linux/net/netfilter/ipset
Stefano Brivio 7d10e62c2f netfilter: ipset: Update byte and packet counters regardless of whether they match
In ip_set_match_extensions(), for sets with counters, we take care of
updating counters themselves by calling ip_set_update_counter(), and of
checking if the given comparison and values match, by calling
ip_set_match_counter() if needed.

However, if a given comparison on counters doesn't match the configured
values, that doesn't mean the set entry itself isn't matching.

This fix restores the behaviour we had before commit 4750005a85
("netfilter: ipset: Fix "don't update counters" mode when counters used
at the matching"), without reintroducing the issue fixed there: back
then, mtype_data_match() first updated counters in any case, and then
took care of matching on counters.

Now, if the IPSET_FLAG_SKIP_COUNTER_UPDATE flag is set,
ip_set_update_counter() will anyway skip counter updates if desired.

The issue observed is illustrated by this reproducer:

  ipset create c hash:ip counters
  ipset add c 192.0.2.1
  iptables -I INPUT -m set --match-set c src --bytes-gt 800 -j DROP

If we now send packets from 192.0.2.1, bytes and packets counters
for the entry as shown by 'ipset list' are always zero, and, no
matter how many bytes we send, the rule will never match, because
counters themselves are not updated.

Reported-by: Mithil Mhatre <mmhatre@redhat.com>
Fixes: 4750005a85 ("netfilter: ipset: Fix "don't update counters" mode when counters used at the matching")
Signed-off-by: Stefano Brivio <sbrivio@redhat.com>
Signed-off-by: Jozsef Kadlecsik <kadlec@netfilter.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
2020-10-31 11:11:11 +01:00
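
The ordering problem described in the commit message, as a userspace model added here for illustration. It is not the kernel's code: `struct entry`, `SKIP_UPDATE`, `match_before_fix()`, `match_after_fix()` and `first_match()` are hypothetical names, and the packet size of 100 bytes is a constructed input for the reproducer's `--bytes-gt 800` rule.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

#define SKIP_UPDATE 0x1u /* constructed stand-in for IPSET_FLAG_SKIP_COUNTER_UPDATE */

struct entry { uint64_t bytes, packets; }; /* hypothetical model of one set entry */
typedef bool (*match_fn)(struct entry *, uint64_t, uint64_t, unsigned);

/* Models ip_set_update_counter(): the skip flag is honoured here. */
static void update_counter(struct entry *e, uint64_t len, unsigned flags)
{
    if (flags & SKIP_UPDATE)
        return;
    e->bytes += len;
    e->packets++;
}

/* Broken ordering: a failed comparison returns before any update happens. */
static bool match_before_fix(struct entry *e, uint64_t len, uint64_t gt, unsigned flags)
{
    if (e->bytes <= gt)
        return false;
    update_counter(e, len, flags);
    return true;
}

/* Fixed ordering: update first, then compare (--bytes-gt semantics). */
static bool match_after_fix(struct entry *e, uint64_t len, uint64_t gt, unsigned flags)
{
    update_counter(e, len, flags);
    return e->bytes > gt;
}

/* Send n packets of len bytes; return the 1-based index of the first match, 0 if none. */
static int first_match(match_fn fn, struct entry *e, int n, uint64_t len, uint64_t gt, unsigned flags)
{
    for (int i = 1; i <= n; i++)
        if (fn(e, len, gt, flags))
            return i;
    return 0;
}

int main(void)
{
    struct entry a = {0, 0}, b = {0, 0};
    printf("before fix: first match at packet %d\n", first_match(match_before_fix, &a, 20, 100, 800, 0));
    printf("after fix:  first match at packet %d\n", first_match(match_after_fix, &b, 20, 100, 800, 0));
    return 0;
}
```

With the broken ordering a byte-threshold DROP rule never fires and the entry's counters stay at zero; with the fixed ordering the skip flag still suppresses updates, because the check lives in the update helper.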
Kconfig treewide: Add SPDX license identifier - Makefile/Kconfig 2019-05-21 10:50:46 +02:00
Makefile License cleanup: add SPDX GPL-2.0 license identifier to files with no license 2017-11-02 11:10:55 +01:00
ip_set_bitmap_gen.h netfilter: ipset: use bitmap infrastructure completely 2020-01-20 17:41:45 +01:00
ip_set_bitmap_ip.c netfilter: ipset: call ip_set_free() instead of kfree() 2020-06-30 19:09:56 +02:00
ip_set_bitmap_ipmac.c netfilter: ipset: call ip_set_free() instead of kfree() 2020-06-30 19:09:56 +02:00
ip_set_bitmap_port.c netfilter: ipset: call ip_set_free() instead of kfree() 2020-06-30 19:09:56 +02:00
ip_set_core.c netfilter: ipset: Update byte and packet counters regardless of whether they match 2020-10-31 11:11:11 +01:00
ip_set_getport.c netfilter: ipset: move ip_set_get_ip_port() to ip_set_bitmap_port.c. 2019-10-07 23:59:02 +02:00
ip_set_hash_gen.h netfilter: ipset: call ip_set_free() instead of kfree() 2020-06-30 19:09:56 +02:00
ip_set_hash_ip.c netfilter: ipset: remove inline from static functions in .c files. 2019-10-07 23:57:45 +02:00
ip_set_hash_ipmac.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2019-11-09 11:04:37 -08:00
ip_set_hash_ipmark.c netfilter: ipset: remove inline from static functions in .c files. 2019-10-07 23:57:45 +02:00
ip_set_hash_ipport.c netfilter: ipset: remove inline from static functions in .c files. 2019-10-07 23:57:45 +02:00
ip_set_hash_ipportip.c netfilter: ipset: remove inline from static functions in .c files. 2019-10-07 23:57:45 +02:00
ip_set_hash_ipportnet.c netfilter: ipset: remove inline from static functions in .c files. 2019-10-07 23:57:45 +02:00
ip_set_hash_mac.c netfilter: ipset: remove inline from static functions in .c files. 2019-10-07 23:57:45 +02:00
ip_set_hash_net.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2019-11-09 11:04:37 -08:00
ip_set_hash_netiface.c netfilter: ipset: Add wildcard support to net,iface 2019-11-04 20:44:17 +01:00
ip_set_hash_netnet.c Merge git://git.kernel.org/pub/scm/linux/kernel/git/netdev/net 2019-11-09 11:04:37 -08:00
ip_set_hash_netport.c netfilter: ipset: remove inline from static functions in .c files. 2019-10-07 23:57:45 +02:00
ip_set_hash_netportnet.c netfilter: ipset: remove inline from static functions in .c files. 2019-10-07 23:57:45 +02:00
ip_set_list_set.c netfilter: ipset: Fix subcounter update skip 2020-05-25 20:39:14 +02:00
pfxlen.c treewide: Add SPDX license identifier for missed files 2019-05-21 10:50:45 +02:00