bugzilla-daemon at netfilter.org
2023-Oct-25 09:20 UTC
[Bug 1719] New: ipset wrongly blocking undefined ranges and not blocking ranges that are defined
https://bugzilla.netfilter.org/show_bug.cgi?id=1719

Bug ID: 1719
Summary: ipset wrongly blocking undefined ranges and not blocking ranges that are defined
Product: ipset
Version: unspecified
Hardware: All
OS: RedHat Linux
Status: NEW
Severity: critical
Priority: P5
Component: default
Assignee: netfilter-buglog at lists.netfilter.org
Reporter: raymi.coevan at gmail.com

Created attachment 727 --> https://bugzilla.netfilter.org/attachment.cgi?id=727&action=edit
ipset blacklist (1881 entries)

As the version used is not available in the above version list: ipset v6.29, protocol version: 6. OS is CentOS (RHEL).

$ ipset -L -n
blacklist

$ ipset -L -t
Name: blacklist
Type: hash:net
Revision: 6
Header: family inet hashsize 1024 maxelem 65536
Size in memory: 57600
References: 1
Number of entries: 1881

$ ipset test blacklist 108.174.0.158
108.174.0.158 is in set blacklist.
$ ipset test blacklist 108.174.1.10
108.174.1.10 is in set blacklist.
$ ipset test blacklist 108.174.8.95
108.174.8.95 is in set blacklist.

The IP addresses tested above are not defined in blacklist but are nevertheless blocked.

$ ipset test blacklist 108.174.8.95
108.174.8.95 is in set blacklist.

Now, on the opposite:

$ ipset test blacklist 203.55.21.150
203.55.21.150 is NOT in set blacklist.

However, it is defined via 203.55.21.0/24 and is NOT blocked, which is critical.

Attached is the /etc/sysconfig/ipset blacklist.

--
You are receiving this mail because:
You are watching all bug changes.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.netfilter.org/pipermail/netfilter-buglog/attachments/20231025/bbf5c9bf/attachment.html>
bugzilla-daemon at netfilter.org
2023-Oct-25 10:18 UTC
[Bug 1719] ipset wrongly blocking undefined ranges and not blocking ranges that are defined
https://bugzilla.netfilter.org/show_bug.cgi?id=1719

Jozsef Kadlecsik <kadlec at netfilter.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |kadlec at netfilter.org

--- Comment #1 from Jozsef Kadlecsik <kadlec at netfilter.org> ---
ipset v6.29 was released in 2016, please upgrade. All the packages which are available at https://ipset.netfilter.org/ support old kernel versions as well. (But you have to compile both the kernel modules and the tool too.)
bugzilla-daemon at netfilter.org
2023-Oct-25 11:49 UTC
[Bug 1719] ipset wrongly blocking undefined ranges and not blocking ranges that are defined
https://bugzilla.netfilter.org/show_bug.cgi?id=1719

--- Comment #2 from Raymi <raymi.coevan at gmail.com> ---
The repo I'm depending on unfortunately declares this version as the latest. I won't be authorized to compile specific sources on this production machine, but knowing that the kernel version is 5.10, I could find a workaround by installing the ipset-7.1-1.el7.x86_64.rpm. Before bypassing internal policies, do you confirm that version 7.1.1 solves the issue?
bugzilla-daemon at netfilter.org
2023-Oct-25 12:50 UTC
[Bug 1719] ipset wrongly blocking undefined ranges and not blocking ranges that are defined
https://bugzilla.netfilter.org/show_bug.cgi?id=1719

--- Comment #3 from Jozsef Kadlecsik <kadlec at netfilter.org> ---
You have a mistyping in your set:

add blacklist 103.24.200.0/2

is equivalent with

add blacklist 64.0.0.0/2

and it explains the "ghost" matches. In my test environment, loading in your set definition, I get

# ipset t blacklist 203.55.21.150
Warning: 203.55.21.150 is in set blacklist.

Please verify your set content.
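The root cause in this thread is a single mistyped prefix length: hash:net masks the host bits off every entry, so 103.24.200.0/2 is stored as 64.0.0.0/2 and silently matches a quarter of the IPv4 space. The following Python linter is an added example, not code from the bug report or from the ipset project. It reads ipset save/restore lines, reports entries whose written address is not the network address for the given prefix (showing what ipset will actually store), flags entries broader than a configurable threshold, and lets you ask which entries would match a given address. The set name, the restore excerpt and the threshold are constructed assumptions; only the /2 typo and the 203.55.21.0/24 entry come from the thread.

```python
"""Lint ipset restore files for mistyped CIDR entries (added example, not ipset code)."""
import ipaddress
import re
import sys
from typing import Iterator, List, NamedTuple, Tuple

# Constructed excerpt in `ipset save` format. The /2 entry reproduces the
# typo from the report; the other entries are made-up documentation ranges.
SAMPLE_RESTORE = """\
create blacklist hash:net family inet hashsize 1024 maxelem 65536
add blacklist 103.24.200.0/2
add blacklist 203.55.21.0/24
add blacklist 198.51.100.7
add blacklist 192.0.2.0/24
"""

ADD_RE = re.compile(r"^\s*add\s+(\S+)\s+(\S+)")


class Finding(NamedTuple):
    set_name: str
    written: str    # entry exactly as written in the file
    effective: str  # network ipset will actually store after masking host bits
    reason: str


def effective_network(entry: str) -> ipaddress.IPv4Network:
    """Return the network ipset stores for an entry.

    strict=False mirrors hash:net behaviour: host bits are masked off, so
    103.24.200.0/2 becomes 64.0.0.0/2. A bare address is treated as a /32.
    """
    return ipaddress.ip_network(entry, strict=False)


def parse_entries(text: str) -> Iterator[Tuple[str, str]]:
    """Yield (set_name, entry) for every `add` line; other lines are ignored."""
    for line in text.splitlines():
        m = ADD_RE.match(line)
        if m:
            yield m.group(1), m.group(2)


def lint(text: str, max_hosts: int = 2 ** 16) -> List[Finding]:
    """Flag entries whose stored network differs from what was written,
    entries broader than max_hosts addresses, and unparsable entries."""
    findings: List[Finding] = []
    for set_name, written in parse_entries(text):
        try:
            net = effective_network(written)
        except ValueError as exc:
            findings.append(Finding(set_name, written, "-", f"unparsable: {exc}"))
            continue
        if "/" in written and str(net) != written:
            findings.append(Finding(set_name, written, str(net),
                                    "host bits set: prefix length is probably mistyped"))
        elif net.num_addresses > max_hosts:
            findings.append(Finding(set_name, written, str(net),
                                    f"covers {net.num_addresses} addresses; confirm this is intended"))
    return findings


def matches(text: str, ip: str) -> List[str]:
    """Return the written entries whose effective network contains `ip`.

    This reproduces the 'ghost' matches from the report: 108.174.0.158 is
    matched by the /2 entry even though no 108.x entry was written.
    """
    addr = ipaddress.ip_address(ip)
    hits = []
    for _set_name, written in parse_entries(text):
        try:
            if addr in effective_network(written):
                hits.append(written)
        except ValueError:
            continue
    return hits


if __name__ == "__main__":
    # Usage: python lint_ipset.py [restore-file]  (defaults to the constructed sample)
    data = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_RESTORE
    for f in lint(data):
        print(f"{f.set_name}: '{f.written}' -> stored as {f.effective}: {f.reason}")
    for probe in ("108.174.0.158", "203.55.21.150"):
        print(f"{probe} matched by: {matches(data, probe) or 'nothing'}")
```

Running the linter against `ipset save` output before `ipset restore` turns this class of typo from a silent over-block into a visible diagnostic; the host-bits check is the important one, since ipset itself accepts such an entry without complaint.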
bugzilla-daemon at netfilter.org
2023-Oct-28 13:50 UTC
[Bug 1719] ipset wrongly blocking undefined ranges and not blocking ranges that are defined
https://bugzilla.netfilter.org/show_bug.cgi?id=1719

Raymi <raymi.coevan at gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|NEW                         |RESOLVED
         Resolution|---                         |INVALID

--- Comment #4 from Raymi <raymi.coevan at gmail.com> ---
My apologies, you are definitely right. I have corrected this entry as well as another one that was incorrectly set. Thanks for your help and sorry again.