Re: ipset and kernel 2.6.22

On Mon, 23 Jul 2007, Łukasz Nierychło wrote:

In my opinion ipset iptree still does not work as it should.
My test:

[]# ipset -N viruses iptree --timeout 100
[]# ipset -A viruses 172.16.14.12

Test1:
[]# ipset -T viruses 172.16.14.12
172.16.14.12 is in set viruses
Test2:
[]# ipset -T viruses 172.16.14.111
172.16.14.111 is in set viruses
Test3:
[]# ipset -T viruses 172.16.140.111
172.16.140.111 is NOT in set viruses

...

Test2 172.16.14.111 should NOT be in set viruses; every IP from the example subnet
172.16.14.0/24 is reported as "in set" (look at test2).

Everything is ok after IPTREE_GC_TIME 5*60  (line 33 in ip_set_iptree.c)
When I changed this label to 60 this module iptree worked ok after 60s.

To test again you have to unload ipset module. Something is wrong few minutes
after module is loaded...

That looks like a real bug. Which kernel and pom-ng version are you using?

My kernel: 2.6.22.1 PREEMPT i686 pentium4
Patch: 130-netfilter-ipset.patch
from this page
https://dev.openwrt.org/browser/trunk/target/linux/generic-2.6/patches-2.6.22/

This kernel was not patched by any patch other than
130-netfilter-ipset.patch
140-netfilter_time.patch
150-netfilter_imq.patch

[]# ipset -V
ipset v2.2.9a Protocol version 2

It was the same when I reported this
https://lists.netfilter.org/pipermail/netfilter/2007-May/068730.html
on an earlier version of the kernel ( + pom-ng )

Łukasz Nierychło

