bugzilla-daemon at netfilter.org
2016-Dec-09 09:20 UTC
[Bug 1101] New: SET target unreliable in iptables - add does not work as expected
bugzilla.netfilter.org/show_bug.cgi?id=1101

            Bug ID: 1101
           Summary: SET target unreliable in iptables - add does not work as expected
           Product: netfilter/iptables
           Version: unspecified
          Hardware: x86_64
                OS: Debian GNU/Linux
            Status: NEW
          Severity: major
          Priority: P5
         Component: ip_tables (kernel)
          Assignee: netfilter-buglog at lists.netfilter.org
          Reporter: koetter at luis.uni-hannover.de

Created attachment 486
  --> bugzilla.netfilter.org/attachment.cgi?id=486&action=edit
iptables -nvL special-unused:filter

I'm on Debian Jessie,
Linux <> 3.16.0-4-amd64 #1 SMP Debian 3.16.36-1+deb8u2 (2016-10-19) x86_64 GNU/Linux
iptables v1.4.21
ipset v6.23, protocol version: 6

I use the ipset SET target to create dynamic lists of addresses to block.

The problem: the SET target fails in ~50% of the cases to add an address properly. A subsequent match on the ipset fails - the address is not added to the set.

To provide an example, I modified my rules to add & match subsequently - one would expect the counters to match, but they do not. It is possible to verify that an address is not added to the set using the ipset userspace tool as well.

The ipset has about 20k entries; adding via the ipset CLI always works as expected.

The machine I'm working on handles quite some traffic - so it may be a race condition and hard to reproduce.

--
You are receiving this mail because:
You are watching all bug changes.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <lists.netfilter.org/pipermail/netfilter-buglog/attachments/20161209/25862658/attachment.html>
bugzilla-daemon at netfilter.org
2016-Dec-10 15:16 UTC
[Bug 1101] SET target unreliable in iptables - add does not work as expected
bugzilla.netfilter.org/show_bug.cgi?id=1101

Jozsef Kadlecsik <kadlec at netfilter.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |kadlec at netfilter.org
             Status|NEW                         |ASSIGNED

--- Comment #1 from Jozsef Kadlecsik <kadlec at netfilter.org> ---
What parameters did you use when creating the set in question? I.e. what are the hash size and maxelem parameters of the set?
bugzilla-daemon at netfilter.org
2016-Dec-12 06:51 UTC
[Bug 1101] SET target unreliable in iptables - add does not work as expected
bugzilla.netfilter.org/show_bug.cgi?id=1101

--- Comment #2 from Markus Kötter <koetter at luis.uni-hannover.de> ---
I do not see any parameters getting passed to "ipset create" when creating.

According to "ipset save",

  create blocked:host:dynamisch:net hash:net family inet hashsize 2048 maxelem 65536 timeout 0

is used.
bugzilla-daemon at netfilter.org
2016-Dec-12 07:00 UTC
[Bug 1101] SET target unreliable in iptables - add does not work as expected
bugzilla.netfilter.org/show_bug.cgi?id=1101

--- Comment #3 from Markus Kötter <koetter at luis.uni-hannover.de> ---
Created attachment 487
  --> bugzilla.netfilter.org/attachment.cgi?id=487&action=edit
Rule hit counters after some runtime.

The rules had some runtime; it seems like the numbers get worse over time:

  18636 / 193k  ~ 9%
  7843K / 19M   ~ 40%
  0     / 50128 ~ 0%
  338   / 758k  ~ 0.0004%
  0     / 14585 ~ 0%
  15    / 168k  ~ 0.00008%
bugzilla-daemon at netfilter.org
2016-Dec-17 13:46 UTC
[Bug 1101] SET target unreliable in iptables - add does not work as expected
bugzilla.netfilter.org/show_bug.cgi?id=1101

Jozsef Kadlecsik <kadlec at netfilter.org> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
             Status|ASSIGNED                    |RESOLVED
         Resolution|---                         |INVALID

--- Comment #4 from Jozsef Kadlecsik <kadlec at netfilter.org> ---
This is the expected behaviour and documented in the manpage:

"In order to avoid clashes in the hash, a limited number of chaining, and if that is exhausted, the doubling of the hash size is performed when adding entries by the ipset command. When entries added by the SET target of iptables/ip6tables, then the hash size is fixed and the set won't be duplicated, even if the new entry cannot be added to the set."

You have to create the set with a proper hashsize parameter if the elements are added by the SET target.
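The mechanism behind Comment #4, as an added illustration that is not part of the bug thread and not ipset's own code: a hash set whose buckets hold a bounded chain of entries. The userspace "ipset add" path doubles the hash when a chain is exhausted; the kernel SET target cannot resize, so the add fails and the entry is silently missing on the next match, exactly the add-then-match counter mismatch the reporter saw. BUCKET_CAPACITY, the SHA-256 bucket function, the growth cap and the generated addresses are assumptions chosen to make the effect visible; the real kernel structure differs in detail. The third run shows the remedy from Comment #4: creating the set with a hashsize that fits the expected ~20k entries.

```python
"""Toy model of an ipset hash:net set: fixed-size hash with bounded chaining.

Added example, not ipset code. Constants and the hash function are assumptions.
"""
import hashlib
import random

BUCKET_CAPACITY = 4      # assumed max chain length per bucket
MAX_HASHSIZE = 1 << 20   # assumed cap on doubling in the userspace-style path


class HashSet:
    """grow=True models `ipset add` (hash doubles when a chain is exhausted);
    grow=False models `-j SET --add-set`, where the kernel cannot resize the
    set and the add fails instead."""

    def __init__(self, hashsize, maxelem, grow):
        self.hashsize = hashsize          # must be a power of two
        self.maxelem = maxelem
        self.grow = grow
        self.buckets = [[] for _ in range(hashsize)]
        self.count = 0

    def _bucket(self, key, hashsize=None):
        digest = hashlib.sha256(key.encode()).digest()
        return int.from_bytes(digest[:8], "big") & ((hashsize or self.hashsize) - 1)

    def _rehash(self):
        """Double the hash and redistribute every entry (the `ipset add` path)."""
        new_size = self.hashsize * 2
        new_buckets = [[] for _ in range(new_size)]
        for bucket in self.buckets:
            for key in bucket:
                new_buckets[self._bucket(key, new_size)].append(key)
        self.hashsize, self.buckets = new_size, new_buckets

    def add(self, key):
        """Return True if the entry is in the set afterwards, False if it was dropped."""
        bucket = self.buckets[self._bucket(key)]
        if key in bucket:
            return True
        if self.count >= self.maxelem:
            return False
        while len(bucket) >= BUCKET_CAPACITY:
            if not self.grow or self.hashsize >= MAX_HASHSIZE:
                return False              # SET target: chain full, entry lost
            self._rehash()
            bucket = self.buckets[self._bucket(key)]
        bucket.append(key)
        self.count += 1
        return True

    def test(self, key):
        return key in self.buckets[self._bucket(key)]


def random_networks(n, seed=1):
    """Constructed sample data: n distinct random host and /24 entries."""
    rng = random.Random(seed)
    nets = set()
    while len(nets) < n:
        a, b, c = rng.randrange(1, 224), rng.randrange(256), rng.randrange(256)
        if rng.random() < 0.2:
            nets.add(f"{a}.{b}.{c}.0/24")
        else:
            nets.add(f"{a}.{b}.{c}.{rng.randrange(1, 255)}")
    return sorted(nets)


def add_and_match(hashsize, maxelem, grow, entries):
    """Mimic the reporter's rule pair: add each entry, then match on it.
    Returns (added_fraction, matched_fraction, final_hashsize)."""
    s = HashSet(hashsize, maxelem, grow)
    added = sum(s.add(e) for e in entries)
    matched = sum(s.test(e) for e in entries)
    return added / len(entries), matched / len(entries), s.hashsize


if __name__ == "__main__":
    entries = random_networks(20000)
    runs = (("SET target, hashsize 2048", 2048, False),
            ("ipset add, hashsize 2048 (grows)", 2048, True),
            ("SET target, hashsize 65536", 65536, False))
    for label, size, grow in runs:
        added, matched, final = add_and_match(size, 65536, grow, entries)
        print(f"{label:34s} added {added:6.1%}  matched {matched:6.1%}  final hashsize {final}")
```

With hashsize 2048 and four entries per bucket the model can hold at most 8192 of the 20000 entries on the fixed-size path, so more than half of the adds fail and the match counters lag the add counters, as in the attached rule listing; the growing path accepts everything, and a set created with a large enough hashsize accepts essentially everything on the fixed path too. Operationally, the check is "ipset list -t <set>" after some runtime: if Number of entries is close to hashsize times the chain bound, the set was created too small for SET-target use.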