Blame SOURCES/v1.0.0-0051-fix-ipset-further-reduce-cost-of-entry-overlap-detec.patch

87a48e
From 33b10b9112f2f51df049315438204efec7a5434c Mon Sep 17 00:00:00 2001
816caf
From: Eric Garver <eric@garver.life>
816caf
Date: Tue, 25 Jan 2022 09:29:32 -0500
87a48e
Subject: [PATCH 51/51] fix(ipset): further reduce cost of entry overlap
816caf
 detection
816caf
816caf
This makes the complexity linear by sorting the networks ahead of time.
816caf
816caf
Fixes: #881
816caf
Fixes: rhbz2043289
816caf
(cherry picked from commit 36c170db265265e838a089858be4b20dbbd582eb)
816caf
---
816caf
 src/firewall/core/ipset.py    | 59 ++++++++++++++++++++++++++++++++---
816caf
 src/tests/regression/gh881.at | 42 ++++++++++++++++++++++---
816caf
 2 files changed, 92 insertions(+), 9 deletions(-)
816caf
816caf
diff --git a/src/firewall/core/ipset.py b/src/firewall/core/ipset.py
816caf
index 66ea4335536d..b160d8345669 100644
816caf
--- a/src/firewall/core/ipset.py
816caf
+++ b/src/firewall/core/ipset.py
816caf
@@ -327,8 +327,57 @@ def check_for_overlapping_entries(entries):
816caf
         # at least one entry can not be parsed
816caf
         return
816caf
 
816caf
-    while entries:
816caf
-        entry = entries.pop()
816caf
-        for itr in entries:
816caf
-            if entry.overlaps(itr):
816caf
-                raise FirewallError(errors.INVALID_ENTRY, "Entry '{}' overlaps entry '{}'".format(entry, itr))
816caf
+    # We can take advantage of some facts of IPv4Network/IPv6Network and
816caf
+    # how Python sorts the networks to quickly detect overlaps.
816caf
+    #
816caf
+    # Facts:
816caf
+    #
816caf
+    #   1. IPv{4,6}Network are normalized to remove host bits, e.g.
816caf
+    #     10.1.1.0/16 will become 10.1.0.0/16.
816caf
+    #
816caf
+    #   2. IPv{4,6}Network objects are sorted by:
816caf
+    #     a. IP address (network bits)
816caf
+    #   then
816caf
+    #     b. netmask (significant bits count)
816caf
+    #
816caf
+    # Because of the above we have these properties:
816caf
+    #
816caf
+    #   1. big networks (netA) are sorted before smaller networks (netB)
816caf
+    #      that overlap the big network (netA)
816caf
+    #     - e.g. 10.1.128.0/17 (netA) sorts before 10.1.129.0/24 (netB)
816caf
+    #   2. same value addresses (network bits) are grouped together even
816caf
+    #      if the number of network bits vary. e.g. /16 vs /24
816caf
+    #     - recall that address are normalized to remove host bits
816caf
+    #     - e.g. 10.1.128.0/17 (netA) sorts before 10.1.128.0/24 (netC)
816caf
+    #   3. non-overlapping networks (netD, netE) are always sorted before or
816caf
+    #      after networks that overlap (netB, netC) the current one (netA)
816caf
+    #     - e.g. 10.1.128.0/17 (netA) sorts before 10.2.128.0/16 (netD)
816caf
+    #     - e.g. 10.1.128.0/17 (netA) sorts after 9.1.128.0/17 (netE)
816caf
+    #     - e.g. 9.1.128.0/17 (netE) sorts before 10.1.129.0/24 (netB)
816caf
+    #
816caf
+    # With this we know the sorted list looks like:
816caf
+    #
816caf
+    #   list: [ netE, netA, netB, netC, netD ]
816caf
+    #
816caf
+    #   netE = non-overlapping network
816caf
+    #   netA = big network
816caf
+    #   netB = smaller network that overlaps netA (subnet)
816caf
+    #   netC = smaller network that overlaps netA (subnet)
816caf
+    #   netD = non-overlapping network
816caf
+    #
816caf
+    #   If networks netB and netC exist in the list, they overlap and are
816caf
+    #   adjacent to netA.
816caf
+    #
816caf
+    # Checking for overlaps on a sorted list is thus:
816caf
+    #
816caf
+    #   1. compare adjacent elements in the list for overlaps
816caf
+    #
816caf
+    # Recall that we only need to detect a single overlap. We do not need to
816caf
+    # detect them all.
816caf
+    #
816caf
+    entries.sort()
816caf
+    prev_network = entries.pop(0)
816caf
+    for current_network in entries:
816caf
+        if prev_network.overlaps(current_network):
816caf
+            raise FirewallError(errors.INVALID_ENTRY, "Entry '{}' overlaps entry '{}'".format(prev_network, current_network))
816caf
+        prev_network = current_network
816caf
diff --git a/src/tests/regression/gh881.at b/src/tests/regression/gh881.at
816caf
index c7326805b555..a5cf7e4eb912 100644
816caf
--- a/src/tests/regression/gh881.at
816caf
+++ b/src/tests/regression/gh881.at
816caf
@@ -5,21 +5,55 @@ dnl build a large ipset
816caf
 dnl
816caf
 AT_DATA([./deny_cidr], [])
816caf
 NS_CHECK([sh -c '
816caf
-for I in $(seq 10); do
816caf
+for I in $(seq 250); do
816caf
   for J in $(seq 250); do
816caf
     echo "10.${I}.${J}.0/24" >> ./deny_cidr
816caf
   done
816caf
 done
816caf
 '])
816caf
+NS_CHECK([echo "10.254.0.0/16" >> ./deny_cidr])
816caf
 
