Mr Dash Four <mr.dash.four@xxxxxxxxxxxxxx> wrote:

> 1. ipset bug - "ipset --help" produces multiples of hash:ip,port,net, hash:net,iface, hash:net,port & hash:net. Executing "ipset --help" gives me this:
> Supported set types:
> list:set
> hash:ip,port,net
> hash:ip,port,net
> hash:ip,port,net
> hash:ip,port,ip
> hash:ip,port
> hash:net,iface
> hash:net,iface
> hash:net,port
> hash:net,port
> hash:net,port
> hash:net
> hash:net
> hash:net
> hash:ip
> bitmap:port
> bitmap:ip,mac
> bitmap:ip
>
> 2. tc ematch bug
> tc filter add dev ifb0 protocol ip parent f:0 prio 10\
> basic match (ipset'(set1 src,src,dst)' or ipset'(set2 dst,src,src)' or ipset'(set3 src,dst)') and ipset'(set4 src,src)'\
> flowid f:38
>
> produces the following error: syntax error near unexpected token `('

Probably from your shell?

Escaping the outer ( ) via \ works for me:

.. match \(ipset'(set1 src,src,dst)' or ipset'(set2 dst,src,src)' or ipset'(set3 \
src,dst)'\) and ipset'(set4 src,src)' flowid ...

$ tc filter show dev ifb0
filter parent ffff: protocol ip pref 10 basic handle 0x1 flowid f:38
  ( ipset(set1 src,src,dst) OR ipset(set2 dst,src,src) OR ipset(set3 src,dst) ) AND ipset(set4 src,src)

> 3. Numerous tc ematch ipset bugs:

Well, I did warn you :-)

> 3.1. bitmap:port can't produce any matches
>
> ipset n b_test-port bitmap:port range 22-22 timeout 0
> ipset a b_test-port 22
>
> tc filter add dev ifb0 protocol ip parent f:0 prio 14\
> basic match ipset'(b_test-port src)'\
> flowid f:26
>
> produces no matches. This is also true when port match is present in an "and" | "or" logical expression, like ipset'(b_ssh-host src)' and ipset'(b_ssh-port src)'

True. The bug is that classifiers run with skb->data pointing to the L2 header, but netfilter starts with skb->data pointing to the L3 header.

Please, consider re-testing with this patchlet:

diff --git a/net/sched/em_ipset.c b/net/sched/em_ipset.c index 0a153d0..13ec7b6 100644 --- a/net/sched/em_ipset.c +++ b/net/sched/em_ipset.c
@@ -56,6 +56,7 @@ static int em_ipset_match(struct sk_buff *skb, struct tcf_ematch *em, struct ip_set_adt_opt opt; struct xt_action_param acpar; const struct xt_set_info *set = (const void *) em->data; + int ret, network_offset; switch (skb->protocol) { case htons(ETH_P_IP): @@ -84,7 +85,12 @@ static int em_ipset_match(struct sk_buff *skb, struct tcf_ematch *em, opt.flags = set->flags; opt.cmdflags = 0; opt.timeout = ~0u; - return ip_set_test(set->index, skb, &acpar, &opt); + + network_offset = skb_network_offset(skb); + skb_pull(skb, network_offset); + ret = ip_set_test(set->index, skb, &acpar, &opt); + skb_push(skb, network_offset); + return ret; }

> 3.2. hash:ip,port produces no matches:
>
> ipset n h_test-hosts hash:ip,port family inet timeout 0 hashsize 64
> ipset a h_test-hosts 10.1.1.7,tcp:22
>
> tc filter add dev ifb0 protocol ip parent f:0 prio 21\
> basic match ipset'(h_test-hosts src,src)'\
> flowid f:33

Haven't tried this, but anything trying to access transport headers won't work due to the bug above.

Thanks for testing!

Florian
--
To unsubscribe from this list: send the line "unsubscribe lartc" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
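Review bot: the skb_pull()/skb_push() pair around ip_set_test() in the second hunk needs a comment stating why em_ipset moves skb->data at all; the reason given in the reply (classifiers see skb->data at the L2 header, ip_set_test() expects it at the L3 header) is not visible from the code, and other ematches do not do this, so a future reader will otherwise take it for a mistake. The return value of `skb_pull(skb, network_offset);` is also dropped; skb_network_offset() lies within the skb by construction here, so either say so in the same comment or check the result, rather than leave the reviewer to work it out. Minor: in the first hunk `int ret, network_offset;` would read better as two declarations, matching the one-per-line style of the surrounding locals.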
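An added userspace sketch (not code from this thread or from the kernel) of the header-offset mismatch Florian describes under 3.1: a matcher that, like ip_set_test(), expects skb->data at the IPv4 header sees nothing usable when the classifier hands it the frame at the Ethernet header, and matches 10.1.1.7,tcp:22 once the network offset is pulled and pushed back as in the patchlet. The demo_skb struct, the frame bytes and match_ip_port_src() are constructed stand-ins, not kernel API.

```c
#include <stddef.h>
#include <stdint.h>
#define ETH_HLEN 14   /* Ethernet II header length */

struct demo_skb { const uint8_t *data; size_t len; };  /* stand-in for sk_buff: data = skb->data */

/* Constructed frame: Ethernet (type 0x0800) / IPv4 10.1.1.7 -> 10.1.1.1 / TCP sport 22 */
static const uint8_t frame[] = {
    0x00,0x11,0x22,0x33,0x44,0x55, 0x66,0x77,0x88,0x99,0xaa,0xbb, 0x08,0x00,
    0x45,0x00,0x00,0x28, 0x00,0x01,0x00,0x00, 0x40,0x06,0x00,0x00,      /* IPv4, proto 6 */
    10,1,1,7, 10,1,1,1,                                                 /* src, dst */
    0x00,0x16, 0x9c,0x40, 0,0,0,0, 0,0,0,0, 0x50,0x02, 0xff,0xff, 0,0, 0,0,  /* TCP */
};

static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] << 8 | p[1]); }

/* Stand-in for ip_set_test() on a hash:ip,port set used as "src,src": like netfilter
 * it assumes skb->data already points at the IPv4 header. */
static int match_ip_port_src(const struct demo_skb *skb, uint32_t ip, uint16_t port)
{
    const uint8_t *iph = skb->data;
    if (skb->len < 20 || (iph[0] >> 4) != 4)
        return 0;                                  /* no IPv4 header at data */
    size_t ihl = (size_t)(iph[0] & 0x0f) * 4;
    if (iph[9] != 6 || skb->len < ihl + 4)
        return 0;                                  /* TCP only, and need the ports */
    uint32_t src = (uint32_t)iph[12] << 24 | (uint32_t)iph[13] << 16 |
                   (uint32_t)iph[14] << 8 | iph[15];
    return src == ip && rd16(iph + ihl) == port;
}

/* Unpatched em_ipset: data still points at the Ethernet header, so the version
 * nibble reads as 0 and the entry 10.1.1.7,tcp:22 never matches. */
static int match_from_l2(void)
{
    struct demo_skb skb = { frame, sizeof frame };
    return match_ip_port_src(&skb, 0x0a010107, 22);           /* returns 0 */
}

/* Patched em_ipset: pull skb_network_offset() before the test, push it back after. */
static int match_with_pull(void)
{
    struct demo_skb skb = { frame, sizeof frame };
    size_t network_offset = ETH_HLEN;                          /* skb_network_offset(skb) */
    skb.data += network_offset; skb.len -= network_offset;     /* skb_pull() */
    int ret = match_ip_port_src(&skb, 0x0a010107, 22);         /* returns 1 */
    skb.data -= network_offset; skb.len += network_offset;     /* skb_push() */
    return ret;
}
```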