Good day,
My question is regarding the iptables ipset match (-m set ...). What I am
seeing is that an empty ipset set of type iphash (I have not tried this with
any other ipset type) seems to yield a match on packets with an IP address
of 0.0.0.0. The packets of concern here are DHCP client requests, for which
a source IP of 0.0.0.0 is expected.
With any rule, like the LOG target example below, that uses an empty ipset
to match against source address, I see a match but, since the ipset set is
empty, this seems odd.
iptables -A INPUT -m set --set emptyset src -j LOG --log-prefix "What the!?"
Is this how the match is supposed to work? Even though 0.0.0.0 may be
equivalent to "any", if the set is empty it seems like a match should _not_
occur.
Thanks,
- Andrew Kraslavsky
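The observation above (an empty iphash set matching a 0.0.0.0 source) is exactly what an open-addressing hash produces when the all-zero word is used as its "empty slot" marker, because 0.0.0.0 also encodes as 0. The following Python model is an added illustration, not ipset's or netfilter's code, and it only assumes that such a sentinel design could be the cause; the post itself does not say how iphash is implemented. `NaiveIpHash` reproduces the symptom, `CheckedIpHash` shows the defensive alternative of tracking slot occupancy separately, and `simulate_rule` stands in for the `-m set --set emptyset src` match over a few constructed packets (a DHCP discover with source 0.0.0.0 and two ordinary hosts).

```python
import ipaddress


def ip_to_int(ip: str) -> int:
    """Encode a dotted-quad IPv4 address as a 32-bit integer (0.0.0.0 -> 0)."""
    return int(ipaddress.IPv4Address(ip))


class NaiveIpHash:
    """Constructed model of an open-addressing IP hash set that uses the
    integer 0 to mark an empty slot.  Because 0.0.0.0 also encodes as 0,
    a lookup for 0.0.0.0 finds an 'equal' entry in every empty table."""

    EMPTY = 0

    def __init__(self, size: int = 64, probes: int = 4):
        self.size = size
        self.probes = probes
        self.slots = [self.EMPTY] * size

    def _candidates(self, ip: int):
        # Toy linear-style probe sequence; the constant is arbitrary.
        for i in range(self.probes):
            yield (ip + i * 7919) % self.size

    def add(self, ip_str: str) -> bool:
        ip = ip_to_int(ip_str)
        for idx in self._candidates(ip):
            if self.slots[idx] in (self.EMPTY, ip):
                self.slots[idx] = ip
                return True
        return False  # no free slot on the probe path

    def test(self, ip_str: str) -> bool:
        ip = ip_to_int(ip_str)
        for idx in self._candidates(ip):
            # Defect being modelled: an empty slot (0) compares equal to 0.0.0.0.
            if self.slots[idx] == ip:
                return True
        return False


class CheckedIpHash(NaiveIpHash):
    """Same table, but occupancy is recorded separately from the stored value,
    so the stored 0 of an empty slot can never be mistaken for 0.0.0.0."""

    def __init__(self, size: int = 64, probes: int = 4):
        super().__init__(size, probes)
        self.used = [False] * size

    def add(self, ip_str: str) -> bool:
        ip = ip_to_int(ip_str)
        for idx in self._candidates(ip):
            if not self.used[idx] or self.slots[idx] == ip:
                self.slots[idx] = ip
                self.used[idx] = True
                return True
        return False

    def test(self, ip_str: str) -> bool:
        ip = ip_to_int(ip_str)
        for idx in self._candidates(ip):
            if self.used[idx] and self.slots[idx] == ip:
                return True
        return False


def simulate_rule(ipset: NaiveIpHash, packets) -> list:
    """Model of 'iptables -A INPUT -m set --set <set> src -j LOG': return the
    source addresses of the packets the set match would have accepted."""
    return [src for src, _desc in packets if ipset.test(src)]


# Constructed sample traffic: a DHCP discover plus two normal hosts.
PACKETS = [
    ("0.0.0.0", "DHCP discover, no address assigned yet"),
    ("192.168.1.20", "workstation"),
    ("10.0.0.5", "server"),
]

if __name__ == "__main__":
    naive, checked = NaiveIpHash(), CheckedIpHash()
    print("naive empty set matches:  ", simulate_rule(naive, PACKETS))
    print("checked empty set matches:", simulate_rule(checked, PACKETS))
    checked.add("10.0.0.5")
    print("checked after adding 10.0.0.5:", simulate_rule(checked, PACKETS))
```

Running the script shows the naive table logging only the 0.0.0.0 packet from an empty set, while the occupancy-tracked table logs nothing until an address is actually added. The practical takeaway for a rule author is the same either way: a rule keyed on an empty set should be treated as matching nothing, and 0.0.0.0 (expected from DHCP clients) deserves an explicit test whenever a set-based match guards a LOG or DROP decision.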