netfilter: ipset: hash:net,iface fixed to handle overlapping nets behind different interfaces (89dc79b7) · Commits · Mirrors / git.yoctoproject.org / linux-yocto

Commit 89dc79b7 authored Jul 21, 2011 by

Jozsef Kadlecsik Committed by Patrick McHardy Jul 21, 2011

netfilter: ipset: hash:net,iface fixed to handle overlapping nets behind different interfaces



If overlapping networks with different interfaces was added to
the set, the type did not handle it properly. Example

    ipset create test hash:net,iface
    ipset add test 192.168.0.0/16,eth0
    ipset add test 192.168.0.0/24,eth1

Now, if a packet was sent from 192.168.0.0/24,eth0, the type returned
a match.

In the patch the algorithm is fixed in order to correctly handle
overlapping networks.

Limitation: the same network cannot be stored with more than 64 different
interfaces in a single set.

Signed-off-by: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Signed-off-by: Patrick McHardy <kaber@trash.net>

parent a6a7b759

Hide whitespace changes

Inline Side-by-side

Please register or to comment