git.ipfire.org Git - thirdparty/kernel/stable-queue.git/blob 2d59fedb0422e47b43f3036f969ac40fd24ad941
From 57a78d3d928c7e5fc23bf388dff3e33386359d5c Mon Sep 17 00:00:00 2001
From: Sasha Levin <sashal@kernel.org>
Date: Thu, 29 Oct 2020 16:39:46 +0100
Subject: netfilter: ipset: Update byte and packet counters regardless of
 whether they match

From: Stefano Brivio <sbrivio@redhat.com>

[ Upstream commit 7d10e62c2ff8e084c136c94d32d9a94de4d31248 ]

In ip_set_match_extensions(), for sets with counters, we take care of
updating counters themselves by calling ip_set_update_counter(), and of
checking if the given comparison and values match, by calling
ip_set_match_counter() if needed.

However, if a given comparison on counters doesn't match the configured
values, that doesn't mean the set entry itself isn't matching.

This fix restores the behaviour we had before commit 4750005a85f7
("netfilter: ipset: Fix "don't update counters" mode when counters used
at the matching"), without reintroducing the issue fixed there: back
then, mtype_data_match() first updated counters in any case, and then
took care of matching on counters.

Now, if the IPSET_FLAG_SKIP_COUNTER_UPDATE flag is set,
ip_set_update_counter() will anyway skip counter updates if desired.

The issue observed is illustrated by this reproducer:

  ipset create c hash:ip counters
  ipset add c 192.0.2.1
  iptables -I INPUT -m set --match-set c src --bytes-gt 800 -j DROP

if we now send packets from 192.0.2.1, bytes and packets counters
for the entry as shown by 'ipset list' are always zero, and, no
matter how many bytes we send, the rule will never match, because
counters themselves are not updated.

Reported-by: Mithil Mhatre <mmhatre@redhat.com>
Fixes: 4750005a85f7 ("netfilter: ipset: Fix "don't update counters" mode when counters used at the matching")
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
Signed-off-by: Jozsef Kadlecsik <kadlec@netfilter.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
---
 net/netfilter/ipset/ip_set_core.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

49 diff --git a/net/netfilter/ipset/ip_set_core.c b/net/netfilter/ipset/ip_set_core.c
50 index 133a3f1b6f56c..3cc4daa856d6b 100644
51 --- a/net/netfilter/ipset/ip_set_core.c
52 +++ b/net/netfilter/ipset/ip_set_core.c
53 @@ -485,13 +485,14 @@ ip_set_match_extensions(struct ip_set *set, const struct ip_set_ext *ext,
54 if (SET_WITH_COUNTER(set)) {
55 struct ip_set_counter *counter = ext_counter(data, set);
56
57 + ip_set_update_counter(counter, ext, flags);
58 +
59 if (flags & IPSET_FLAG_MATCH_COUNTERS &&
60 !(ip_set_match_counter(ip_set_get_packets(counter),
61 mext->packets, mext->packets_op) &&
62 ip_set_match_counter(ip_set_get_bytes(counter),
63 mext->bytes, mext->bytes_op)))
64 return false;
65 - ip_set_update_counter(counter, ext, flags);
66 }
67 if (SET_WITH_SKBINFO(set))
68 ip_set_get_skbinfo(ext_skbinfo(data, set),
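Review bot: moving ip_set_update_counter() ahead of the IPSET_FLAG_MATCH_COUNTERS comparison changes what the comparison sees, not only whether counters accrue: ip_set_get_packets()/ip_set_get_bytes() now read a counter that already includes the packet being matched, so a --bytes-gt threshold fires on the packet that crosses it rather than on the next one, and an entry rejected by the counter comparison still has that packet counted in 'ipset list'. Both are consistent with the pre-4750005a85f7 ordering the commit message says it restores, but a one-line comment above the new `ip_set_update_counter(counter, ext, flags);` call noting that the update is intentionally unconditional (the skip flag is handled inside it) would keep the next reader from "optimising" it back below the early return.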
69 --
70 2.27.0
71
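The following is an added user-space model of the two orderings the patch is about, written for this page and not taken from the kernel or from the commit; all names prefixed `model_` and `MODEL_` are constructed stand-ins for ip_set_match_extensions(), ip_set_update_counter(), ip_set_match_counter() and the IPSET_FLAG_MATCH_COUNTERS / IPSET_FLAG_SKIP_COUNTER_UPDATE flags, and the comparison operators are a simplified assumption rather than ipset's actual enum. It replays the reproducer (`--bytes-gt 800`, packets from a set member) through the pre-patch and post-patch ordering so the effect is visible without root or a kernel.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model (not kernel code): flag bits standing in for
 * IPSET_FLAG_MATCH_COUNTERS and IPSET_FLAG_SKIP_COUNTER_UPDATE. */
#define MODEL_FLAG_MATCH_COUNTERS      (1u << 0)
#define MODEL_FLAG_SKIP_COUNTER_UPDATE (1u << 1)

/* Simplified comparison operators; assumed, not ipset's real enum. */
enum model_op { MODEL_OP_NONE, MODEL_OP_EQ, MODEL_OP_LT, MODEL_OP_GT };

/* Per-entry counters, like struct ip_set_counter. */
struct model_counter { uint64_t packets; uint64_t bytes; };

/* Match extension carried by the rule, e.g. "--bytes-gt 800". */
struct model_mext {
	uint64_t packets; enum model_op packets_op;
	uint64_t bytes;   enum model_op bytes_op;
};

static bool model_match_counter(uint64_t value, uint64_t want, enum model_op op)
{
	switch (op) {
	case MODEL_OP_EQ: return value == want;
	case MODEL_OP_LT: return value < want;
	case MODEL_OP_GT: return value > want;
	default:          return true;   /* no comparison requested */
	}
}

/* Honours the skip flag internally, as the commit message says
 * ip_set_update_counter() does. */
static void model_update_counter(struct model_counter *c, uint64_t skb_len, unsigned flags)
{
	if (flags & MODEL_FLAG_SKIP_COUNTER_UPDATE)
		return;
	c->packets++;
	c->bytes += skb_len;
}

typedef bool (*model_match_fn)(struct model_counter *, const struct model_mext *,
			       uint64_t, unsigned);

/* Ordering before the patch: a failed counter comparison returns early,
 * so the counters are never updated and a threshold rule can never fire. */
static bool model_match_before(struct model_counter *c, const struct model_mext *m,
			       uint64_t skb_len, unsigned flags)
{
	if (flags & MODEL_FLAG_MATCH_COUNTERS &&
	    !(model_match_counter(c->packets, m->packets, m->packets_op) &&
	      model_match_counter(c->bytes, m->bytes, m->bytes_op)))
		return false;
	model_update_counter(c, skb_len, flags);
	return true;
}

/* Ordering after the patch: update first, then compare. */
static bool model_match_after(struct model_counter *c, const struct model_mext *m,
			      uint64_t skb_len, unsigned flags)
{
	model_update_counter(c, skb_len, flags);
	if (flags & MODEL_FLAG_MATCH_COUNTERS &&
	    !(model_match_counter(c->packets, m->packets, m->packets_op) &&
	      model_match_counter(c->bytes, m->bytes, m->bytes_op)))
		return false;
	return true;
}

/* Replay the reproducer's rule (--bytes-gt 800) against npackets packets of
 * skb_len bytes from the set member. Returns how many packets matched and
 * leaves the final counter state in *c. */
static int model_replay(model_match_fn fn, int npackets, uint64_t skb_len,
			unsigned flags, struct model_counter *c)
{
	const struct model_mext rule = {
		.packets = 0,   .packets_op = MODEL_OP_NONE,
		.bytes   = 800, .bytes_op   = MODEL_OP_GT,
	};
	int matched = 0;

	c->packets = 0;
	c->bytes = 0;
	for (int i = 0; i < npackets; i++)
		if (fn(c, &rule, skb_len, flags))
			matched++;
	return matched;
}

int main(void)
{
	struct model_counter c;
	int n;

	n = model_replay(model_match_before, 10, 100, MODEL_FLAG_MATCH_COUNTERS, &c);
	printf("before: matched=%d packets=%llu bytes=%llu\n", n,
	       (unsigned long long)c.packets, (unsigned long long)c.bytes);
	n = model_replay(model_match_after, 10, 100, MODEL_FLAG_MATCH_COUNTERS, &c);
	printf("after:  matched=%d packets=%llu bytes=%llu\n", n,
	       (unsigned long long)c.packets, (unsigned long long)c.bytes);
	return 0;
}
```

With ten 100-byte packets the pre-patch ordering reports zero matches and counters stuck at zero, exactly the symptom in the commit message; the post-patch ordering accrues 10 packets / 1000 bytes and the DROP rule fires for the ninth and tenth packet, while passing the skip flag keeps the counters untouched as the commit message says ip_set_update_counter() does.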