bugzilla-daemon at bugzilla.netfilter.org
2011-Jul-24 22:04 UTC
[Bug 729] New: iptables + ipset rules apply but nothing go to the chain
http://bugzilla.netfilter.org/show_bug.cgi?id=729

           Summary: iptables + ipset rules apply but nothing go to the chain
           Product: iptables
           Version: unspecified
          Platform: x86_64
        OS/Version: Debian GNU/Linux
            Status: NEW
          Severity: critical
          Priority: P2
         Component: iptables
        AssignedTo: netfilter-buglog at lists.netfilter.org
        ReportedBy: onorua at gmail.com
   Estimated Hours: 0.0

What I have:

~ # iptables -V
iptables v1.4.12
~ # ipset -V
ipset v6.8, protocol version: 6
~ # uname -r
2.6.39.3-bg

eth1      Link encap:Ethernet  HWaddr 00:26:82:03:7c:3e
          inet addr:193.43.210.32  Bcast:193.43.210.255  Mask:255.255.255.0

~ # ipset -L iUser
Name: iUser
Type: bitmap:ip,mac
Header: range 193.43.210.10-193.43.210.215
Size in memory: 3408
References: 3
Members:
193.43.210.32,00:26:82:03:7C:3E

What I do:

~ # iptables -p icmp -A INPUT -m set --match-set iUser src -j DROP

Then run ping from the host, and what I get:

~ # iptables -nvL INPUT
Chain INPUT (policy ACCEPT 356 packets, 41541 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       icmp --  *      *       0.0.0.0/0            0.0.0.0/0            match-set iUser src

Seems to me that ipset with iptables stopped working at all. There is nothing
related to this issue in the log files.
Please let me know what other info would be useful and I'll provide it.

--
Configure bugmail: http://bugzilla.netfilter.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
You are watching all bug changes.
bugzilla-daemon at bugzilla.netfilter.org
2011-Jul-25 09:07 UTC
[Bug 729] iptables + ipset rules apply but nothing go to the chain
http://bugzilla.netfilter.org/show_bug.cgi?id=729

onorua <onorua at gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |onorua at gmail.com
          Component|iptables                    |ip_tables (kernel)
            Product|iptables                    |netfilter/iptables
            Version|unspecified                 |linux-2.6.x

--- Comment #1 from onorua <onorua at gmail.com> 2011-07-25 11:07:25 ---

Forgot to mention, if I do the following:

iptables -A INPUT -s 193.43.210.32 -p icmp -j DROP

and then start pinging the host, the counter is increasing:

~ # iptables -nvL INPUT
Chain INPUT (policy ACCEPT 114 packets, 7790 bytes)
 pkts bytes target     prot opt in     out     source               destination
    0     0 DROP       icmp --  *      *       0.0.0.0/0            0.0.0.0/0            match-set iUser src
   17  1428 DROP       icmp --  *      *       193.43.210.32        0.0.0.0/0

That means that iptables functionality is working fine, except the
iptables+ipset combination.

P.S. I think the component choice was wrong, so I'm changing it to
netfilter/iptables
bugzilla-daemon at bugzilla.netfilter.org
2011-Jul-25 09:57 UTC
[Bug 729] iptables + ipset rules apply but nothing go to the chain
http://bugzilla.netfilter.org/show_bug.cgi?id=729

--- Comment #2 from onorua <onorua at gmail.com> 2011-07-25 11:57:33 ---

I've tried to check functionality on kernel 3.0.0; the result is the same.
bugzilla-daemon at bugzilla.netfilter.org
2011-Jul-25 10:29 UTC
[Bug 729] iptables + ipset rules apply but nothing go to the chain
http://bugzilla.netfilter.org/show_bug.cgi?id=729

onorua <onorua at gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|                            |INVALID

--- Comment #3 from onorua <onorua at gmail.com> 2011-07-25 12:29:49 ---

The problem is with ipset: it requires two parameters, such as src,src.
Here is the information from the man pages:

    The bitmap:ip,mac type of sets require two src/dst parameters of the set
    match and SET target netfilter kernel modules and the second one must be
    src to match, add or delete entries because the set match and SET target
    have access to the source MAC address only.
bugzilla-daemon at bugzilla.netfilter.org
2011-Jul-25 18:54 UTC
[Bug 729] iptables + ipset rules apply but nothing go to the chain
http://bugzilla.netfilter.org/show_bug.cgi?id=729

Jozsef Kadlecsik <kadlec at netfilter.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |kadlec at netfilter.org

--- Comment #4 from Jozsef Kadlecsik <kadlec at netfilter.org> 2011-07-25 20:54:54 ---

ipset before 6.x silently accepted a single src for the macipmap type, but
that is not so anymore. With ipset 6.x two direction parameters are required
for bitmap:ip,mac type of sets. If insufficient direction parameters are
specified for any set type, the set match returns *nomatch* and the SET
target does nothing.

Best regards,
Jozsef
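The silent nomatch described in comments #3 and #4 is easy to catch before deployment: a rule's `--match-set` direction flags must have one entry per element of the set type, and the mac element must be `src`. The following lint is an added example, not code from the bug thread or from the ipset project; it runs over constructed samples of `ipset list -t` and `iptables-save` output rather than querying the live kernel.

```python
import shlex

# Constructed sample of `ipset list -t` output (terse: headers only).
IPSET_LIST_T = """\
Name: iUser
Type: bitmap:ip,mac
Header: range 193.43.210.10-193.43.210.215

Name: blocklist
Type: hash:ip
"""

# Constructed sample of `iptables-save` output for the filter table.
IPTABLES_SAVE = """\
-A INPUT -p icmp -m set --match-set iUser src -j DROP
-A INPUT -p icmp -m set --match-set iUser src,dst -j DROP
-A INPUT -p icmp -m set --match-set iUser src,src -j DROP
-A INPUT -m set --match-set blocklist src -j DROP
COMMIT
"""

def parse_set_types(listing):
    """Map set name -> set type ('bitmap:ip,mac', ...) from `ipset list -t`."""
    types, name = {}, None
    for line in listing.splitlines():
        if line.startswith("Name:"):
            name = line.split(":", 1)[1].strip()
        elif line.startswith("Type:") and name:
            types[name] = line.split(":", 1)[1].strip()
    return types

def check_flags(set_type, flags):
    """Return a problem string, or None when the flags fit the type's elements."""
    elems = set_type.split(":", 1)[1].split(",")
    if len(flags) != len(elems):
        return "%s needs %d direction flags, got %d (match returns nomatch)" % (
            set_type, len(elems), len(flags))
    # The set match only sees the source MAC, so a mac element must use src.
    if any(e == "mac" and f != "src" for e, f in zip(elems, flags)):
        return "%s: the mac element must be matched with src" % set_type

def lint_rules(save_output, set_types):
    """Yield (rule, problem) for every --match-set rule that cannot match."""
    for rule in save_output.splitlines():
        argv = shlex.split(rule)
        if "--match-set" in argv:
            i = argv.index("--match-set")
            problem = check_flags(set_types[argv[i + 1]], argv[i + 2].split(","))
            if problem:
                yield rule, problem
```

On a live host the same check works by feeding it the real `ipset list -t` and `iptables-save` output; the first sample rule is exactly the one from the report and is flagged, the `src,src` form passes.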