From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Taehee Yoo, Pablo Neira Ayuso, Sasha Levin
Subject: [PATCH 4.14 41/63] netfilter: ipt_CLUSTERIP: check MAC address when duplicate config is set
Date: Thu, 24 Jan 2019 20:20:30 +0100
Message-Id: <20190124190200.044879515@linuxfoundation.org>
In-Reply-To: <20190124190155.176570028@linuxfoundation.org>
References: <20190124190155.176570028@linuxfoundation.org>
X-stable: review
X-Mailing-List: linux-kernel@vger.kernel.org

4.14-stable review patch. If anyone has any objections, please let me know.

------------------

[ Upstream commit 06aa151ad1fc74a49b45336672515774a678d78d ]

If the same destination IP address config already exists, that config
is just used. The MAC address should also be the same. However, there
is no MAC address checking routine. So a MAC address checking routine
is added.

test commands:
   %iptables -A INPUT -p tcp -i lo -d 192.168.0.5 --dport 80 \
	   -j CLUSTERIP --new --hashmode sourceip \
	   --clustermac 01:00:5e:00:00:20 --total-nodes 2 --local-node 1
   %iptables -A INPUT -p tcp -i lo -d 192.168.0.5 --dport 80 \
	   -j CLUSTERIP --new --hashmode sourceip \
	   --clustermac 01:00:5e:00:00:21 --total-nodes 2 --local-node 1

After this patch, the above commands are disallowed.

Signed-off-by: Taehee Yoo
Signed-off-by: Pablo Neira Ayuso
Signed-off-by: Sasha Levin
---
 net/ipv4/netfilter/ipt_CLUSTERIP.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/net/ipv4/netfilter/ipt_CLUSTERIP.c b/net/ipv4/netfilter/ipt_CLUSTERIP.c
index cc7c9d67ac19..45f21489f515 100644
--- a/net/ipv4/netfilter/ipt_CLUSTERIP.c
+++ b/net/ipv4/netfilter/ipt_CLUSTERIP.c
@@ -492,7 +492,8 @@ static int clusterip_tg_check(const struct xt_tgchk_param *par) if (IS_ERR(config)) return PTR_ERR(config); } - } + } else if (memcmp(&config->clustermac, &cipinfo->clustermac, ETH_ALEN)) + return -EINVAL; ret = nf_ct_netns_get(par->net, par->family); if (ret < 0) { -- 2.19.1
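Review bot: the added "else if (memcmp(&config->clustermac, &cipinfo->clustermac, ETH_ALEN)) return -EINVAL;" bails out of clusterip_tg_check() without releasing the existing config it just compared against; if the lookup that produced "config" takes a reference (the hunk shows the alternative branch creating a config with an IS_ERR()/PTR_ERR() error path, which suggests the found object is refcounted in the same way), this early return leaks that reference every time a rule with a mismatching --clustermac is rejected, and a user who can add rules could drive the count up at will. Suggest dropping the reference on the mismatch path before returning, or setting ret = -EINVAL and falling through to whatever unwinding the function already has below the nf_ct_netns_get() call. Two smaller points: the mismatch is silent, whereas a short pr_info() naming the destination address would make the rejected rule diagnosable in the kernel log; and since the "if (!config) { ... }" branch is braced, kernel coding style wants the "else if" body braced as well rather than a bare "return -EINVAL;".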