On Mon, 27 May 2013, Jimmy Thrasibule wrote:

> I've got a very strange problem with ipset not matching on public IP
> addresses.
>
> Let's have a look at my firewall configuration.
>
> # ip addr
> 2: eth1: <BROADCAST,MULTICAST,UP,LOWER_UP> mtu 1500 qdisc mq state UP qlen 1000
>     link/ether 00:e0:xx:xx:xx:9e brd ff:ff:ff:ff:ff:ff
>     inet 217.x.x.122/29 brd 217.x.x.127 scope global eth1
>
> # ipset list
> Name: fw_iface_pub
> Type: hash:net,iface
> Header: family inet hashsize 64 maxelem 2
> Size in memory: 1552
> References: 3
> Members:
> 217.x.x.122,eth1
>
> The entry has been entered in ipset using the following statement:
>
> # ipset add fw_iface_pub 217.x.x.122/32,eth1
>
> So from my point of view, everything should be OK. Here is the
> strangeness:
>
> # iptables -nvL
> [...]
> Chain FW_OUT (2 references)
>  pkts bytes target         prot opt in  out   source        destination
>   297 45841 CTRLOUT        icmp --  *   *     0.0.0.0/0     0.0.0.0/0
>    77  9731 FW_OUT_common  all  --  *   *     0.0.0.0/0     0.0.0.0/0    match-set fw_iface_all src,dst
>     0     0 FW_OUT_pub     all  --  *   *     0.0.0.0/0     0.0.0.0/0    match-set fw_iface_pub src,dst
>   126 22031 FW_OUT_pub     all  --  *   eth1  217.x.x.122   0.0.0.0/0
>
> As you can see, no matches on the `fw_iface_pub` list while the
> `fw_iface_all` one matches, as well as when I directly specify the public
> IP address.
>
> And do you want to know what is the strangest part? If I reboot the host,
> the rule matches as expected...
>
> I'm running iptables v1.4.14 on Debian 7.0 and I have no idea why this
> is happening.

What is your ipset version? You should post iptables rules in iptables-save
format...

Best regards,
Jozsef
-
E-mail  : kadlec@xxxxxxxxxxxxxxxxx, kadlecsik.jozsef@xxxxxxxxxxxxx
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : Wigner Research Centre for Physics, Hungarian Academy of Sciences
          H-1525 Budapest 114, POB. 49, Hungary
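An added example, not from either poster, of the kind of cross-check that the requested `iptables-save` output makes possible: it parses `ipset list` output and `iptables-save -c` rule lines, and reports `--match-set` rules whose set does contain the host's own address and interface pair yet show zero packet hits, which is exactly the symptom above. The sample texts are constructed to mirror the thread (the documentation address 192.0.2.122 stands in for the redacted 217.x.x.122); the function names are my own, and only `ipset list` and `iptables-save -c` formats are assumed.

```python
"""Cross-check ipset membership against iptables-save -c counters.

Flags match-set rules that reference a set containing a given
address/interface pair but have never matched a packet.
"""
import re
from ipaddress import ip_address, ip_network

# Constructed sample modelled on the thread's `ipset list` output
# (192.0.2.122 is a documentation address standing in for 217.x.x.122).
IPSET_LIST = """\
Name: fw_iface_pub
Type: hash:net,iface
Header: family inet hashsize 64 maxelem 2
Size in memory: 1552
References: 3
Members:
192.0.2.122,eth1
"""

# Constructed sample in `iptables-save -c` format: [packets:bytes] per rule.
IPTABLES_SAVE = """\
[0:0] -A FW_OUT -m set --match-set fw_iface_pub src,dst -j FW_OUT_pub
[126:22031] -A FW_OUT -s 192.0.2.122/32 -o eth1 -j FW_OUT_pub
"""


def parse_ipset_list(text):
    """Return {set_name: {"type": ..., "members": [...]}} from `ipset list`."""
    sets, name, in_members = {}, None, False
    for line in text.splitlines():
        if line.startswith("Name:"):
            name = line.split(":", 1)[1].strip()
            sets[name] = {"type": None, "members": []}
            in_members = False
        elif line.startswith("Type:") and name:
            sets[name]["type"] = line.split(":", 1)[1].strip()
        elif line.startswith("Members:"):
            in_members = True
        elif in_members and line.strip():
            sets[name]["members"].append(line.strip())
    return sets


def set_contains(members, addr, iface):
    """True if a hash:net,iface member covers addr on iface (longest-prefix irrelevant here)."""
    for member in members:
        net, _, member_iface = member.partition(",")
        if member_iface == iface and ip_address(addr) in ip_network(net, strict=False):
            return True
    return False


# [pkts:bytes] -A CHAIN ... --match-set SET FLAGS ...
RULE_RE = re.compile(r"^\[(\d+):(\d+)\] -A (\S+) .*--match-set (\S+) (\S+)")


def zero_hit_match_set_rules(save_text, sets, addr, iface):
    """Return (chain, set, flags) for rules whose set contains addr,iface but pkts == 0."""
    suspicious = []
    for line in save_text.splitlines():
        match = RULE_RE.match(line)
        if not match:
            continue
        pkts, _bytes, chain, set_name, flags = match.groups()
        if set_name not in sets:
            continue
        if set_contains(sets[set_name]["members"], addr, iface) and int(pkts) == 0:
            suspicious.append((chain, set_name, flags))
    return suspicious


if __name__ == "__main__":
    sets = parse_ipset_list(IPSET_LIST)
    for chain, set_name, flags in zero_hit_match_set_rules(
        IPTABLES_SAVE, sets, "192.0.2.122", "eth1"
    ):
        print(f"{chain}: --match-set {set_name} {flags} never matched although the set covers the host")
```

In the thread's `FW_OUT` chain the `src,dst` flags on a `hash:net,iface` set mean "source address, outgoing interface", which is the same condition as the explicit `-s 217.x.x.122 -o eth1` rule beneath it, so comparing those two counters (as the script does) isolates the set lookup itself as the thing that is not matching.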