So I can use bitmap:ip,mac to set a lot of MAC address entries with fake IPs and use iptables rules only matching the MAC from the set? So, I can work around the lack of a MAC-only set and use this for now? Nice... How should my iptables rule be written to match only the MAC address from the set?

--
Att...
Ricardo Felipe Klein
klein.rfk@xxxxxxxxx

On Tue, Nov 27, 2012 at 12:03 PM, Jozsef Kadlecsik <kadlec@xxxxxxxxxxxxxxxxx> wrote:
> On Tue, 27 Nov 2012, Ricardo Klein wrote:
>
>> So did I find a bug? If yes, glad to help \o/
>>
>> Well, with 6.15 it builds OK...
>
> You are trying to compile 6.16 with a kernel which lacks some
> definitions and I have to work around that.
>
>> BUT, I can't use bitmap:ip,mac in iptables rules... check this:
>>
>> # CLEAR ALL IPTABLES RULES
>> iptables -F
>>
>> # CREATE SET
>> ipset destroy SET_MACS_ADM
>> ipset -N SET_MACS_ADM macipmap range 10.0.0.0/16
>> sleep 1
>>
>> # POPULATE SET
>> ipset -A SET_MACS_ADM 10.0.34.32,00:1F:3B:xx:xx:xx
>> *(xx:xx:xx was intentional to hide my mac address)
>>
>> # CREATE IPTABLES RULE
>> iptables -A INPUT -m set --set SET_MACS_ADM src -j DROP
>>
>> it is not blocking traffic coming from that machine...
>
> Yes, because you specified one directional parameter only: bitmap:ip,mac
> is a two dimensional set and thus the set match/SET target require two
> directional parameters.
>
> You can't force bitmap:ip,mac to match only the MAC addresses.
>
> Best regards,
> Jozsef
> -
> E-mail : kadlec@xxxxxxxxxxxxxxxxx, kadlecsik.jozsef@xxxxxxxxxxxxx
> PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
> Address : Wigner Research Centre for Physics, Hungarian Academy of Sciences
> H-1525 Budapest 114, POB. 49, Hungary
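The fix the quoted reply points at, as an added example that is not part of the thread: the set match needs one directional flag per set dimension, so a bitmap:ip,mac set takes `src,src`, not `src`. The helper names and the constructed `ipset list -t` sample are assumptions; `--match-set` is the current spelling of the `--set` option used in the rule above.

```shell
#!/bin/sh
# Added example, not code from the thread. Derives the number of directional
# flags from the set type (members after the colon) and builds the rule.

# dims_from_type "bitmap:ip,mac" -> 2 ; "hash:ip" -> 1
dims_from_type() {
    echo "${1#*:}" | awk -F, '{ print NF }'
}

# dir_flags N -> "src,src" (N copies of src joined by commas)
dir_flags() {
    n=$1; out=""
    while [ "$n" -gt 0 ]; do
        out="${out:+$out,}src"
        n=$((n - 1))
    done
    echo "$out"
}

# set_type_from_listing: read the "Type:" line of `ipset list -t NAME` on stdin
set_type_from_listing() {
    awk -F': ' '/^Type:/ { print $2 }'
}

# build_drop_rule SETNAME TYPE -> the iptables command with matching flags
build_drop_rule() {
    dims=$(dims_from_type "$2")
    echo "iptables -A INPUT -m set --match-set $1 $(dir_flags "$dims") -j DROP"
}

# Constructed sample of `ipset list -t SET_MACS_ADM` output (not captured
# from a real host); the Type line is what matters here.
SAMPLE_LISTING='Name: SET_MACS_ADM
Type: bitmap:ip,mac
Revision: 0
Header: range 10.0.0.0-10.0.255.255
References: 0'

main() {
    type=$(printf '%s\n' "$SAMPLE_LISTING" | set_type_from_listing)
    build_drop_rule SET_MACS_ADM "$type"
}

main "$@"
```

On a live host replace `SAMPLE_LISTING` with `ipset list -t SET_MACS_ADM`; the set still matches on the IP and MAC together, as the reply says, so a packet from the listed MAC with a different source IP is not dropped.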