From: Greg Kroah-Hartman
To: linux-kernel@vger.kernel.org
Cc: Greg Kroah-Hartman, stable@vger.kernel.org, Chen Yi, Stefano Brivio, Jozsef Kadlecsik, Sasha Levin
Subject: [PATCH 5.2 051/162] netfilter: ipset: Copy the right MAC address in bitmap:ip,mac and hash:ip,mac sets
Date: Tue, 27 Aug 2019 09:49:39 +0200
Message-Id: <20190827072739.991540119@linuxfoundation.org>
In-Reply-To: <20190827072738.093683223@linuxfoundation.org>
References: <20190827072738.093683223@linuxfoundation.org>

[ Upstream commit 1b4a75108d5bc153daf965d334e77e8e94534f96 ]

In commit 8cc4ccf58379 ("ipset: Allow matching on destination MAC address
for mac and ipmac sets"), ipset.git commit 1543514c46a7, I added to the
KADT functions for sets matching on MAC addresses the copy of source or
destination MAC address depending on the configured match.

This was done correctly for hash:mac, but for hash:ip,mac and
bitmap:ip,mac, copying and pasting the same code block presents an
obvious problem: in these two set types, the MAC address is the second
dimension, not the first one, and we are actually selecting the MAC
address depending on whether the first dimension (IP address) specifies
source or destination.

Fix this by checking for the IPSET_DIM_TWO_SRC flag in option flags.

This way, mixing source and destination matches for the two dimensions
of ip,mac set types works as expected.
With this setup:

  ip netns add A
  ip link add veth1 type veth peer name veth2 netns A
  ip addr add 192.0.2.1/24 dev veth1
  ip -net A addr add 192.0.2.2/24 dev veth2
  ip link set veth1 up
  ip -net A link set veth2 up
  dst=$(ip netns exec A cat /sys/class/net/veth2/address)
  ip netns exec A ipset create test_bitmap bitmap:ip,mac range 192.0.0.0/16
  ip netns exec A ipset add test_bitmap 192.0.2.1,${dst}
  ip netns exec A iptables -A INPUT -m set ! --match-set test_bitmap src,dst -j DROP
  ip netns exec A ipset create test_hash hash:ip,mac
  ip netns exec A ipset add test_hash 192.0.2.1,${dst}
  ip netns exec A iptables -A INPUT -m set ! --match-set test_hash src,dst -j DROP

ipset correctly matches a test packet:

  # ping -c1 192.0.2.2 >/dev/null
  # echo $?
  0

Reported-by: Chen Yi
Fixes: 8cc4ccf58379 ("ipset: Allow matching on destination MAC address for mac and ipmac sets")
Signed-off-by: Stefano Brivio
Signed-off-by: Jozsef Kadlecsik
Signed-off-by: Sasha Levin
---
 net/netfilter/ipset/ip_set_bitmap_ipmac.c | 2 +-
 net/netfilter/ipset/ip_set_hash_ipmac.c   | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/net/netfilter/ipset/ip_set_bitmap_ipmac.c b/net/netfilter/ipset/ip_set_bitmap_ipmac.c index b73c37b3a791f..cfe7b556775f1 100644 --- a/net/netfilter/ipset/ip_set_bitmap_ipmac.c +++ b/net/netfilter/ipset/ip_set_bitmap_ipmac.c @@ -227,7 +227,7 @@ bitmap_ipmac_kadt(struct ip_set *set, const struct sk_buff *skb, e.id = ip_to_id(map, ip); - if (opt->flags & IPSET_DIM_ONE_SRC) + if (opt->flags & IPSET_DIM_TWO_SRC) ether_addr_copy(e.ether, eth_hdr(skb)->h_source); else ether_addr_copy(e.ether, eth_hdr(skb)->h_dest); diff --git a/net/netfilter/ipset/ip_set_hash_ipmac.c b/net/netfilter/ipset/ip_set_hash_ipmac.c index eb14434083203..24d8f4df4230c 100644 --- a/net/netfilter/ipset/ip_set_hash_ipmac.c +++ b/net/netfilter/ipset/ip_set_hash_ipmac.c
@@ -93,7 +93,7 @@ hash_ipmac4_kadt(struct ip_set *set, const struct sk_buff *skb, (skb_mac_header(skb) + ETH_HLEN) > skb->data) return -EINVAL; - if (opt->flags & IPSET_DIM_ONE_SRC) + if (opt->flags & IPSET_DIM_TWO_SRC) ether_addr_copy(e.ether, eth_hdr(skb)->h_source); else ether_addr_copy(e.ether, eth_hdr(skb)->h_dest); -- 2.20.1
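Review bot: in the bitmap_ipmac_kadt hunk the switch from IPSET_DIM_ONE_SRC to IPSET_DIM_TWO_SRC agrees with the commit message (the MAC is the second dimension of an ip,mac set), but the three context lines show eth_hdr(skb) being dereferenced right after `e.id = ip_to_id(map, ip);` with no visible bounds check on the MAC header, whereas the hash_ipmac4_kadt hunk shows `(skb_mac_header(skb) + ETH_HLEN) > skb->data) return -EINVAL;` immediately before the same copy. Please confirm the equivalent check sits earlier in bitmap_ipmac_kadt, outside the shown context, since both set types are matched from the same INPUT rule in the test setup.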
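Review bot: the ip_set_hash_ipmac.c change touches only hash_ipmac4_kadt, and the diffstat confirms 2 insertions and 2 deletions across both files. The commit message says this block was copy-pasted between set types, so if the file carries an IPv6 counterpart of hash_ipmac4_kadt with the same `if (opt->flags & IPSET_DIM_ONE_SRC)` test, it needs the identical IPSET_DIM_TWO_SRC change or hash:ip,mac sets with family inet6 keep the regression the Fixes: tag describes. A one-line comment above the test, e.g. `/* MAC is the second dimension of ip,mac sets */`, would also stop the next copy of this block from being mis-keyed on the first dimension again.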
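The selection error the commit message describes, reduced to a stand-alone C model so the effect of the flag switch on each iptables direction spec can be checked without a kernel. This is an added illustration, not kernel code: the IPSET_DIM_ONE_SRC/IPSET_DIM_TWO_SRC values (1 << dimension index, as in the uapi ip_set.h), the eth_hdr_stub struct, the function names and the two MAC addresses are assumptions made for this example. The set entry modelled is the one from the test setup, 192.0.2.1 paired with the MAC of veth2, and the packet is the ping from veth1 to veth2.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* Assumed to mirror enum ip_set_kopt in the kernel's uapi
 * linux/netfilter/ipset/ip_set.h: bit (1 << dimension index). */
#define IPSET_DIM_ONE_SRC (1u << 1)
#define IPSET_DIM_TWO_SRC (1u << 2)

#define ETH_ALEN 6

/* Stand-in for the two Ethernet header fields the kadt code reads. */
struct eth_hdr_stub {
    uint8_t h_dest[ETH_ALEN];
    uint8_t h_source[ETH_ALEN];
};

/* Turn an iptables "--match-set NAME dim1,dim2" direction spec into the
 * opt->flags bits the set match would carry ("src" sets the bit). */
static uint32_t flags_from_spec(const char *dim1, const char *dim2)
{
    uint32_t flags = 0;
    if (strcmp(dim1, "src") == 0)
        flags |= IPSET_DIM_ONE_SRC;
    if (strcmp(dim2, "src") == 0)
        flags |= IPSET_DIM_TWO_SRC;
    return flags;
}

/* Pre-fix selection: keyed on the first (IP) dimension's flag. */
static const uint8_t *mac_before_fix(uint32_t flags,
                                     const struct eth_hdr_stub *eth)
{
    return (flags & IPSET_DIM_ONE_SRC) ? eth->h_source : eth->h_dest;
}

/* Post-fix selection: keyed on the second (MAC) dimension's flag. */
static const uint8_t *mac_after_fix(uint32_t flags,
                                    const struct eth_hdr_stub *eth)
{
    return (flags & IPSET_DIM_TWO_SRC) ? eth->h_source : eth->h_dest;
}

/* Constructed locally administered addresses for veth1 and veth2. */
static const uint8_t VETH1_MAC[ETH_ALEN] = {0x02, 0, 0, 0, 0, 0x01};
static const uint8_t VETH2_MAC[ETH_ALEN] = {0x02, 0, 0, 0, 0, 0x02};

/* Returns 1 when the MAC the kadt code would copy equals the MAC stored
 * in the set entry (veth2's), i.e. the set matches the ping from veth1. */
static int set_matches(const uint8_t *(*select)(uint32_t,
                                                const struct eth_hdr_stub *),
                       const char *dim1, const char *dim2)
{
    struct eth_hdr_stub eth;
    memcpy(eth.h_source, VETH1_MAC, ETH_ALEN);  /* packet sent by veth1 */
    memcpy(eth.h_dest, VETH2_MAC, ETH_ALEN);    /* ... to veth2 */
    const uint8_t *chosen = select(flags_from_spec(dim1, dim2), &eth);
    return memcmp(chosen, VETH2_MAC, ETH_ALEN) == 0;
}

int main(void)
{
    const char *specs[][2] = {{"src", "dst"}, {"dst", "src"},
                              {"src", "src"}, {"dst", "dst"}};
    for (size_t i = 0; i < sizeof specs / sizeof specs[0]; i++)
        printf("%s,%s  before fix: %d  after fix: %d\n",
               specs[i][0], specs[i][1],
               set_matches(mac_before_fix, specs[i][0], specs[i][1]),
               set_matches(mac_after_fix, specs[i][0], specs[i][1]));
    return 0;
}
```

With the test setup's `src,dst` rule the pre-fix code copies the source MAC (veth1's), finds no entry, and the negated rule drops the ping; the post-fix code copies the destination MAC and matches. The `dst,src` spec shows the mirror image: the old code matched spuriously, the new code correctly does not.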