bugzilla-daemon at bugzilla.netfilter.org
2010-Mar-11  21:47 UTC
[Bug 640] New: ipset-4.2 : ipset -T <some_setlist> <address> always negative
http://bugzilla.netfilter.org/show_bug.cgi?id=640
           Summary: ipset-4.2 : ipset -T <some_setlist> <address> always negative
           Product: ipset
           Version: unspecified
          Platform: All
        OS/Version: All
            Status: NEW
          Severity: normal
          Priority: P1
         Component: default
        AssignedTo: netfilter-buglog at lists.netfilter.org
        ReportedBy: brendlerjg at gmail.com
I have been using ipsets for years, but am attempting to implement a setlist
for the first time, using version 4.2.
I have created a setlist, including three ipsets (all of type nethash).  I am
trying to validate that it works before incorporating into my firewall.
When I use 'ipset -T' to test whether a given address is included in one of the
nethashes, I get a positive response (that it IS in the set).  However, when I
use ipset -T against the setlist itself, I get a negative response (that it is
NOT in the setlist).
While I realize ipset -T may not be the same as running iptables matches
against the setlist, I would expect that it probably is.
Is this my own user error, or is this broken?  For the time being, I cannot
verify that the setlist works, so I am removing it.
######### Details ##################################################
Here is one of the ipsets included in the setlist...
-------------------------------------------------
# ipset -L cn
Name: cn
Type: nethash
References: 1
Header: hashsize: 5184 probes: 4 resize: 50
Members:
175.64.0.0/11
203.88.32.0/19
203.91.32.0/19
202.38.164.0/22
180.94.96.0/20
121.52.224.0/19
....
.... (hundreds of lines)
....
111.160.0.0/13
202.14.235.0/24
113.204.0.0/14
121.32.0.0/13
114.80.0.0/12
203.171.224.0/20
221.208.0.0/12
113.132.0.0/14
113.11.192.0/19
-------------------------------------------------
So let's test an address in that set:
-------------------------------------------------
# ipset -T cn 202.14.235.87
202.14.235.87 is in set cn
-------------------------------
That's as it should be.  Now, below is the setlist (as you can see, it includes
the ipset "cn" above):
-------------------------------------------------
# ipset -L black_setlist
Name: black_setlist
Type: setlist
References: 1
Header: size: 8
Members:
cn
ru
ng
-------------------------------------------------
Let's test the same address against the setlist...
-------------------------------------------------
# ipset -T black_setlist 202.14.235.87
202.14.235.87 is NOT in set black_setlist.
To me, it looks like the setlist is not working properly, because that address
is definitely included in one of the ipsets that comprise the setlist.
#######################
Please let me know if I have not provided enough information, and thank you
for your time.
-- 
Configure bugmail: http://bugzilla.netfilter.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.
bugzilla-daemon at bugzilla.netfilter.org
2010-Mar-12  13:53 UTC
[Bug 640] ipset-4.2 : ipset -T <some_setlist> <address> always negative
http://bugzilla.netfilter.org/show_bug.cgi?id=640
------- Comment #1 from brendlerjg at gmail.com 2010-03-12 14:53 -------
After some additional testing, I have concluded that the setlist does indeed
work, with respect to iptables/netfilter. It is merely testing from within
ipset that does not work.
One of two things should happen:
a) the portion of the man page that documents "setlist" should make it known
that ipset -T can only be used to test the inclusion of ipsets within a
setlist (and cannot be used to test the inclusion of an ipset member); or
b) the ipset -T function should be extended to mirror the behavior of iptables
setlist matches (as it mirrors this behavior for the other ipset types).
Thank you for the excellent tool.
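The difference the reporter ran into can be made concrete with a small userspace model of the two lookups. The example below is added here and is not ipset code or anything from the netfilter project: `ipset_test()` models what the reporter observed from `ipset -T` in 4.2 (a nethash is checked for address containment, a setlist only for a member set name), and `match_set()` models the behaviour the reporter found for the iptables setlist match and proposes in option (b): descend into each member set in order and report a hit if any of them contains the address. The `cn` members are a few entries copied from the listing above; the contents of `ru` and `ng` are not on the page and are hypothetical, constructed only so the setlist has three members.

```python
"""Userspace model of 'ipset -T' versus the netfilter setlist match.

Added example, not ipset's own code.  The SETS table is constructed:
'cn' holds a handful of prefixes from the bug report, 'ru' and 'ng'
hold hypothetical prefixes so the setlist has three members.
"""
import ipaddress

# (set type, members).  A nethash holds CIDR prefixes; a setlist holds
# the names of other sets, tried in this order by the kernel match.
SETS = {
    "cn": ("nethash", ["175.64.0.0/11", "202.14.235.0/24",
                       "113.11.192.0/19", "121.32.0.0/13"]),
    "ru": ("nethash", ["5.8.0.0/19"]),      # hypothetical contents
    "ng": ("nethash", ["41.58.0.0/16"]),    # hypothetical contents
    "black_setlist": ("setlist", ["cn", "ru", "ng"]),
}


def _hash_contains(members, address):
    """True if address falls inside any CIDR prefix of a nethash."""
    addr = ipaddress.ip_address(address)
    return any(addr in ipaddress.ip_network(m, strict=False) for m in members)


def ipset_test(sets, setname, entry):
    """Model of 'ipset -T SET ENTRY' as observed in ipset 4.2.

    For a nethash the entry is an address and containment is checked.
    For a setlist the entry is compared only against the member set
    names, so an address that lives inside a member set is reported
    as NOT in the setlist.
    """
    kind, members = sets[setname]
    if kind == "setlist":
        return entry in members
    return _hash_contains(members, entry)


def match_set(sets, setname, address, _seen=()):
    """Model of the iptables setlist match: recurse into member sets.

    Each member set is tried in order; the first one containing the
    address is a hit.  _seen guards against a setlist that (directly or
    indirectly) names itself, which would otherwise loop forever.
    """
    if setname in _seen:
        raise ValueError("setlist cycle through %s" % setname)
    kind, members = sets[setname]
    if kind == "setlist":
        return any(match_set(sets, m, address, _seen + (setname,))
                   for m in members)
    return _hash_contains(members, address)


def report(sets, setname, entry):
    """Render both answers in ipset's own 'is in set' / 'is NOT in set' wording."""
    tool = "is" if ipset_test(sets, setname, entry) else "is NOT"
    kernel = "is" if match_set(sets, setname, entry) else "is NOT"
    return ("ipset -T:   %s %s in set %s\n"
            "iptables match: %s %s in set %s" % (entry, tool, setname,
                                                 entry, kernel, setname))


if __name__ == "__main__":
    print(report(SETS, "cn", "202.14.235.87"))
    print(report(SETS, "black_setlist", "202.14.235.87"))
```

Running the block reproduces the report: the address is found in `cn` by both lookups, but for `black_setlist` the `ipset -T` model says NOT in set while the match model says it is, because only the latter looks inside the member sets. Note that `match_set()` is a model of the semantics described in the thread, not a claim about how the kernel module is implemented.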
bugzilla-daemon at bugzilla.netfilter.org
2010-Mar-16  15:53 UTC
[Bug 640] ipset-4.2 : ipset -T <some_setlist> <address> always negative
http://bugzilla.netfilter.org/show_bug.cgi?id=640
jengelh at medozas.de changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
         AssignedTo|netfilter-                  |kadlec at netfilter.org
                   |buglog at lists.netfilter.org  |