816caf
 dnl verify non-overlapping does not error
816caf
 dnl
816caf
 FWD_CHECK([--permanent --new-ipset=deny_set --type=hash:net --option=family=inet --option=hashsize=16384 --option=maxelem=20000], 0, [ignore])
816caf
-NS_CHECK([time timeout 300 firewall-cmd --permanent --ipset=deny_set --add-entries-from-file=./deny_cidr], 0, [ignore], [ignore])
816caf
+NS_CHECK([time firewall-cmd --permanent --ipset=deny_set --add-entries-from-file=./deny_cidr], 0, [ignore], [ignore])
816caf
+
816caf
+dnl still no overlap
816caf
+dnl
816caf
+AT_DATA([./deny_cidr], [
816caf
+9.0.0.0/8
816caf
+11.1.0.0/16
816caf
+])
816caf
+NS_CHECK([time firewall-cmd --permanent --ipset=deny_set --add-entries-from-file=./deny_cidr], 0, [ignore], [ignore])
816caf
 
816caf
 dnl verify overlap detection actually detects an overlap
816caf
 dnl
816caf
-NS_CHECK([echo "10.1.0.0/16" >> ./deny_cidr])
816caf
-NS_CHECK([time timeout 300 firewall-cmd --permanent --ipset=deny_set --add-entries-from-file=./deny_cidr], 136, [ignore], [ignore])
816caf
+AT_DATA([./deny_cidr], [
816caf
+10.1.0.0/16
816caf
+10.2.0.0/16
816caf
+10.250.0.0/16
816caf
+])
816caf
+NS_CHECK([time firewall-cmd --permanent --ipset=deny_set --add-entries-from-file=./deny_cidr], 136, [ignore], [ignore])
816caf
+
816caf
+AT_DATA([./deny_cidr], [
816caf
+10.253.0.0/16
816caf
+10.253.128.0/17
816caf
+])
816caf
+NS_CHECK([time firewall-cmd --permanent --ipset=deny_set --add-entries-from-file=./deny_cidr], 136, [ignore], [ignore])
816caf
+
816caf
+AT_DATA([./deny_cidr], [
816caf
+10.1.1.1/32
816caf
+])
816caf
+NS_CHECK([time firewall-cmd --permanent --ipset=deny_set --add-entries-from-file=./deny_cidr], 136, [ignore], [ignore])
816caf
+
816caf
+AT_DATA([./deny_cidr], [
816caf
+10.0.0.0/8
816caf
+10.0.0.0/25
816caf
+])
816caf
+NS_CHECK([time firewall-cmd --permanent --ipset=deny_set --add-entries-from-file=./deny_cidr], 136, [ignore], [ignore])
816caf
+
816caf
+dnl empty file, no additions, but previous ones will remain
816caf
+AT_DATA([./deny_cidr], [])
816caf
+FWD_CHECK([--permanent --ipset=deny_set --add-entries-from-file=./deny_cidr], 0, [ignore], [ignore])
816caf
 
816caf
 FWD_END_TEST()
816caf
-- 
816caf
2.31.1
816caf