On Sat, Apr 09, 2011 at 10:06:58PM +0200, Jozsef Kadlecsik wrote:
> Hi,

Hi there,

> > On the current Fedora Rawhide kernel (2.6.39-0.rc2.git0.0.fc16), I am
> > seeing the following two issues:
> >
> > 1. Attempting to create a -j SET rule with a certain invalid set of
> > flags leaks a reference to the specified pool:
> >
> > # ipset create foo hash:ip
> > # ipset list foo | grep References
> > References: 0
> > # iptables -A INPUT -j SET --del-set foo src,src,src,src,src,src
> > iptables: Numerical result out of range.
> > # ipset list foo | grep References
> > References: 1
> > #
> >
> > 2. --del-set doesn't seem to work (or I don't understand how it's supposed
> > to work):
> >
> > # ipset create bar hash:ip
> > # ipset add bar 127.0.0.1
> > # iptables -I INPUT -s 127.0.0.1 -p icmp -j SET --del-set bar src
> > # ping -c 1 127.0.0.1
> > [...]
> > # iptables -L INPUT -v | grep SET
> > 2 168 SET icmp -- * * 127.0.0.1 0.0.0.0/0 del-set bar src,dst,dst,dst,dst,dst
> > # ipset list bar
> > [...]
> > Members:
> > 127.0.0.1
>
> Both are real bugs indeed. I have sent the fixes to netfilter-devel and
> I'll release a new ipset version at the weekend. I also fixed the set
> match/target in iptables to catch properly the invalid number of dir
> parameters and committed it in git.

I didn't test (1), but your patch at least fixes (2) -- thanks!

cheers,
Lennert
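The reference leak in issue (1), as an added example that is not code from this thread, from ipset or from the kernel's xt_set: a constructed C model of a SET target checkentry path that takes the set reference before validating the direction count, beside the corrected error path. IPSET_DIM_MAX = 3, the set table and parse_dirs are assumptions of the model, not the real implementation.

```c
#include <errno.h>
#include <stdint.h>
#include <string.h>

#define IPSET_DIM_MAX 3          /* assumed limit of that ipset generation */
#define NSETS         4

/* Constructed stand-in for the kernel's set table: in-use flag + refcount. */
static struct { int in_use; int refs; } sets[NSETS];

int set_create(void) {           /* like "ipset create": returns the index */
    for (int i = 0; i < NSETS; i++)
        if (!sets[i].in_use) { sets[i].in_use = 1; sets[i].refs = 0; return i; }
    return -1;
}
int  set_refs(int idx) { return sets[idx].refs; }    /* the "References:" line */
void sets_reset(void)  { memset(sets, 0, sizeof sets); }

static int set_get(uint16_t idx) {   /* ip_set_nfnl_get_byindex stand-in */
    if (idx >= NSETS || !sets[idx].in_use) return -1;
    sets[idx].refs++;
    return 0;
}
static void set_put(uint16_t idx) { sets[idx].refs--; }   /* ip_set_nfnl_put */

/* Count the "src,dst,..." directions given to --del-set; -1 on a bad token. */
int parse_dirs(const char *dirs) {
    int n = 0;
    for (const char *p = dirs; *p; ) {
        if (strncmp(p, "src", 3) && strncmp(p, "dst", 3)) return -1;
        n++; p += 3;
        if (*p == ',') p++; else if (*p) return -1;
    }
    return n;
}

/* Leaky ordering: the reference is taken, then the dimension check fails and
 * returns -ERANGE without dropping it (the "References: 1" symptom above). */
int checkentry_leaky(uint16_t del_index, int del_dim) {
    if (set_get(del_index)) return -ENOENT;
    if (del_dim > IPSET_DIM_MAX) return -ERANGE;      /* BUG: ref never put */
    return 0;
}

/* Fixed: every error path after set_get() releases what it took. */
int checkentry_fixed(uint16_t del_index, int del_dim) {
    if (set_get(del_index)) return -ENOENT;
    if (del_dim > IPSET_DIM_MAX) { set_put(del_index); return -ERANGE; }
    return 0;
}
```

A leaked reference is what keeps "ipset destroy" failing with a set in use after the rule itself was rejected, so checking the References count after a failed rule insert is the cheapest regression test for this class of bug.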