On Thu, 7 Nov 2013, Sergey Popovich wrote: > ipset(8) for list:set says: > The match will try to find a matching entry in the sets and the > target will try to add an entry to the first set to which it can > be added. > > However real behavior is bit differ from described. Consider example: > > # ipset create test-1-v4 hash:ip family inet > # ipset create test-1-v6 hash:ip family inet6 > # ipset create test-1 list:set > # ipset add test-1 test-1-v4 > # ipset add test-1 test-1-v6 > > # iptables -A INPUT -p tcp --destination-port 25 -j SET --add-set test-1 src > # ip6tables -A INPUT -p tcp --destination-port 25 -j SET --add-set test-1 src > > And then when iptables/ip6tables rule matches packet IPSET target > tries to add src from packet to the list:set test-1 where first > entry is test-1-v4 and the second one is test-1-v6. > > For IPv4, as it first entry in test-1 src added to test-1-v4 > correctly, but for IPv6 src not added! > > Placing test-1-v6 to the first element of list:set makes behavior > correct for IPv6, but brokes for IPv4. > > This is due to result, returned from ip_set_add() and ip_set_del() from > net/netfilter/ipset/ip_set_core.c when set in list:set equires more > parameters than given or address families do not match (which is this > case). > > It seems wrong returning 0 from ip_set_add() and ip_set_del() in > this case, as 0 should be returned only when an element successfuly > added/deleted to/from the set, contrary to ip_set_test() which > returns 0 when no entry exists and >0 when entry found in set. > > Signed-off-by: Sergey Popovich <popovich_sergei@xxxxxxx> Patch is applied, thanks. Best regards, Jozsef - E-mail : kadlec@xxxxxxxxxxxxxxxxx, kadlecsik.jozsef@xxxxxxxxxxxxx PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt Address : Wigner Research Centre for Physics, Hungarian Academy of Sciences H-1525 Budapest 114, POB. 49, Hungary -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html