bugzilla-daemon at netfilter.org
2013-Aug-13 00:27 UTC
[Bug 842] New: Addition of iptables rule referencing an ipset of the wrong address family does not fail
https://bugzilla.netfilter.org/show_bug.cgi?id=842
Summary: Addition of iptables rule referencing an ipset of the wrong address family does not fail
Product: ipset
Version: unspecified
Platform: All
OS/Version: All
Status: NEW
Severity: normal
Priority: P5
Component: default
AssignedTo: netfilter-buglog at lists.netfilter.org
ReportedBy: quentin at armitage.org.uk
Estimated Hours: 0.0
I can add an iptables rule that references an ipset of the wrong address family, which doesn't seem sensible.
For example:
ipset create foo hash:ip family inet
ip6tables -A foo_chain -m set --match-set foo src -j LOG
or
ipset create foo6 hash:ip family inet6
iptables -A foo_chain -m set --match-set foo6 src -j LOG
or even more bizarrely:
ipset create foo hash:ip family inet
ipset add foo 1.2.3.4
ip6tables -A foo_chain -s 2001:35:1:2:3:4:5:6 -m set --match-set foo src -j LOG
--
Configure bugmail: https://bugzilla.netfilter.org/userprefs.cgi?tab=email
------- You are receiving this mail because: -------
You are watching all bug changes.
bugzilla-daemon at netfilter.org
2013-Aug-13 08:35 UTC
[Bug 842] Addition of iptables rule referencing an ipset of the wrong address family does not fail
https://bugzilla.netfilter.org/show_bug.cgi?id=842
--- Comment #1 from Quentin Armitage <quentin at armitage.org.uk> 2013-08-13 10:35:41 CEST ---
There is also the following scenario, which clearly cannot achieve anything:
# ipset create foo4 hash:ip family inet netmask 24
# ipset add foo4 192.0.2.0    # This step isn't necessary
# ip6tables -I OUTPUT -m set ! --match-set foo4 dst -j SET --add-set foo4 dst
or I suppose even more simply:
# ip6tables -I OUTPUT -j SET --add-set foo4 dst
bugzilla-daemon at netfilter.org
2013-Aug-14 13:58 UTC
[Bug 842] Addition of iptables rule referencing an ipset of the wrong address family does not fail
https://bugzilla.netfilter.org/show_bug.cgi?id=842
Jozsef Kadlecsik <kadlec at netfilter.org> changed:
           What    |Removed                     |Added
----------------------------------------------------------------------------
         Status    |NEW                         |RESOLVED
             CC    |                            |kadlec at netfilter.org
     Resolution    |                            |WONTFIX
--- Comment #2 from Jozsef Kadlecsik <kadlec at netfilter.org> 2013-08-14 15:58:01 CEST ---
That is so because of the "list:set" type, where the member sets can be of any family type and also the members can be changed anytime. In other words, one cannot verify the INET family at all.
For the other set types the family checking could be added only by changing the
protocol. If you think this is a serious issue, please reopen the bugreport.
bugzilla-daemon at netfilter.org
2013-Aug-17 19:51 UTC
[Bug 842] Addition of iptables rule referencing an ipset of the wrong address family does not fail
https://bugzilla.netfilter.org/show_bug.cgi?id=842
--- Comment #3 from Jozsef Kadlecsik <kadlec at netfilter.org> 2013-08-17 21:51:02 CEST ---
I have checked the iptables source tree: for family-independent matches/targets the actual family is not passed to the match/target functions. So the functions cannot know whether iptables or ip6tables called them. The issue cannot be fixed without iptables core modifications.
bugzilla-daemon at netfilter.org
2013-Aug-17 20:06 UTC
[Bug 842] Addition of iptables rule referencing an ipset of the wrong address family does not fail
https://bugzilla.netfilter.org/show_bug.cgi?id=842
--- Comment #4 from Quentin Armitage <quentin at armitage.org.uk> 2013-08-17 22:06:04 CEST ---
(In reply to comment #3)
> I have checked the iptables source tree: for family-independent matches/targets
> the actual family is not passed to the match/target functions. So the functions
> cannot know whether iptables or ip6tables called them. The issue cannot be
> fixed without iptables core modifications.

I don't think it's worth a great deal of hassle about this from a coding perspective, but it might be worth making mention of this in an appropriate man page so users are aware that some things they can do won't work.
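The thread's conclusion (comments #2 and #3) is that neither ipset nor the kernel-side set match can reject a rule whose address family differs from the set's, so the only place to catch the mistake is in userspace before the ruleset is loaded. The script below is an added example and is not part of the bug report or of the ipset/iptables projects. It reads the text that `ipset list -t` (header-only listing) and `iptables-save` / `ip6tables-save` produce, here embedded as constructed samples that reproduce the rules from the report, and flags every `--match-set`, `--add-set` or `--del-set` reference whose set family does not match the ruleset's family. Sets whose header carries no family (list:set, bitmap:port) are reported as unverifiable rather than guessed at, which is exactly the limitation comment #2 describes. In real use the three constants would be replaced by the output of the corresponding commands.

```python
import re
from typing import Dict, List, Tuple

# Constructed sample of `ipset list -t` output (terse: headers only, no members).
# Set names mirror the ones in the bug report; "mixed" is a list:set.
IPSET_LIST_T = """\
Name: foo
Type: hash:ip
Header: family inet hashsize 1024 maxelem 65536

Name: foo6
Type: hash:ip
Header: family inet6 hashsize 1024 maxelem 65536

Name: foo4
Type: hash:ip
Header: family inet netmask 24 hashsize 1024 maxelem 65536

Name: mixed
Type: list:set
Header: size 8
"""

# Constructed samples of `iptables-save` (IPv4) and `ip6tables-save` (IPv6) output.
IPTABLES_SAVE = """\
*filter
:OUTPUT ACCEPT [0:0]
:foo_chain - [0:0]
-A foo_chain -m set --match-set foo6 src -j LOG
-A foo_chain -m set --match-set foo src -j LOG
COMMIT
"""

IP6TABLES_SAVE = """\
*filter
:OUTPUT ACCEPT [0:0]
:foo_chain - [0:0]
-A OUTPUT -m set ! --match-set foo4 dst -j SET --add-set foo4 dst
-A OUTPUT -j SET --add-set foo4 dst
-A foo_chain -s 2001:35:1:2:3:4:5:6/128 -m set --match-set foo src -j LOG
-A foo_chain -m set --match-set mixed src -j LOG
-A foo_chain -m set --match-set foo6 src -j ACCEPT
COMMIT
"""

# Set references made by the `set` match and the `SET` target.
SET_REF = re.compile(r"--(?:match-set|add-set|del-set)\s+(\S+)")


def parse_ipset_list(text: str) -> Dict[str, Tuple[str, str]]:
    """Map set name -> (type, family). family is "" when the Header line
    has none: list:set (members may be of either family) and bitmap:port."""
    sets: Dict[str, Tuple[str, str]] = {}
    name, typ = None, ""
    for line in text.splitlines():
        key, sep, value = line.partition(": ")
        if not sep:
            continue
        if key == "Name":
            name, typ = value, ""
        elif key == "Type":
            typ = value
        elif key == "Header" and name is not None:
            m = re.search(r"\bfamily (inet6?)\b", value)
            sets[name] = (typ, m.group(1) if m else "")
    return sets


def check_rules(save_text: str, family: str,
                sets: Dict[str, Tuple[str, str]]) -> List[Tuple[str, str, str]]:
    """Return (verdict, set_name, rule) for each set reference in a *-save dump.
    family is "inet" for iptables-save and "inet6" for ip6tables-save.
    verdict is ok | mismatch | unknown (no such set) | unverifiable (no family)."""
    findings = []
    for line in save_text.splitlines():
        if not line.startswith("-A "):
            continue
        for name in SET_REF.findall(line):
            if name not in sets:
                verdict = "unknown"
            else:
                _typ, fam = sets[name]
                verdict = ("unverifiable" if fam == "" else
                           "ok" if fam == family else "mismatch")
            findings.append((verdict, name, line))
    return findings


def main() -> int:
    """Print every non-ok reference; exit 1 if any family mismatch was found."""
    sets = parse_ipset_list(IPSET_LIST_T)
    mismatches = 0
    for fam, dump in (("inet", IPTABLES_SAVE), ("inet6", IP6TABLES_SAVE)):
        for verdict, name, rule in check_rules(dump, fam, sets):
            if verdict != "ok":
                mismatches += verdict == "mismatch"
                print(f"{fam}: {verdict}: set '{name}' in rule: {rule}")
    return 1 if mismatches else 0


if __name__ == "__main__":
    raise SystemExit(main())
```

Run as a pre-commit or pre-restore step, the exit status lets a firewall reload abort instead of installing rules that can never match or that silently fail to populate a set, as in the `ip6tables ... -j SET --add-set foo4 dst` case from comment #1.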