On Thu, 4 May 2006, Andrew Kraslavsky wrote:

> My question is regarding the iptables ipset match (-m set ...). What I am
> seeing is that an empty ipset set of type iphash (I have not tried this with
> any other ipset type) seems to yield a match on packets with an IP address
> of 0.0.0.0. The packets of concern here are DHCP client requests, for which
> a source IP of 0.0.0.0 is expected.
>
> With any rule, like the LOG target example below, that uses an empty ipset
> to match against source address, I see a match but, since the ipset set is
> empty, this seems odd.
>
> iptables -A INPUT -m set --set emptyset src -j LOG --log-prefix "What the!?"
>
> Is this how the match is supposed to work? Even though 0.0.0.0 may be
> equivalent to "any", if the set is empty it seems like a match should _not_
> occur.

By default all sets are zero-filled - thus 0.0.0.0 always matches. I think
it's more a bug than a peculiar feature as it's non-intuitive. Expect a fixed
ipset release in a few days.

Best regards,
Jozsef
-
E-mail  : kadlec@xxxxxxxxxxxxxxxxx, kadlec@xxxxxxxxxxxxxxx
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : KFKI Research Institute for Particle and Nuclear Physics
          H-1525 Budapest 114, POB. 49, Hungary
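The mechanism Jozsef describes (a zero-filled bucket table in which a lookup only compares the stored value with the probed address, so address 0 looks like a stored member of an empty set) is a general hash-set pitfall: using the all-zero value both as the "empty slot" marker and as a legal key. The following is an added illustration written for this page, not ipset's own code; it models a tiny open-addressing iphash in Python under the assumptions stated in the comments, reproduces the reported behaviour for a DHCP-style source of 0.0.0.0 against an empty set, and shows the usual fix of tracking slot occupancy separately from the stored value. The class and function names are invented for the example.

```python
import ipaddress

def ip_to_u32(ip: str) -> int:
    """IPv4 dotted quad -> 32-bit integer, as a kernel set would store it."""
    return int(ipaddress.IPv4Address(ip))

class ZeroFilledIpHash:
    """Model (not ipset's real code) of the behaviour described in the thread:
    the table is zero-filled on creation and lookup compares the stored value
    to the probed address, so 0.0.0.0 (value 0) matches any empty slot."""

    def __init__(self, size: int = 8):
        self.slots = [0] * size          # assumption: zero means "free"

    def _index(self, addr: int) -> int:
        return addr % len(self.slots)    # toy hash; real sets use a proper one

    def add(self, ip: str) -> bool:
        addr = ip_to_u32(ip)
        i = self._index(addr)
        for _ in range(len(self.slots)):  # linear probing
            if self.slots[i] == 0 or self.slots[i] == addr:
                self.slots[i] = addr
                return True
            i = (i + 1) % len(self.slots)
        return False                      # table full

    def contains(self, ip: str) -> bool:
        addr = ip_to_u32(ip)
        i = self._index(addr)
        for _ in range(len(self.slots)):
            if self.slots[i] == addr:     # addr == 0 hits the "free" marker
                return True
            if self.slots[i] == 0:
                return False
            i = (i + 1) % len(self.slots)
        return False

class IpHash:
    """Same table, but occupancy is tracked in a separate bitmap, so the stored
    value 0 is no longer overloaded as the empty marker and 0.0.0.0 only matches
    if it was actually added."""

    def __init__(self, size: int = 8):
        self.slots = [0] * size
        self.used = [False] * size

    def _index(self, addr: int) -> int:
        return addr % len(self.slots)

    def add(self, ip: str) -> bool:
        addr = ip_to_u32(ip)
        i = self._index(addr)
        for _ in range(len(self.slots)):
            if not self.used[i] or self.slots[i] == addr:
                self.slots[i] = addr
                self.used[i] = True
                return True
            i = (i + 1) % len(self.slots)
        return False

    def contains(self, ip: str) -> bool:
        addr = ip_to_u32(ip)
        i = self._index(addr)
        for _ in range(len(self.slots)):
            if not self.used[i]:          # free slot ends the probe chain
                return False
            if self.slots[i] == addr:
                return True
            i = (i + 1) % len(self.slots)
        return False

def src_matches(ipset, packet_src: str) -> bool:
    """Models '-m set --set <name> src': does the packet's source address
    belong to the set?"""
    return ipset.contains(packet_src)

def demo() -> dict:
    # Constructed sample: a DHCP DISCOVER has source 0.0.0.0 before a lease.
    dhcp_src = "0.0.0.0"
    buggy, fixed = ZeroFilledIpHash(), IpHash()
    return {
        "empty_zero_filled_matches_dhcp": src_matches(buggy, dhcp_src),  # True
        "empty_fixed_matches_dhcp": src_matches(fixed, dhcp_src),        # False
    }

if __name__ == "__main__":
    print(demo())
```

Running the block prints that the zero-filled model matches the 0.0.0.0 source while the occupancy-tracked model does not; the same idea applies to any set type whose "empty" encoding coincides with a valid key.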