bugzilla-daemon at bugzilla.netfilter.org
2011-Jul-24 22:04 UTC
[Bug 729] New: iptables + ipset rules apply but nothing go to the chain
http://bugzilla.netfilter.org/show_bug.cgi?id=729
Summary: iptables + ipset rules apply but nothing go to the chain
Product: iptables
Version: unspecified
Platform: x86_64
OS/Version: Debian GNU/Linux
Status: NEW
Severity: critical
Priority: P2
Component: iptables
AssignedTo: netfilter-buglog at lists.netfilter.org
ReportedBy: onorua at gmail.com
Estimated Hours: 0.0
What I have:
~ # iptables -V
iptables v1.4.12
~ # ipset -V
ipset v6.8, protocol version: 6
~ # uname -r
2.6.39.3-bg
eth1 Link encap:Ethernet HWaddr 00:26:82:03:7c:3e
inet addr:193.43.210.32 Bcast:193.43.210.255 Mask:255.255.255.0
~ # ipset -L iUser
Name: iUser
Type: bitmap:ip,mac
Header: range 193.43.210.10-193.43.210.215
Size in memory: 3408
References: 3
Members:
193.43.210.32,00:26:82:03:7C:3E
What I do:
~ # iptables -p icmp -A INPUT -m set --match-set iUser src -j DROP
Then I run ping from the host, and this is what I get:
~ # iptables -nvL INPUT
Chain INPUT (policy ACCEPT 356 packets, 41541 bytes)
pkts bytes target prot opt in out source destination
0 0 DROP icmp -- * * 0.0.0.0/0 0.0.0.0/0
match-set iUser src
It seems to me that ipset with iptables has stopped working at all. There is nothing
related to this issue in the log files. Please let me know what other info would be
useful and I'll provide it.
--
Configure bugmail: http://bugzilla.netfilter.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are the assignee for the bug.
You are watching all bug changes.
bugzilla-daemon at bugzilla.netfilter.org
2011-Jul-25 09:07 UTC
[Bug 729] iptables + ipset rules apply but nothing go to the chain
http://bugzilla.netfilter.org/show_bug.cgi?id=729
onorua <onorua at gmail.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |onorua at gmail.com
Component|iptables |ip_tables (kernel)
Product|iptables |netfilter/iptables
Version|unspecified |linux-2.6.x
--- Comment #1 from onorua <onorua at gmail.com> 2011-07-25 11:07:25 ---
Forgot to mention, if I do the following:
iptables -A INPUT -s 193.43.210.32 -p icmp -j DROP
and then start pinging the host, the counter is increasing:
~ # iptables -nvL INPUT
Chain INPUT (policy ACCEPT 114 packets, 7790 bytes)
pkts bytes target prot opt in out source destination
0 0 DROP icmp -- * * 0.0.0.0/0 0.0.0.0/0
match-set iUser src
17 1428 DROP icmp -- * * 193.43.210.32 0.0.0.0/0
That means that the iptables functionality is working fine, except for the
iptables+ipset combination.
P.S. I think the component choice was wrong, so I'm changing it to netfilter/iptables.
bugzilla-daemon at bugzilla.netfilter.org
2011-Jul-25 09:57 UTC
[Bug 729] iptables + ipset rules apply but nothing go to the chain
http://bugzilla.netfilter.org/show_bug.cgi?id=729
--- Comment #2 from onorua <onorua at gmail.com> 2011-07-25 11:57:33 ---
I've tried to check the functionality on kernel 3.0.0; the result is the same.
bugzilla-daemon at bugzilla.netfilter.org
2011-Jul-25 10:29 UTC
[Bug 729] iptables + ipset rules apply but nothing go to the chain
http://bugzilla.netfilter.org/show_bug.cgi?id=729
onorua <onorua at gmail.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |RESOLVED
Resolution| |INVALID
--- Comment #3 from onorua <onorua at gmail.com> 2011-07-25 12:29:49 ---
The problem is with ipset: it requires two parameters, such as src,src.
Here is information from man pages:
The bitmap:ip,mac type of sets require two src/dst parameters of the set
match and SET target netfilter kernel modules and the second one must be
src to match, add or delete entries because the set match and SET target
have access to the source MAC address only.
bugzilla-daemon at bugzilla.netfilter.org
2011-Jul-25 18:54 UTC
[Bug 729] iptables + ipset rules apply but nothing go to the chain
http://bugzilla.netfilter.org/show_bug.cgi?id=729
Jozsef Kadlecsik <kadlec at netfilter.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |kadlec at netfilter.org
--- Comment #4 from Jozsef Kadlecsik <kadlec at netfilter.org> 2011-07-25 20:54:54 ---
ipset before 6.x silently accepted a single src for the macipmap type, but that
is not so anymore. With ipset 6.x two direction parameters are required for
bitmap:ip,mac type of sets.
If insufficient direction parameters are specified for any set type, the set
match returns *nomatch* and the SET target does nothing.
Best regards,
Jozsef
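A small pre-flight check for the pitfall in comments #3 and #4, added here as an example and not part of the bug thread or of ipset/iptables: given the set's type string (as printed by ipset -L under "Type:") and the direction list passed to --match-set, it reports when the set match can only ever return nomatch. The function names set_dimensions and check_match_set are invented for this example.

```sh
#!/bin/sh
# Added example: lint "-m set --match-set NAME DIRS" against the set type.
# Both functions are hypothetical helpers written for this example.

# Count the comma-separated dimensions of an ipset type name,
# e.g. "bitmap:ip,mac" -> 2, "hash:ip" -> 1, "hash:ip,port,net" -> 3.
set_dimensions() {
    echo "$1" | awk -F: '{ n = split($2, a, ","); print n }'
}

# Compare the direction list with the set type. Prints a diagnostic and
# returns 1 when the rule cannot match (fewer directions than dimensions,
# as described in comment #4), prints "ok" and returns 0 otherwise.
check_match_set() {
    stype="$1"; dirs="$2"
    want=$(set_dimensions "$stype")
    have=$(echo "$dirs" | awk -F, '{ print NF }')
    if [ "$have" -lt "$want" ]; then
        echo "insufficient direction parameters for $stype: got $have, need $want (set match returns nomatch)"
        return 1
    fi
    # bitmap:ip,mac: the kernel modules only see the source MAC, so the
    # second direction must be src (ipset(8), quoted in comment #3).
    case "$stype" in
        bitmap:ip,mac)
            second=$(echo "$dirs" | awk -F, '{ print $2 }')
            if [ "$second" != "src" ]; then
                echo "bitmap:ip,mac requires the second direction to be src, got $second"
                return 1
            fi
            ;;
    esac
    echo ok
    return 0
}

# Demo: the rule from the report (expected to fail) and the corrected one.
check_match_set bitmap:ip,mac src || true
check_match_set bitmap:ip,mac src,src
```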