Hi,
This patchset adds the missing code to reject overlapping intervals.
# nft add table ip filter
# nft add set ip filter myset { type ipv4_addr\; flags interval\; }
# nft add chain ip filter output { type filter hook output priority 0\; }
# nft add rule ip filter output ip daddr @myset counter packets 0 bytes 0
# nft add element ip filter myset { 127.0.0.0/16 }
Then, if you add an overlapping element:
# nft add element ip filter myset { 127.0.0.0/24 }
<cmdline>:1:31-42: Error: interval overlaps with an existing one
add element ip filter myset { 127.0.0.0/24 }
^^^^^^^^^^^^
The new validation code from userspace rejects this to avoid shadowing
issues.
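To illustrate the check the cover letter describes, here is a small stand-alone C model of rejecting a prefix that overlaps an element already in an interval set. This is an added example, not code from the patchset or from nftables; the struct and function names are my own.

```c
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <stdbool.h>
#include <arpa/inet.h>

/* Closed range of IPv4 addresses, host byte order (hypothetical type). */
struct interval { uint32_t start; uint32_t end; };

/* Parse "a.b.c.d/len" (or a bare address) into [start, end]. */
static bool prefix_to_interval(const char *cidr, struct interval *iv)
{
    char addr[INET_ADDRSTRLEN];
    const char *slash = strchr(cidr, '/');
    unsigned int len = 32;
    struct in_addr in;
    size_t n = slash ? (size_t)(slash - cidr) : strlen(cidr);

    if (n >= sizeof(addr))
        return false;
    memcpy(addr, cidr, n);
    addr[n] = '\0';
    if (slash && (sscanf(slash + 1, "%u", &len) != 1 || len > 32))
        return false;
    if (inet_pton(AF_INET, addr, &in) != 1)
        return false;

    uint32_t base = ntohl(in.s_addr);
    uint32_t mask = len == 0 ? 0 : 0xffffffffu << (32 - len);
    iv->start = base & mask;
    iv->end = base | ~mask;
    return true;
}

/* Two closed intervals overlap unless one lies entirely before the other. */
static bool intervals_overlap(const struct interval *a, const struct interval *b)
{
    return a->start <= b->end && b->start <= a->end;
}

/* Add `cidr` to `set` (holding *count of at most cap elements).
 * Returns 0 on success, -1 on bad input or a full set, and -2 when the new
 * element overlaps an existing one, mirroring nft's "interval overlaps" error. */
int set_add_element(struct interval *set, size_t *count, size_t cap, const char *cidr)
{
    struct interval iv;
    if (!prefix_to_interval(cidr, &iv))
        return -1;
    for (size_t i = 0; i < *count; i++)
        if (intervals_overlap(&set[i], &iv))
            return -2; /* reject instead of silently shadowing */
    if (*count == cap)
        return -1;
    set[(*count)++] = iv;
    return 0;
}
```

With 127.0.0.0/16 already in the set, adding 127.0.0.0/24 returns -2, while 127.1.0.0/16 is accepted because the ranges do not share any address.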
Pablo Neira Ayuso (4):
segtree: set expr->len for prefix expression from interval_map_decompose()
segtree: add expr_to_intervals()
segtree: rename set expression set_to_segtree()
segtree: add interval overlap detection for dynamic updates
src/segtree.c | 92 +++++++++++++++++++++++++++++++++++++++++++++++++++--------
1 file changed, 80 insertions(+), 12 deletions(-)
--
2.1.4