On Tue, 27 Nov 2012, Ricardo Klein wrote: > So did I foud a bug? If yes, glad to help \o/ > > Well, with 6.15 it builds OK... You are trying to compile 6.16 with a kernel which lacks some definitions and I have to workaround that. > BUT, I cant use bitmap:ip,mac on iptables rules... check this: > > # CLEAR ALL IPTABLES RULES > iptables -F > > #CRIATE SET > ipset destroy SET_MACS_ADM > ipset -N SET_MACS_ADM macipmap range 10.0.0.0/16 > sleep 1 > > # POPULATE SET > ipset -A SET_MACS_ADM 10.0.34.32,00:1F:3B:xx:xx:xx > *(xx:xx:xx was intentional to hide my mac address) > > # CREATE IPTABLES RULE > iptables -A INPUT -m set --set SET_MACS_ADM src -j DROP > > it is not blocking traffic coming from that machine... Yes, because you specified one directional parameter only: bitmap:ip,mac is a two dimensional set and thus the set match/SET target require two directional parameters. You can't force bitmap:ip,mac to match only the MAC addresses. Best regards, Jozsef - E-mail : kadlec@xxxxxxxxxxxxxxxxx, kadlecsik.jozsef@xxxxxxxxxxxxx PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt Address : Wigner Research Centre for Physics, Hungarian Academy of Sciences H-1525 Budapest 114, POB. 49, Hungary -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html