diff options
| author |  Taehee Yoo <ap420073@gmail.com>
| 2018-11-05 18:23:25 +0900 |
|---|---|---|
| committer |  Pablo Neira Ayuso <pablo@netfilter.org>
| 2018-12-18 01:18:38 +0100 |
| commit | 06aa151ad1fc74a49b45336672515774a678d78d (patch) | |
| tree | d01a52c0745c152dd5ce354391de04461c830570 /net/ipv4 | |
| parent | netfilter: ipt_CLUSTERIP: fix sleep-in-atomic bug in clusterip_config_entry_p... (diff) | |
| download | linux-06aa151ad1fc74a49b45336672515774a678d78d.tar.gz linux-06aa151ad1fc74a49b45336672515774a678d78d.tar.bz2 linux-06aa151ad1fc74a49b45336672515774a678d78d.zip | |
netfilter: ipt_CLUSTERIP: check MAC address when duplicate config is set
If same destination IP address config is already existing, that config is
just used. MAC address also should be same.
However, there is no MAC address checking routine.
So that MAC address checking routine is added.
test commands:
%iptables -A INPUT -p tcp -i lo -d 192.168.0.5 --dport 80 \
-j CLUSTERIP --new --hashmode sourceip \
--clustermac 01:00:5e:00:00:20 --total-nodes 2 --local-node 1
%iptables -A INPUT -p tcp -i lo -d 192.168.0.5 --dport 80 \
-j CLUSTERIP --new --hashmode sourceip \
--clustermac 01:00:5e:00:00:21 --total-nodes 2 --local-node 1
After this patch, above commands are disallowed.
Signed-off-by: Taehee Yoo <ap420073@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Diffstat (limited to 'net/ipv4')
| -rw-r--r-- | net/ipv4/netfilter/ipt_CLUSTERIP.c | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/net/ipv4/netfilter/ipt_CLUSTERIP.c b/net/ipv4/netfilter/ipt_CLUSTERIP.c index d4d549a46c04..b61977db9b7f 100644 --- a/net/ipv4/netfilter/ipt_CLUSTERIP.c +++ b/net/ipv4/netfilter/ipt_CLUSTERIP.c @@ -509,7 +509,8 @@ static int clusterip_tg_check(const struct xt_tgchk_param *par) if (IS_ERR(config)) return PTR_ERR(config); } - } + } else if (memcmp(&config->clustermac, &cipinfo->clustermac, ETH_ALEN)) + return -EINVAL; ret = nf_ct_netns_get(par->net, par->family); if (ret < 0) { |