From: Jozsef Kadlecsik
Date: Mon, 21 Nov 2022 12:16:56 +0000 (+0100)
Subject: netfilter: ipset: restore allowing 64 clashing elements in hash:net,iface
X-Git-Tag: v7.16~3
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=d0e0631ff8448841571cb2be31c0ddb7e2f86371;p=thirdparty%2Fipset.git

netfilter: ipset: restore allowing 64 clashing elements in hash:net,iface

The patch "netfilter: ipset: enforce documented limit to prevent allocating huge memory" was too strict and prevented adding up to 64 clashing elements to a hash:net,iface type of set. This patch fixes the issue and now the type behaves as documented.

--- diff --git a/kernel/net/netfilter/ipset/ip_set_hash_gen.h b/kernel/net/netfilter/ipset/ip_set_hash_gen.h index 9fc4f9d7..af389915 100644 --- a/kernel/net/netfilter/ipset/ip_set_hash_gen.h +++ b/kernel/net/netfilter/ipset/ip_set_hash_gen.h @@ -929,7 +929,7 @@ mtype_add(struct ip_set *set, void *value, const struct ip_set_ext *ext, #ifdef IP_SET_HASH_WITH_MULTI if (h->bucketsize >= AHASH_MAX_TUNED) goto set_full; - else if (h->bucketsize < multi) + else if (h->bucketsize <= multi) h->bucketsize += AHASH_INIT_SIZE; #endif if (n->size >= AHASH_MAX(h)) {
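Review bot: The changed comparison `else if (h->bucketsize <= multi)` in mtype_add() has no comment explaining why equality must also trigger growth, and the earlier `<` shows how easily this boundary goes wrong. A short comment above the `#ifdef IP_SET_HASH_WITH_MULTI` block stating the intended relation between `h->bucketsize` and `multi`, and how it interacts with the `h->bucketsize >= AHASH_MAX_TUNED` check that jumps to `set_full`, would make the next change here safer. It is also worth confirming that the `h->bucketsize += AHASH_INIT_SIZE` step cannot move bucketsize past AHASH_MAX_TUNED now that it fires one iteration later, since the cap is only tested before the increment. A regression test that adds the documented 64 clashing elements to a hash:net,iface set and confirms the limit is still enforced beyond that would cover both this fix and the earlier hardening patch. The commit message names that earlier patch only by title; a Fixes: tag with its commit id would help backports pick up both together.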