|
|
87a48e |
From 33b10b9112f2f51df049315438204efec7a5434c Mon Sep 17 00:00:00 2001
|
|
|
816caf |
From: Eric Garver <eric@garver.life>
|
|
|
816caf |
Date: Tue, 25 Jan 2022 09:29:32 -0500
|
|
|
87a48e |
Subject: [PATCH 51/51] fix(ipset): further reduce cost of entry overlap
|
|
|
816caf |
detection
|
|
|
816caf |
|
|
|
816caf |
This makes the complexity linear by sorting the networks ahead of time.
|
|
|
816caf |
|
|
|
816caf |
Fixes: #881
|
|
|
816caf |
Fixes: rhbz2043289
|
|
|
816caf |
(cherry picked from commit 36c170db265265e838a089858be4b20dbbd582eb)
|
|
|
816caf |
---
|
|
|
816caf |
src/firewall/core/ipset.py | 59 ++++++++++++++++++++++++++++++++---
|
|
|
816caf |
src/tests/regression/gh881.at | 42 ++++++++++++++++++++++---
|
|
|
816caf |
2 files changed, 92 insertions(+), 9 deletions(-)
|
|
|
816caf |
|
|
|
816caf |
diff --git a/src/firewall/core/ipset.py b/src/firewall/core/ipset.py
|
|
|
816caf |
index 66ea4335536d..b160d8345669 100644
|
|
|
816caf |
--- a/src/firewall/core/ipset.py
|
|
|
816caf |
+++ b/src/firewall/core/ipset.py
|
|
|
816caf |
@@ -327,8 +327,57 @@ def check_for_overlapping_entries(entries):
|
|
|
816caf |
# at least one entry can not be parsed
|
|
|
816caf |
return
|
|
|
816caf |
|
|
|
816caf |
- while entries:
|
|
|
816caf |
- entry = entries.pop()
|
|
|
816caf |
- for itr in entries:
|
|
|
816caf |
- if entry.overlaps(itr):
|
|
|
816caf |
- raise FirewallError(errors.INVALID_ENTRY, "Entry '{}' overlaps entry '{}'".format(entry, itr))
|
|
|
816caf |
+ # We can take advantage of some facts of IPv4Network/IPv6Network and
|
|
|
816caf |
+ # how Python sorts the networks to quickly detect overlaps.
|
|
|
816caf |
+ #
|
|
|
816caf |
+ # Facts:
|
|
|
816caf |
+ #
|
|
|
816caf |
+ # 1. IPv{4,6}Network are normalized to remove host bits, e.g.
|
|
|
816caf |
+ # 10.1.1.0/16 will become 10.1.0.0/16.
|
|
|
816caf |
+ #
|
|
|
816caf |
+ # 2. IPv{4,6}Network objects are sorted by:
|
|
|
816caf |
+ # a. IP address (network bits)
|
|
|
816caf |
+ # then
|
|
|
816caf |
+ # b. netmask (significant bits count)
|
|
|
816caf |
+ #
|
|
|
816caf |
+ # Because of the above we have these properties:
|
|
|
816caf |
+ #
|
|
|
816caf |
+ # 1. big networks (netA) are sorted before smaller networks (netB)
|
|
|
816caf |
+ # that overlap the big network (netA)
|
|
|
816caf |
+ # - e.g. 10.1.128.0/17 (netA) sorts before 10.1.129.0/24 (netB)
|
|
|
816caf |
+ # 2. same value addresses (network bits) are grouped together even
|
|
|
816caf |
+ # if the number of network bits vary. e.g. /16 vs /24
|
|
|
816caf |
+ # - recall that address are normalized to remove host bits
|
|
|
816caf |
+ # - e.g. 10.1.128.0/17 (netA) sorts before 10.1.128.0/24 (netC)
|
|
|
816caf |
+ # 3. non-overlapping networks (netD, netE) are always sorted before or
|
|
|
816caf |
+ # after networks that overlap (netB, netC) the current one (netA)
|
|
|
816caf |
+ # - e.g. 10.1.128.0/17 (netA) sorts before 10.2.128.0/16 (netD)
|
|
|
816caf |
+ # - e.g. 10.1.128.0/17 (netA) sorts after 9.1.128.0/17 (netE)
|
|
|
816caf |
+ # - e.g. 9.1.128.0/17 (netE) sorts before 10.1.129.0/24 (netB)
|
|
|
816caf |
+ #
|
|
|
816caf |
+ # With this we know the sorted list looks like:
|
|
|
816caf |
+ #
|
|
|
816caf |
+ # list: [ netE, netA, netB, netC, netD ]
|
|
|
816caf |
+ #
|
|
|
816caf |
+ # netE = non-overlapping network
|
|
|
816caf |
+ # netA = big network
|
|
|
816caf |
+ # netB = smaller network that overlaps netA (subnet)
|
|
|
816caf |
+ # netC = smaller network that overlaps netA (subnet)
|
|
|
816caf |
+ # netD = non-overlapping network
|
|
|
816caf |
+ #
|
|
|
816caf |
+ # If networks netB and netC exist in the list, they overlap and are
|
|
|
816caf |
+ # adjacent to netA.
|
|
|
816caf |
+ #
|
|
|
816caf |
+ # Checking for overlaps on a sorted list is thus:
|
|
|
816caf |
+ #
|
|
|
816caf |
+ # 1. compare adjacent elements in the list for overlaps
|
|
|
816caf |
+ #
|
|
|
816caf |
+ # Recall that we only need to detect a single overlap. We do not need to
|
|
|
816caf |
+ # detect them all.
