search for: nethash

...20060508 Unfortunately I had to use ipset on a stock CentOS 4.3-kernel (which is 2.6.9-34.0.1.EL with iptables 1.2.1-somepatchlevel as of writing). So I did backport ipset carefully - and it usually seems to work fine, if you just create one hash and add/delete ips/networks to/from it. I was using nethash. But stresstesting ipset seems to crash the kernel. I had to do only 3-5 runs of the following sequence to crash it repeatedly: # only needed initially - create hash1 (nethash) # needed per each run - create hash1_tmp (nethash) - adding networks to hash1_tmp - swap hash1 and hash1_tmp - destroy h...

...onent: default AssignedTo: netfilter-buglog at lists.netfilter.org ReportedBy: brendlerjg at gmail.com I have been using ipsets for years, but am attempting to implement a setlist for the first time, using version 4.2. I have created a setlist, including three ipsets (all of type nethash). I am trying to validate that it works before incorporating into my firewall. When I use 'ipset -T' to test whether a given address is included in one of the nethashes, I get a positive response (that it IS in the set). However, when I use ipset -T against the setlist itself, I get a ne...

...untries.txt ]; then rm /tmp/countries.txt fi for country in $CountryList; do curl -o /tmp/$country.txt http://www.ipdeny.com/ipblocks/data/aggregated/$country-aggregated.zone cat /tmp/$country.txt >> /tmp/countries.txt done getnetblocks() { cat <<EOF # Generated by ipset -N geotmp nethash --hashsize 1024 --probes 4 --resize 20 EOF cat /tmp/countries.txt|egrep '^[0-9]'|egrep '/' |sed -e "s/^/-A geotmp /" } getnetblocks > /tmp/cnblock.txt sudo ipset -! -R < /tmp/cnblock.txt sudo ipset -W geotmp COUNTRIES-BLOCK sudo ipset -X geotmp rm /tmp/cnblock.txt

https://bugzilla.netfilter.org/bugzilla/show_bug.cgi?id=485 ------- Additional Comments From bugzilla.netfilter@neufeind.net 2006-06-06 02:00 MET ------- I tried to track down the problem meanwhile. It turns out that e.g. in a row of roughly 480 "ipset -A" (nethash) in a row the system once hangs at around 300 executed statements while it hangs around 370 the next time. So this does not seem to be reproducable. But I did the same tries on an otherwise identical i386-system with the same centos-libraries etc - just recompiled the ipset-libs I added/backported...

On Mon, Jan 14, 2019 at 07:29:45AM +0000, Phil Perry (pperry at elrepo.org) wrote: > On 14/01/2019 07:09, Jobst Schmalenbach wrote: > > Hi > I use ipdeny's aggregated country lists to do the same thing: > > http://www.ipdeny.com/ipblocks/data/aggregated/ > > I just feed this data directly into ipset/iptables via a script running on > my firewall (not a C6 box).

...be sure to "shorewall save" after altering the blacklist ipset(s). Example /etc/shorewall/blacklist: #ADDRESS/SUBNET PROTOCOL PORT +Blacklist[2] +Blacklistnets[2] Create the blacklist ipsets using: ipset -N Blacklist iphash ipset -N Blacklistnets nethash Add entries ipset -A Blacklist 206.124.146.177 ipset -A Blacklistnets 206.124.146.0/24 To allow entries for individual ports ipset -N SMTP portmap --from 1 --to 31 ipset -A SMTP 25 ipset -A Blacklist 206.124.146.177 ipset -B Blacklist 206.124.146...