diff options
| author | Taehee Yoo | 2018-11-05 10:23:25 +0100 |
|---|---|---|
| committer | Greg Kroah-Hartman | 2019-01-26 09:32:40 +0100 |
| commit | 744383c88e2ef588e4e07e4c399e58d99ecfde18 (patch) | |
| tree | 532f5f6d7b64d14470ef10fc1184a4b2e9465001 | |
| parent | perf vendor events intel: Fix Load_Miss_Real_Latency on SKL/SKX (diff) | |
| download | kernel-qcow2-linux-744383c88e2ef588e4e07e4c399e58d99ecfde18.tar.gz kernel-qcow2-linux-744383c88e2ef588e4e07e4c399e58d99ecfde18.tar.xz kernel-qcow2-linux-744383c88e2ef588e4e07e4c399e58d99ecfde18.zip | |
netfilter: ipt_CLUSTERIP: check MAC address when duplicate config is set
[ Upstream commit 06aa151ad1fc74a49b45336672515774a678d78d ]
If same destination IP address config is already existing, that config is
just used. MAC address also should be same.
However, there is no MAC address checking routine.
So that MAC address checking routine is added.
test commands:
%iptables -A INPUT -p tcp -i lo -d 192.168.0.5 --dport 80 \
-j CLUSTERIP --new --hashmode sourceip \
--clustermac 01:00:5e:00:00:20 --total-nodes 2 --local-node 1
%iptables -A INPUT -p tcp -i lo -d 192.168.0.5 --dport 80 \
-j CLUSTERIP --new --hashmode sourceip \
--clustermac 01:00:5e:00:00:21 --total-nodes 2 --local-node 1
After this patch, above commands are disallowed.
Signed-off-by: Taehee Yoo <ap420073@gmail.com>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Signed-off-by: Sasha Levin <sashal@kernel.org>
| -rw-r--r-- | net/ipv4/netfilter/ipt_CLUSTERIP.c | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/net/ipv4/netfilter/ipt_CLUSTERIP.c b/net/ipv4/netfilter/ipt_CLUSTERIP.c index 2c8d313ae216..e40e6795bd20 100644 --- a/net/ipv4/netfilter/ipt_CLUSTERIP.c +++ b/net/ipv4/netfilter/ipt_CLUSTERIP.c @@ -496,7 +496,8 @@ static int clusterip_tg_check(const struct xt_tgchk_param *par) if (IS_ERR(config)) return PTR_ERR(config); } - } + } else if (memcmp(&config->clustermac, &cipinfo->clustermac, ETH_ALEN)) + return -EINVAL; ret = nf_ct_netns_get(par->net, par->family); if (ret < 0) { |