lists.openwall.net   lists  /  announce  owl-users  owl-dev  john-users  john-dev  passwdqc-users  yescrypt  popa3d-users  /  oss-security  kernel-hardening  musl  sabotage  tlsify  passwords  /  crypt-dev  xvendor  /  Bugtraq  Full-Disclosure  linux-kernel  linux-netdev  linux-ext4  linux-hardening  linux-cve-announce  PHC 
Open Source and information security mailing list archives
 
Hash Suite: Windows password security audit tool. GUI, reports in PDF.
[<prev] [next>] [day] [month] [year] [list] 
Message-ID: <2813882.HseEuK1kWK@tuxracer>
Date:	Thu, 20 Jun 2013 15:09:53 +0300
From:	Sergey Popovich <popovich_sergei@...l.ru>
To:	netdev@...r.kernel.org
Subject: ipset: hash:*net* doesnt match after entry removal (both inet, inet6 families)

Hello!

Deploying ip6?tables filtering rules on one of our server we spot following 
issue using Linux kernel 3.9.6 and ipset 6.19 as userlang and hash:*set* set 
type:

  Deleting previously added network prefix longer than any prefix, that already
  in set, causes future lookups on remaining prefixes not to match (both using 
  ipset(8) test command and ip6?tables(8) "set" match, on any hash:*net* set 
  type).

Tested on the following configurations:
  1. v3.9.6, ipset 6.19 (also 6.12.1)  : reproduced
  2. v3.8.13(EOL), ipset 6.12.1         : reproduced
  3. v3.2.46, ipset 6.12.1                  : not reproducable

Both IPv4 and IPv6 are affected.

Steps to reproduce (using ipset(8) test command for simplicity):
--------------------------------------------------------------------------------
#!/bin/bash -v

##  Create ipset for inet AFI
ipset create set-v4 hash:net family inet

## Add 192.168.1.0/24 prefix to set and check
ipset add set-v4 192.168.1.0/24
ipset test set-v4 192.168.1.0
192.168.1.0 is in set set-v4.
ipset test set-v4 192.168.1.255
192.168.1.255 is in set set-v4.

## Add 172.16.1.0/25 prefix to set and check
ipset add set-v4 172.16.1.0/25
ipset test set-v4 192.168.1.0
192.168.1.0 is in set set-v4.
ipset test set-v4 192.168.1.255
192.168.1.255 is in set set-v4.
ipset test set-v4 172.16.1.0
172.16.1.0 is in set set-v4.
ipset test set-v4 172.16.1.127
172.16.1.127 is in set set-v4.

## List set-v4 contents
ipset list set-v4
Name: set-v4
Type: hash:net
Header: family inet hashsize 1024 maxelem 65536 
Size in memory: 16824
References: 0
Members:
172.16.1.0/25
192.168.1.0/24

## Delete longer (more specific) prefix from the set
ipset del set-v4 172.16.1.0/25

## And test again remaining prefixes
ipset test set-v4 192.168.1.0
192.168.1.0 is NOT in set set-v4.
ipset test set-v4 192.168.1.255
192.168.1.255 is NOT in set set-v4.

## List set-v4 contents
ipset list set-v4
Name: set-v4
Type: hash:net
Header: family inet hashsize 1024 maxelem 65536 
Size in memory: 16824
References: 0
Members:
192.168.1.0/24

## Destroy set-v4
ipset destroy set-v4

-- 
SP5474-RIPE
Sergey Popovich

--
To unsubscribe from this list: send the line "unsubscribe netdev" in
the body of a message to majordomo@...r.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Powered by blists - more mailing lists

Powered by Openwall GNU/*/Linux Powered by OpenVZ