aboutsummaryrefslogtreecommitdiff
diff options
context:
space:
mode:
authorTaehee Yoo <ap420073@gmail.com>2018-11-05 18:23:25 +0900
committerGreg Kroah-Hartman <gregkh@linuxfoundation.org>2019-01-26 09:37:05 +0100
commite6b1503c4d6fe1b45b12fe0fbe5ba125bcc22757 (patch)
treed4c1ec9f2b5a043409fa42cf6eee09c5a9a6f048
parent05f94c60f3cbf7355f7092fe74e52c0f0bb4f48a (diff)
download96b-common-e6b1503c4d6fe1b45b12fe0fbe5ba125bcc22757.tar.gz
netfilter: ipt_CLUSTERIP: check MAC address when duplicate config is set
[ Upstream commit 06aa151ad1fc74a49b45336672515774a678d78d ] If same destination IP address config is already existing, that config is just used. MAC address also should be same. However, there is no MAC address checking routine. So that MAC address checking routine is added. test commands: %iptables -A INPUT -p tcp -i lo -d 192.168.0.5 --dport 80 \ -j CLUSTERIP --new --hashmode sourceip \ --clustermac 01:00:5e:00:00:20 --total-nodes 2 --local-node 1 %iptables -A INPUT -p tcp -i lo -d 192.168.0.5 --dport 80 \ -j CLUSTERIP --new --hashmode sourceip \ --clustermac 01:00:5e:00:00:21 --total-nodes 2 --local-node 1 After this patch, above commands are disallowed. Signed-off-by: Taehee Yoo <ap420073@gmail.com> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org> Signed-off-by: Sasha Levin <sashal@kernel.org>
-rw-r--r--net/ipv4/netfilter/ipt_CLUSTERIP.c3
1 files changed, 2 insertions, 1 deletions
diff --git a/net/ipv4/netfilter/ipt_CLUSTERIP.c b/net/ipv4/netfilter/ipt_CLUSTERIP.c
index cc7c9d67ac19..45f21489f515 100644
--- a/net/ipv4/netfilter/ipt_CLUSTERIP.c
+++ b/net/ipv4/netfilter/ipt_CLUSTERIP.c
@@ -492,7 +492,8 @@ static int clusterip_tg_check(const struct xt_tgchk_param *par)
if (IS_ERR(config))
return PTR_ERR(config);
}
- }
+ } else if (memcmp(&config->clustermac, &cipinfo->clustermac, ETH_ALEN))
+ return -EINVAL;
ret = nf_ct_netns_get(par->net, par->family);
if (ret < 0) {