Message-Id: <20250121002652.1377138-1-ntranswe@gmail.com>
Date: Mon, 20 Jan 2025 16:26:52 -0800
From: Nathan Tran <ntranswe@...il.com>
To: netdev@...r.kernel.org
Cc: Nathan Tran <ntranswe@...il.com>
Subject: [PATCH] ipxfrm: Make xfrm_selector_print() output port ranges based on port masks

When listing policies with `ip xfrm policy list`, selector port ranges are not
displayed to the user even if sport_mask and dport_mask are not equal to 0xffff.

Here is an output example with the patch applied:

root@...56a327b1b:/# ip xfrm policy list
src fd00::2/128 dst fd00::10/128 proto 17 sport 40000-40031 dport 40000-40031
        dir out priority 268563
        tmpl src fd00::2 dst fd00::10
                proto esp spi 0x21900907 reqid 1 mode tunnel

Signed-off-by: Nathan Tran <ntranswe@...il.com>
---
 ip/ipxfrm.c | 14 ++++++++++++--
 1 file changed, 12 insertions(+), 2 deletions(-)

diff --git a/ip/ipxfrm.c b/ip/ipxfrm.c
index 90d25aac..3605c718 100644
--- a/ip/ipxfrm.c
+++ b/ip/ipxfrm.c
@@ -443,10 +443,20 @@ void xfrm_selector_print(struct xfrm_selector *sel, __u16 family,
 	case IPPROTO_SCTP:
 	case IPPROTO_DCCP:
 	default: /* XXX */
-		if (sel->sport_mask)
+		if (sel->sport_mask == 0xffff)
 			fprintf(fp, "sport %u ", ntohs(sel->sport));
-		if (sel->dport_mask)
+		else if (sel->sport_mask) {
+			fprintf(fp, "sport %u-%u ",
+				ntohs(sel->sport & sel->sport_mask),
+				ntohs(sel->sport | ~sel->sport_mask));
+		}
+		if (sel->dport_mask == 0xffff)
 			fprintf(fp, "dport %u ", ntohs(sel->dport));
+		else if (sel->dport_mask) {
+			fprintf(fp, "dport %u-%u ",
+				ntohs(sel->dport & sel->dport_mask),
+				ntohs(sel->dport | ~sel->dport_mask));
+		}
 		break;
 	case IPPROTO_ICMP:
 	case IPPROTO_ICMPV6:
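Review bot: The `lo-hi` output in the `else if (sel->sport_mask)` and `else if (sel->dport_mask)` branches is only accurate when the mask, converted to host order, is a contiguous prefix. With any other non-zero mask the selector presumably matches a non-contiguous set of ports, so someone auditing the IPsec policy would see a range that differs from what is actually matched. Consider guarding the range form with a prefix test such as `__u16 m = ntohs(sel->sport_mask); if ((m | (m - 1)) == 0xffff)` and otherwise printing value and mask, e.g. `fprintf(fp, "sport %u/0x%04x ", ntohs(sel->sport), m);`. Separately, `~sel->sport_mask` is promoted to `int`, so the upper bound relies on implicit truncation inside `ntohs()`; an explicit `(__u16)~sel->sport_mask` makes that intent visible. The body of xfrm_selector_print() starts and ends outside this hunk.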
-- 
2.25.1

