The machine's eth0 has IP 192.168.100.1.

When I execute only this, ipset -A foo 0.0.0.0/0, eth0 and I ping from 192.168.100.100 (external machine) to 192.168.100.1, the iptables rule is not hit.

However, if I add an entry in ipset as ipset -A foo 192.168.100.100, eth0 and I ping again, the iptables rule is hit.

My previous version of ipset was 6.25. I did rmmod for all the ip_set* modules, verified that no ip_set module was loaded (using lsmod), and installed ipset 6.35. Then I rebooted the machine.

Is there a chance that the old 6.25 module is still being used? How can I verify?

On Sat, Feb 24, 2018 at 3:09 AM, Jozsef Kadlecsik <kadlec@xxxxxxxxxxxxxxxxx> wrote:
> Hi,
>
> On Thu, 22 Feb 2018, Akshat Kakkar wrote:
>
>> I created an IPSET,
>> ipset -N foo hash:net,iface
>>
>> Then added member as
>> ipset -A foo 0.0.0.0/0,eth0
>>
>> However, following iptables rule is not matched when machine is pinged
>> on its eth0 interface
>
> What do you mean by "pinged on its eth0 interface"? Do you ping the
> machine from itself?
>
>> iptables -A INPUT -m set --match-set foo src,src -j ACCEPT
>>
>> But, if I add entry in ipset as
>> ipset -A foo 192.168.100.100,eth0
>>
>> And I ping from 192.168.100.100, the rule is hit.
>>
>> iptables version 1.6.1, ipset version 6.35, kernel 4.4.82
>
> I can't reproduce it with ipset 6.35.
>
> Best regards,
> Jozsef
> -
> E-mail  : kadlec@xxxxxxxxxxxxxxxxx, kadlecsik.jozsef@xxxxxxxxxxxxx
> PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
> Address : Wigner Research Centre for Physics, Hungarian Academy of Sciences
>           H-1525 Budapest 114, POB. 49, Hungary