bugzilla-daemon at netfilter.org
2023-Oct-25 09:20 UTC
[Bug 1719] New: ipset wrongly blocking undefined ranges and not blocking ranges that are defined
https://bugzilla.netfilter.org/show_bug.cgi?id=1719
Bug ID: 1719
Summary: ipset wrongly blocking undefined ranges and not
blocking ranges that are defined
Product: ipset
Version: unspecified
Hardware: All
OS: RedHat Linux
Status: NEW
Severity: critical
Priority: P5
Component: default
Assignee: netfilter-buglog at lists.netfilter.org
Reporter: raymi.coevan at gmail.com
Created attachment 727
--> https://bugzilla.netfilter.org/attachment.cgi?id=727&action=edit
ipset blacklist (1881 entries)
As the used version is not available in the version list above: ipset v6.29, protocol
version: 6. OS is CentOS (RHEL).
$ ipset -L -n
blacklist
$ ipset -L -t
Name: blacklist
Type: hash:net
Revision: 6
Header: family inet hashsize 1024 maxelem 65536
Size in memory: 57600
References: 1
Number of entries: 1881
$ ipset test blacklist 108.174.0.158
108.174.0.158 is in set blacklist.
$ ipset test blacklist 108.174.1.10
108.174.1.10 is in set blacklist.
$ ipset test blacklist 108.174.8.95
108.174.8.95 is in set blacklist.
The IP addresses tested above are not defined in the blacklist but are nevertheless blocked.
$ ipset test blacklist 108.174.8.95
108.174.8.95 is in set blacklist.
Now, on the opposite:
$ ipset test blacklist 203.55.21.150
203.55.21.150 is NOT in set blacklist.
However, it is defined via 203.55.21.0/24 and is NOT blocked, which is critical.
Attached is the /etc/sysconfig/ipset blacklist.
--
You are receiving this mail because:
You are watching all bug changes.
-------------- next part --------------
An HTML attachment was scrubbed...
URL:
<http://lists.netfilter.org/pipermail/netfilter-buglog/attachments/20231025/bbf5c9bf/attachment.html>
bugzilla-daemon at netfilter.org
2023-Oct-25 10:18 UTC
[Bug 1719] ipset wrongly blocking undefined ranges and not blocking ranges that are defined
https://bugzilla.netfilter.org/show_bug.cgi?id=1719
Jozsef Kadlecsik <kadlec at netfilter.org> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |kadlec at netfilter.org
--- Comment #1 from Jozsef Kadlecsik <kadlec at netfilter.org> ---
ipset v6.29 was released in 2016, please upgrade. All the packages which are
available at https://ipset.netfilter.org/ support old kernel versions as well.
(But you have to compile both the kernel modules and the tool too.)
bugzilla-daemon at netfilter.org
2023-Oct-25 11:49 UTC
[Bug 1719] ipset wrongly blocking undefined ranges and not blocking ranges that are defined
https://bugzilla.netfilter.org/show_bug.cgi?id=1719
--- Comment #2 from Raymi <raymi.coevan at gmail.com> ---
The repo I'm depending on unfortunately declares this version as the latest. I won't be authorized to compile specific sources on this production machine, but knowing that the kernel version is 5.10 I could find a workaround by installing the ipset-7.1-1.el7.x86_64.rpm.
Before bypassing internal policies, do you confirm that version 7.1.1 solves the issue?
bugzilla-daemon at netfilter.org
2023-Oct-25 12:50 UTC
[Bug 1719] ipset wrongly blocking undefined ranges and not blocking ranges that are defined
https://bugzilla.netfilter.org/show_bug.cgi?id=1719
--- Comment #3 from Jozsef Kadlecsik <kadlec at netfilter.org> ---
You have a mistyping in your set:
add blacklist 103.24.200.0/2
is equivalent to
add blacklist 64.0.0.0/2
and it explains the "ghost" matches.
In my test environment, loading your set definition, I get
# ipset t blacklist 203.55.21.150
Warning: 203.55.21.150 is in set blacklist.
Please verify your set content.
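An added example, not part of the bug thread or of the ipset project: a small offline lint for an ipset restore file that flags entries whose host bits are non-zero (the `/2` typo from Comment #3 masks to `64.0.0.0/2`) and lists which entries would match a given address, so "ghost" matches can be traced to the offending line before the set is loaded. The sample file content is constructed; the `/2` line reproduces the typo, the other entries are made up.

```python
import ipaddress

# Constructed sample in /etc/sysconfig/ipset restore format. The /2 entry
# reproduces the typo from the thread; the remaining entries are made up.
SAMPLE_IPSET_FILE = """\
create blacklist hash:net family inet hashsize 1024 maxelem 65536
add blacklist 103.24.200.0/2
add blacklist 203.55.21.0/24
add blacklist 198.51.100.7
"""


def _add_lines(text):
    """Yield the (set_name, element) pairs from 'add' lines of a restore file."""
    for line in text.splitlines():
        parts = line.split()
        if len(parts) >= 3 and parts[0] == "add":
            yield parts[1], parts[2]


def misaligned_entries(text):
    """Return (as_written, as_stored) for every CIDR entry with host bits set.

    A hash:net set masks the address with the prefix, so 103.24.200.0/2 is
    stored as 64.0.0.0/2 and matches a quarter of IPv4 space.
    """
    found = []
    for _, element in _add_lines(text):
        if "/" not in element:
            continue  # single hosts are always aligned
        try:
            ipaddress.ip_network(element, strict=True)
        except ValueError:
            stored = ipaddress.ip_network(element, strict=False)
            found.append((element, str(stored)))
    return found


def matching_entries(text, ip):
    """Return the stored networks that contain ip, mirroring 'ipset test'."""
    addr = ipaddress.ip_address(ip)
    nets = (ipaddress.ip_network(e, strict=False) for _, e in _add_lines(text))
    return [str(net) for net in nets if addr in net]


if __name__ == "__main__":
    for written, stored in misaligned_entries(SAMPLE_IPSET_FILE):
        print(f"misaligned: {written} is stored as {stored}")
    print("108.174.0.158 matched by", matching_entries(SAMPLE_IPSET_FILE, "108.174.0.158"))
```

Run it against the real restore file by replacing `SAMPLE_IPSET_FILE` with the file's contents; any entry reported as misaligned should be corrected (here `/2` to `/24`) before `ipset restore` is run.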
bugzilla-daemon at netfilter.org
2023-Oct-28 13:50 UTC
[Bug 1719] ipset wrongly blocking undefined ranges and not blocking ranges that are defined
https://bugzilla.netfilter.org/show_bug.cgi?id=1719
Raymi <raymi.coevan at gmail.com> changed:
What |Removed |Added
----------------------------------------------------------------------------
Status|NEW |RESOLVED
Resolution|--- |INVALID
--- Comment #4 from Raymi <raymi.coevan at gmail.com> ---
My apologies, you are definitely right.
I have corrected this entry as well as another one that was incorrectly set.
Thanks for your help and sorry again.