Hi Pablo,
On Sat, 31 Oct 2020, Pablo Neira Ayuso wrote:
> On Thu, Oct 29, 2020 at 04:39:46PM +0100, Jozsef Kadlecsik wrote:
> > From: Stefano Brivio <sbrivio@xxxxxxxxxx>
> >
> > In ip_set_match_extensions(), for sets with counters, we take care of
> > updating counters themselves by calling ip_set_update_counter(), and of
> > checking if the given comparison and values match, by calling
> > ip_set_match_counter() if needed.
> >
> > However, if a given comparison on counters doesn't match the configured
> > values, that doesn't mean the set entry itself isn't matching.
> >
> > This fix restores the behaviour we had before commit 4750005a85f7
> > ("netfilter: ipset: Fix "don't update counters" mode when counters used
> > at the matching"), without reintroducing the issue fixed there: back
> > then, mtype_data_match() first updated counters in any case, and then
> > took care of matching on counters.
> >
> > Now, if the IPSET_FLAG_SKIP_COUNTER_UPDATE flag is set,
> > ip_set_update_counter() will anyway skip counter updates if desired.
> >
> > The issue observed is illustrated by this reproducer:
> >
> > ipset create c hash:ip counters
> > ipset add c 192.0.2.1
> > iptables -I INPUT -m set --match-set c src --bytes-gt 800 -j DROP
> >
> > if we now send packets from 192.0.2.1, bytes and packets counters
> > for the entry as shown by 'ipset list' are always zero, and, no
> > matter how many bytes we send, the rule will never match, because
> > counters themselves are not updated.
>
> If possible, let me split this batch.
>
> I'll apply this fix (1/4) to nf.git instead, so this shows up in
> 5.10 swiftly.
>
> My understanding is that 2/4, 3/4 and 4/4 have no dependency on this
> one, so I'll apply these three remaining patches in the batch to
> nf-next.git
Yes, it's better that way. Thanks!
Best regards,
Jozsef
-
E-mail : kadlec@xxxxxxxxxxxxxxxxx, kadlecsik.jozsef@xxxxxxxxx
PGP key : https://wigner.hu/~kadlec/pgp_public_key.txt
Address : Wigner Research Centre for Physics
H-1525 Budapest 114, POB. 49, Hungary
