Hi,

On Sat, 9 Apr 2011, Lennert Buytenhek wrote:

> On the current Fedora Rawhide kernel (2.6.39-0.rc2.git0.0.fc16), I am
> seeing the following two issues:
>
> 1. Attempting to create a -j SET rule with a certain invalid set of
>    flags leaks a reference to the specified pool:
>
> # ipset create foo hash:ip
> # ipset list foo | grep References
> References: 0
> # iptables -A INPUT -j SET --del-set foo src,src,src,src,src,src
> iptables: Numerical result out of range.
> # ipset list foo | grep References
> References: 1
> #
>
> 2. --del-set doesn't seem to work (or I don't understand how it's supposed
>    to work):
>
> # ipset create bar hash:ip
> # ipset add bar 127.0.0.1
> # iptables -I INPUT -s 127.0.0.1 -p icmp -j SET --del-set bar src
> # ping -c 1 127.0.0.1
> [...]
> # iptables -L INPUT -v | grep SET
> 2 168 SET icmp -- * * 127.0.0.1 0.0.0.0/0 del-set bar src,dst,dst,dst,dst,dst
> # ipset list bar
> [...]
> Members:
> 127.0.0.1

Both are real bugs indeed. I have sent the fixes to netfilter-devel and I'll
release a new ipset version at the weekend. I also fixed the set match/target
in iptables to catch properly the invalid number of dir parameters and
committed it in git.

Thanks for the bug report!

Best regards,
Jozsef
-
E-mail  : kadlec@xxxxxxxxxxxxxxxxx, kadlec@xxxxxxxxxxxx
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : KFKI Research Institute for Particle and Nuclear Physics
          H-1525 Budapest 114, POB. 49, Hungary
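As an added example, not from this thread or from the ipset/iptables projects: a small POSIX sh regression check for the reference-leak symptom in item 1. The parsing functions run on constructed `ipset list` output; `live_leak_check` is a hypothetical helper that assumes root and working `ipset`/`iptables` binaries and is only run when called by hand.

```shell
#!/bin/sh
# Added example, not from the thread: regression check for the ipset
# "References" leak. Parsing runs on constructed `ipset list` output;
# live_leak_check() assumes root plus working ipset/iptables binaries.

# Print the References counter from `ipset list <set>` output read on stdin.
ipset_refs() {
    sed -n 's/^[[:space:]]*References:[[:space:]]*\([0-9][0-9]*\).*/\1/p' | head -n 1
}

# Compare two `ipset list` outputs: 0 = unchanged, 1 = leaked/changed,
# 2 = counter missing from one of them.
refs_unchanged() {
    before=$(printf '%s\n' "$1" | ipset_refs)
    after=$(printf '%s\n' "$2" | ipset_refs)
    if [ -z "$before" ] || [ -z "$after" ]; then
        return 2
    fi
    [ "$before" -eq "$after" ]
}

# Live variant (hypothetical, run by hand as root; nothing here calls it):
# throwaway set, replay the rejected rule from the report, compare counters.
live_leak_check() {
    setname="leakcheck_$$"
    ipset create "$setname" hash:ip || return 2
    out_before=$(ipset list "$setname")
    # The rule is expected to be refused; its exit status is not the point.
    iptables -A INPUT -j SET --del-set "$setname" src,src,src,src,src,src 2>/dev/null || true
    out_after=$(ipset list "$setname")
    # Undo the rule in case it was accepted, then drop the set.
    iptables -D INPUT -j SET --del-set "$setname" src,src,src,src,src,src 2>/dev/null || true
    if refs_unchanged "$out_before" "$out_after"; then
        ipset destroy "$setname"
        echo "no reference leak on $setname"
        return 0
    fi
    echo "reference leak on $setname: $(printf '%s\n' "$out_before" | ipset_refs) -> $(printf '%s\n' "$out_after" | ipset_refs)"
    ipset destroy "$setname" 2>/dev/null || true   # refused while the leaked reference exists
    return 1
}

# Constructed sample output in the format the report shows.
SAMPLE_BEFORE='Name: foo
References: 0
Members:'
SAMPLE_LEAKED='Name: foo
References: 1
Members:'
```

`refs_unchanged "$SAMPLE_BEFORE" "$SAMPLE_LEAKED"` returns 1, which is the outcome the report describes for the invalid rule.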