bugzilla-daemon at netfilter.org
2020-Nov-15 15:27 UTC
[Bug 1482] New: adjacent /31 IPs in ipset
https://bugzilla.netfilter.org/show_bug.cgi?id=1482

            Bug ID: 1482
           Summary: adjacent /31 IPs in ipset
           Product: nftables
           Version: unspecified
          Hardware: x86_64
                OS: other
            Status: NEW
          Severity: normal
          Priority: P5
         Component: kernel
          Assignee: pablo at netfilter.org
          Reporter: martin at netconfigs.com

CentOS Linux release 8.2.2004 (Core)
4.18.0-193.19.1.el8_2.x86_64
configured using firewalld

Apparently, a subtle bug when an ipset contains individual IPv4 addresses where two are adjacent in a /31:

set larcs4 {
    type ipv4_addr
    flags interval
    elements = { ..., 82.152.159.40, 82.152.159.41, ... }
}

The membership of the ipset is used to allow access to 5071/tcp:

chain filter_IN_public_allow {
    ip saddr @larcs4 tcp dport 5071 ct state { new, untracked } accept
}

In this scenario, packets from the earlier IP are accepted; however, packets from the latter IP are rejected:

15:15:58.658139 IP 82.152.159.41.48327 > 51.195.193.238.5071: Flags [S], seq 3108250724, win 29200, options [mss 1460,sackOK,TS val 1250822659 ecr 0,nop,wscale 7], length 0
15:15:58.658180 IP 51.195.193.238 > 82.152.159.41: ICMP host 51.195.193.238 unreachable - admin prohibited filter, length 68

If I remove the earlier IP:

nft delete element inet firewalld larcs4 { 82.152.159.40 }

then packets from the latter IP are accepted.

-- 
You are receiving this mail because:
You are watching all bug changes.
bugzilla-daemon at netfilter.org
2021-Jan-22 18:30 UTC
[Bug 1482] adjacent /31 IPs in ipset
https://bugzilla.netfilter.org/show_bug.cgi?id=1482

Martin Meadows <martin at netconfigs.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
         Resolution|---                         |INVALID
             Status|NEW                         |RESOLVED

--- Comment #1 from Martin Meadows <martin at netconfigs.com> ---
My bad - I should have used firewall-cmd to create the ipset as type hash:ip, not hash:net.
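The situation the report describes, as an added offline check (not code from the bug report, firewalld or nftables): it parses an nft set definition, flags element pairs that share one /31 when the set carries the interval flag, and shows the same set without that flag. It assumes firewalld renders a hash:net ipset as an nft set with "flags interval" and a hash:ip ipset as one without; the set text is constructed from the two addresses in the report plus one invented address (198.51.100.7) for contrast.

```python
import ipaddress
import re

# Constructed sample modelled on the set in the bug report. The report's
# elided elements ("...") are dropped; 198.51.100.7 is made up for contrast.
SAMPLE_SET = """set larcs4 {
    type ipv4_addr
    flags interval
    elements = { 82.152.159.40, 82.152.159.41, 198.51.100.7 }
}
"""

def parse_set(text):
    """Return (set of flags, sorted list of element addresses)."""
    m = re.search(r"^\s*flags\s+([^\n]+)", text, re.MULTILINE)
    flags = {f.strip() for f in m.group(1).split(",")} if m else set()
    m = re.search(r"elements\s*=\s*\{([^}]*)\}", text)
    if not m:
        raise ValueError("no elements block found")
    elems = [e.strip() for e in m.group(1).split(",") if e.strip()]
    # Only plain addresses are handled; prefixes and ranges are out of scope here.
    return flags, sorted(ipaddress.ip_address(e) for e in elems)

def adjacent_pairs(addrs):
    """Consecutive addresses that share one /31, i.e. differ only in bit 0."""
    return [(lo, hi) for lo, hi in zip(addrs, addrs[1:]) if int(lo) ^ int(hi) == 1]

def check_set(text):
    """Report each /31 pair found in a set that carries the interval flag."""
    flags, addrs = parse_set(text)
    if "interval" not in flags:
        return []
    findings = []
    for lo, hi in adjacent_pairs(addrs):
        net = ipaddress.ip_network(f"{lo}/31")  # lo is the even address
        findings.append(f"{lo} and {hi} are adjacent in {net}")
    return findings

def as_hash_ip(text):
    """Drop 'flags interval': assumed rendering of the same set as hash:ip."""
    return re.sub(r"^\s*flags\s+interval\s*\n", "", text, flags=re.MULTILINE)

if __name__ == "__main__":
    for finding in check_set(SAMPLE_SET):
        print("warning:", finding)
    print(as_hash_ip(SAMPLE_SET))
```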