Hello,

On Fri, 23 Dec 2022, Марк Коренберг wrote:

> ipset create acl_cdc_cert hash:net,port,net
> ipset add acl_cdc_cert 0.0.0.0/0,tcp:1-2,192.168.230.128/25
>
> and kernel 6.0.12 hangs (!)
>
> Seems the problem happens only if both 0.0.0.0/0 and port range
> specified at the same time.

Thanks for the bugreport, I'm going to submit then next patch to fix it:

diff --git a/net/netfilter/ipset/ip_set_hash_netportnet.c b/net/netfilter/ipset/ip_set_hash_netportnet.c
index 19bcdb3141f6..b3616f5e1f6a 100644
--- a/net/netfilter/ipset/ip_set_hash_netportnet.c
+++ b/net/netfilter/ipset/ip_set_hash_netportnet.c
@@ -173,6 +173,16 @@ hash_netportnet4_kadt(struct ip_set *set, const struct sk_buff *skb,
 return adtfn(set, &e, &ext, &opt->ext, opt->cmdflags);
 }
 
+static u32
+hash_netportnet4_range_to_cidr(u32 from, u32 to, u8 *cidr)
+{
+ if (from == 0 && to == UINT_MAX) {
+ *cidr = 0;
+ return to;
+ }
+ return ip_set_range_to_cidr(from, to, cidr);
+}
+
 static int
 hash_netportnet4_uadt(struct ip_set *set, struct nlattr *tb[],
 enum ipset_adt adt, u32 *lineno, u32 flags, bool retried)
@@ -287,12 +297,12 @@ hash_netportnet4_uadt(struct ip_set *set, struct nlattr *tb[],
 }
 ipn = ip;
 do {
- ipn = ip_set_range_to_cidr(ipn, ip_to, &e.cidr[0]);
+ ipn = hash_netportnet4_range_to_cidr(ipn, ip_to, &e.cidr[0]);
 n++;
 } while (ipn++ < ip_to);
 ipn = ip2_from;
 do {
- ipn = ip_set_range_to_cidr(ipn, ip2_to, &e.cidr[1]);
+ ipn = hash_netportnet4_range_to_cidr(ipn, ip2_to, &e.cidr[1]);
 m++;
 } while (ipn++ < ip2_to);
 
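Review bot: hash_netportnet4_range_to_cidr() carries no comment explaining why the whole-address-space case is handled apart from ip_set_range_to_cidr(), so the link to the reported hang is lost once this mail is gone; I would add above it something like `/* 0.0.0.0/0 must come back as a single /0 block; see the hang reported with hash:net,port,net */`. The test is an exact match (`from == 0 && to == UINT_MAX`), so every other wide range still goes through ip_set_range_to_cidr() unchanged; that function is not shown here, so it is worth confirming that no other range supplied over netlink reaches the same slow path. Since both arguments are u32, `U32_MAX` would state the bound more precisely than `UINT_MAX`.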
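Review bot: The two counting loops in this hunk, and the add loop in the following hunk, still iterate once per CIDR block over ranges taken from the request, and nothing in the visible lines bounds the iteration count while n and m are being counted. The check that consumes n and m is outside this hunk, so I cannot see whether it runs only after both loops finish; if it does, leaving each loop as soon as the count already exceeds the permitted maximum would keep an oversized or malformed range from occupying the CPU in kernel context. The helper returns UINT_MAX for the full range, so `while (ipn++ < ip_to)` exits on the comparison before the increment wraps; a short comment such as `/* compared before the increment, so ipn == UINT_MAX ends the loop */` would make that dependency explicit.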
@@ -310,13 +320,13 @@ hash_netportnet4_uadt(struct ip_set *set, struct nlattr *tb[],
 
 do {
 e.ip[0] = htonl(ip);
- ip = ip_set_range_to_cidr(ip, ip_to, &e.cidr[0]);
+ ip = hash_netportnet4_range_to_cidr(ip, ip_to, &e.cidr[0]);
 for (; p <= port_to; p++) {
 e.port = htons(p);
 do {
 e.ip[1] = htonl(ip2);
- ip2 = ip_set_range_to_cidr(ip2, ip2_to,
- &e.cidr[1]);
+ ip2 = hash_netportnet4_range_to_cidr(ip2,
+ ip2_to, &e.cidr[1]);
 ret = adtfn(set, &e, &ext, &ext, flags);
 if (ret && !ip_set_eexist(ret, flags))
 return ret;

Best regards,
Jozsef
-
E-mail : kadlec@xxxxxxxxxxxxxxxxx, kadlecsik.jozsef@xxxxxxxxx
PGP key : https://wigner.hu/~kadlec/pgp_public_key.txt
Address : Wigner Research Centre for Physics
 H-1525 Budapest 114, POB. 49, Hungary