From: Sasha Levin
To: linux-kernel@vger.kernel.org, stable@vger.kernel.org
Cc: Taehee Yoo, Pablo Neira Ayuso, Sasha Levin, netfilter-devel@vger.kernel.org, coreteam@netfilter.org, netdev@vger.kernel.org
Subject: [PATCH AUTOSEL 4.20 084/117] netfilter: ipt_CLUSTERIP: check MAC address when duplicate config is set
Date: Tue, 8 Jan 2019 14:25:52 -0500
Message-Id: <20190108192628.121270-84-sashal@kernel.org>
In-Reply-To: <20190108192628.121270-1-sashal@kernel.org>
References: <20190108192628.121270-1-sashal@kernel.org>

From: Taehee Yoo

[ Upstream commit 06aa151ad1fc74a49b45336672515774a678d78d ]

If the same destination IP address config already exists, that config is just used. The MAC address should also be the same. However, there is no MAC address checking routine, so a MAC address checking routine is added.

test commands:
%iptables -A INPUT -p tcp -i lo -d 192.168.0.5 --dport 80 \
   -j CLUSTERIP --new --hashmode sourceip \
   --clustermac 01:00:5e:00:00:20 --total-nodes 2 --local-node 1
%iptables -A INPUT -p tcp -i lo -d 192.168.0.5 --dport 80 \
   -j CLUSTERIP --new --hashmode sourceip \
   --clustermac 01:00:5e:00:00:21 --total-nodes 2 --local-node 1

After this patch, the above commands are disallowed.

Signed-off-by: Taehee Yoo
Signed-off-by: Pablo Neira Ayuso
Signed-off-by: Sasha Levin
---
 net/ipv4/netfilter/ipt_CLUSTERIP.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/net/ipv4/netfilter/ipt_CLUSTERIP.c b/net/ipv4/netfilter/ipt_CLUSTERIP.c
index 2c8d313ae216..e40e6795bd20 100644
--- a/net/ipv4/netfilter/ipt_CLUSTERIP.c
+++ b/net/ipv4/netfilter/ipt_CLUSTERIP.c
@@ -496,7 +496,8 @@ static int clusterip_tg_check(const struct xt_tgchk_param *par) if (IS_ERR(config)) return PTR_ERR(config); } - } + } else if (memcmp(&config->clustermac, &cipinfo->clustermac, ETH_ALEN)) + return -EINVAL; ret = nf_ct_netns_get(par->net, par->family); if (ret < 0) { -- 2.19.1
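Review bot: the new `else if (memcmp(&config->clustermac, &cipinfo->clustermac, ETH_ALEN)) return -EINVAL;` bails out of clusterip_tg_check() without releasing `config`, which in this branch (per the commit message) is the already-existing entry that was just looked up rather than one freshly created by the `IS_ERR(config)` path above it. The function's other failure path sits right below this hunk (`ret = nf_ct_netns_get(par->net, par->family); if (ret < 0) {`), and an early return here skips whatever teardown that path performs on `config`; please confirm whether the lookup takes a reference on the existing config and, if it does, drop it before returning (or route the mismatch through the same cleanup used for the nf_ct_netns_get() failure) so a second rule with a different --clustermac does not leak a reference each time it is rejected. Minor style point: since the `if` branch of this conditional already uses braces, kernel style wants braces on the `else if` branch as well.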