From patchwork Mon Nov 5 09:23:25 2018
X-Patchwork-Submitter: Taehee Yoo
X-Patchwork-Id: 992962
X-Patchwork-Delegate: pablo@netfilter.org
From: Taehee Yoo
To: pablo@netfilter.org, netfilter-devel@vger.kernel.org
Cc: ap420073@gmail.com
Subject: [PATCH nf v3 4/4] netfilter: ipt_CLUSTERIP: check MAC address when duplicate config is set
Date: Mon, 5 Nov 2018 18:23:25 +0900
Message-Id: <20181105092325.25367-1-ap420073@gmail.com>
X-Mailer: git-send-email 2.17.1
X-Mailing-List: netfilter-devel@vger.kernel.org

If the same destination IP address config already exists, that config is just used. The MAC address should also be the same. However, there is no MAC address checking routine, so a MAC address checking routine is added.

test commands:
%iptables -A INPUT -p tcp -i lo -d 192.168.0.5 --dport 80 \
    -j CLUSTERIP --new --hashmode sourceip \
    --clustermac 01:00:5e:00:00:20 --total-nodes 2 --local-node 1
%iptables -A INPUT -p tcp -i lo -d 192.168.0.5 --dport 80 \
    -j CLUSTERIP --new --hashmode sourceip \
    --clustermac 01:00:5e:00:00:21 --total-nodes 2 --local-node 1

After this patch, the above commands are disallowed.

v3: add Fourth patch.
v2:
 - use spin_lock_bh() instead of spin_lock() (Pablo Neira Ayuso)
 - add missing dev_mc_add() and dev_mc_del().
 - add Third patch.
v1: Initial patch

Signed-off-by: Taehee Yoo
---
 net/ipv4/netfilter/ipt_CLUSTERIP.c | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/net/ipv4/netfilter/ipt_CLUSTERIP.c b/net/ipv4/netfilter/ipt_CLUSTERIP.c
index 7fd399751c2e..3cd237b42f44 100644
--- a/net/ipv4/netfilter/ipt_CLUSTERIP.c
+++ b/net/ipv4/netfilter/ipt_CLUSTERIP.c
@@ -509,7 +509,8 @@ static int clusterip_tg_check(const struct xt_tgchk_param *par) if (IS_ERR(config)) return PTR_ERR(config); } - } + } else if (memcmp(&config->clustermac, &cipinfo->clustermac, ETH_ALEN)) + return -EINVAL; ret = nf_ct_netns_get(par->net, par->family); if (ret < 0) {
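Review bot: The new `else if` branch in the @@ -509 hunk returns -EINVAL without releasing the existing config it has just compared against; the commit message says a found config is "just used", so if the lookup above this hunk takes a reference on it (that context is not visible here), every clustermac mismatch now leaks that reference, and the branch should drop it with the put that pairs with the lookup before `return -EINVAL;`. Two smaller points on the same lines: the kernel already provides `ether_addr_equal()` in linux/etherdevice.h for comparing two MAC addresses, which reads better than `memcmp(&config->clustermac, &cipinfo->clustermac, ETH_ALEN)` on two arrays; and since the `if` side of this conditional is braced, kernel coding style asks for braces on the `else if` body as well, which also leaves room for a `pr_info()` naming the address and the mismatch, so an administrator whose CLUSTERIP rule is rejected sees why in the kernel log instead of a bare -EINVAL from iptables.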