netfilter: ipset: Update byte and packet counters regardless of whether they match
In ip_set_match_extensions(), for sets with counters, we take care of updating counters themselves by calling ip_set_update_counter(), and of checking if the given comparison and values match, by calling ip_set_match_counter() if needed.

However, if a given comparison on counters doesn't match the configured values, that doesn't mean the set entry itself isn't matching.

This fix restores the behaviour we had before commit 4750005a85 ("netfilter: ipset: Fix "don't update counters" mode when counters used at the matching"), without reintroducing the issue fixed there: back then, mtype_data_match() first updated counters in any case, and then took care of matching on counters.

Now, if the IPSET_FLAG_SKIP_COUNTER_UPDATE flag is set, ip_set_update_counter() will anyway skip counter updates if desired.

The issue observed is illustrated by this reproducer:

  ipset create c hash:ip counters
  ipset add c 192.0.2.1
  iptables -I INPUT -m set --match-set c src --bytes-gt 800 -j DROP

if we now send packets from 192.0.2.1, bytes and packets counters for the entry as shown by 'ipset list' are always zero, and, no matter how many bytes we send, the rule will never match, because counters themselves are not updated.

Reported-by: Mithil Mhatre <mmhatre@redhat.com>
Fixes: 4750005a85 ("netfilter: ipset: Fix "don't update counters" mode when counters used at the matching")
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
Signed-off-by: Jozsef Kadlecsik <kadlec@netfilter.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
parent c0391b6ab8
commit 7d10e62c2f
@@ -637,13 +637,14 @@ ip_set_match_extensions(struct ip_set *set, const struct ip_set_ext *ext,
 	if (SET_WITH_COUNTER(set)) {
 		struct ip_set_counter *counter = ext_counter(data, set);
 
+		ip_set_update_counter(counter, ext, flags);
+
 		if (flags & IPSET_FLAG_MATCH_COUNTERS &&
 		    !(ip_set_match_counter(ip_set_get_packets(counter),
 					   mext->packets, mext->packets_op) &&
 		      ip_set_match_counter(ip_set_get_bytes(counter),
 					   mext->bytes, mext->bytes_op)))
 			return false;
-		ip_set_update_counter(counter, ext, flags);
 	}
 	if (SET_WITH_SKBINFO(set))
 		ip_set_get_skbinfo(ext_skbinfo(data, set),
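Review bot: moving `ip_set_update_counter(counter, ext, flags);` above the IPSET_FLAG_MATCH_COUNTERS test makes it run unconditionally for every set with counters, so the fix is only safe if ip_set_update_counter() itself honours IPSET_FLAG_SKIP_COUNTER_UPDATE; the commit message asserts that it does, but the hunk does not show it, and a one-line comment above the call stating that the update is deliberately done before the comparison (a failed counter comparison does not mean the entry failed to match) would stop a later cleanup from swapping them back and re-introducing the 4750005a85 regression. A secondary observation from the new ordering: ip_set_get_packets()/ip_set_get_bytes() now read the counters with the current packet already accounted for, so --bytes-gt 800 fires on the packet that pushes the total past 800 rather than on the next one; that agrees with the reproducer but is a behaviour change worth a sentence in the changelog.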