|
|
|
816caf |
+ #
|
|
|
816caf |
+ entries.sort()
|
|
|
816caf |
+ prev_network = entries.pop(0)
|
|
|
816caf |
+ for current_network in entries:
|
|
|
816caf |
+ if prev_network.overlaps(current_network):
|
|
|
816caf |
+ raise FirewallError(errors.INVALID_ENTRY, "Entry '{}' overlaps entry '{}'".format(prev_network, current_network))
|
|
|
816caf |
+ prev_network = current_network
|
|
|
816caf |
diff --git a/src/tests/regression/gh881.at b/src/tests/regression/gh881.at
|
|
|
816caf |
index c7326805b555..a5cf7e4eb912 100644
|
|
|
816caf |
--- a/src/tests/regression/gh881.at
|
|
|
816caf |
+++ b/src/tests/regression/gh881.at
|
|
|
816caf |
@@ -5,21 +5,55 @@ dnl build a large ipset
|
|
|
816caf |
dnl
|
|
|
816caf |
AT_DATA([./deny_cidr], [])
|
|
|
816caf |
NS_CHECK([sh -c '
|
|
|
816caf |
-for I in $(seq 10); do
|
|
|
816caf |
+for I in $(seq 250); do
|
|
|
816caf |
for J in $(seq 250); do
|
|
|
816caf |
echo "10.${I}.${J}.0/24" >> ./deny_cidr
|
|
|
816caf |
done
|
|
|
816caf |
done
|
|
|
816caf |
'])
|
|
|
816caf |
+NS_CHECK([echo "10.254.0.0/16" >> ./deny_cidr])
|
|
|
816caf |
|
|
|
816caf |
dnl verify non-overlapping does not error
|
|
|
816caf |
dnl
|
|
|
816caf |
FWD_CHECK([--permanent --new-ipset=deny_set --type=hash:net --option=family=inet --option=hashsize=16384 --option=maxelem=20000], 0, [ignore])
|
|
|
816caf |
-NS_CHECK([time timeout 300 firewall-cmd --permanent --ipset=deny_set --add-entries-from-file=./deny_cidr], 0, [ignore], [ignore])
|
|
|
816caf |
+NS_CHECK([time firewall-cmd --permanent --ipset=deny_set --add-entries-from-file=./deny_cidr], 0, [ignore], [ignore])
|
|
|
816caf |
+
|
|
|
816caf |
+dnl still no overlap
|
|
|
816caf |
+dnl
|
|
|
816caf |
+AT_DATA([./deny_cidr], [
|
|
|
816caf |
+9.0.0.0/8
|
|
|
816caf |
+11.1.0.0/16
|
|
|
816caf |
+])
|
|
|
816caf |
+NS_CHECK([time firewall-cmd --permanent --ipset=deny_set --add-entries-from-file=./deny_cidr], 0, [ignore], [ignore])
|
|
|
816caf |
|
|
|
816caf |
dnl verify overlap detection actually detects an overlap
|
|
|
816caf |
dnl
|
|
|
816caf |
-NS_CHECK([echo "10.1.0.0/16" >> ./deny_cidr])
|
|
|
816caf |
-NS_CHECK([time timeout 300 firewall-cmd --permanent --ipset=deny_set --add-entries-from-file=./deny_cidr], 136, [ignore], [ignore])
|
|
|
816caf |
+AT_DATA([./deny_cidr], [
|
|
|
816caf |
+10.1.0.0/16
|
|
|
816caf |
+10.2.0.0/16
|
|
|
816caf |
+10.250.0.0/16
|
|
|
816caf |
+])
|
|
|
816caf |
+NS_CHECK([time firewall-cmd --permanent --ipset=deny_set --add-entries-from-file=./deny_cidr], 136, [ignore], [ignore])
|
|
|
816caf |
+
|
|
|
816caf |
+AT_DATA([./deny_cidr], [
|
|
|
816caf |
+10.253.0.0/16
|
|
|
816caf |
+10.253.128.0/17
|
|
|
816caf |
+])
|
|
|
816caf |
+NS_CHECK([time firewall-cmd --permanent --ipset=deny_set --add-entries-from-file=./deny_cidr], 136, [ignore], [ignore])
|
|
|
816caf |
+
|
|
|
816caf |
+AT_DATA([./deny_cidr], [
|
|
|
816caf |
+10.1.1.1/32
|
|
|
816caf |
+])
|
|
|
816caf |
+NS_CHECK([time firewall-cmd --permanent --ipset=deny_set --add-entries-from-file=./deny_cidr], 136, [ignore], [ignore])
|
|
|
816caf |
+
|
|
|
816caf |
+AT_DATA([./deny_cidr], [
|
|
|
816caf |
+10.0.0.0/8
|
|
|
816caf |
+10.0.0.0/25
|
|
|
816caf |
+])
|
|
|
816caf |
+NS_CHECK([time firewall-cmd --permanent --ipset=deny_set --add-entries-from-file=./deny_cidr], 136, [ignore], [ignore])
|
|
|
816caf |
+
|
|
|
816caf |
+dnl empty file, no additions, but previous ones will remain
|
|
|
816caf |
+AT_DATA([./deny_cidr], [])
|
|
|
816caf |
+FWD_CHECK([--permanent --ipset=deny_set --add-entries-from-file=./deny_cidr], 0, [ignore], [ignore])
|
|
|
816caf |
|
|
|
816caf |
FWD_END_TEST()
|
|
|
816caf |
--
|
|
|
816caf |
2.31.1
|
|
|
816caf |
|