Hello,

On Sat, 28 May 2016, Art Emius wrote:

> This makes me feel confused, but it seems it doesn't work at all. I've
> tried both src,src and src,dst parameters. Still I see packets are being
> dropped. But if I use -i / -o in iptables rules it works fine.

Sorry, I messed up the parameters. I think your kernel does not contain
the patch

commit ef5b6e127761667f78d99b7510a3876077fe9abe
Author: Florian Westphal <fw@xxxxxxxxx>
Date:   Sun Jun 17 09:56:46 2012 +0000

    netfilter: ipset: fix interface comparision in hash-netiface sets

    ifname_compare() assumes that skb->dev is zero-padded, e.g
    'eth1\0\0\0\0\0...'. This isn't always the case.

    e1000 driver does
    strncpy(netdev->name, pci_name(pdev), sizeof(netdev->name) - 1);
    in e1000_probe(), so once device is registered dev->name memory
    contains 'eth1\0:0:3\0\0\0' (or something like that), which makes
    eth1 compare fail.

    Use plain strcmp() instead.

which went into the kernel v4.2. I assume it was not backported into
older kernel releases.

Best regards,
Jozsef

> 2016-05-25 23:58 GMT+03:00 Jozsef Kadlecsik <kadlec@xxxxxxxxxxxxxxxxx>:
> > On Wed, 25 May 2016, Art Emius wrote:
> >
> >> Recently I've encountered an issue with using ipset in my firewall.
> >>
> >> I use Debian Linux 8.4, running in a virtual machine inside ESXi 5.5.
> >> My host is 192.168.1.2, the remote host is 192.168.1.1.
> >> I'm running an ssh server on my host and want to limit access to it using
> >> one rule with two sets of different types like this:
> >>
> >> iptables -t filter -A INPUT -m set --match-set NETS_IFACE src,src -m
> >> set --match-set SSH src,dst,dst -j ACCEPT
> >> iptables -P OUTPUT ACCEPT
> >>
> >> ipset create SSH hash:ip,port,ip hashsize 8 maxelem 8 family inet
> >> ipset add SSH 192.168.1.1,tcp:22,192.168.1.2
> >>
> >> ipset create NETS_IFACE hash:net,iface hashsize 128 maxelem 128 family inet
> >> ipset add NETS_IFACE 192.168.1.0/24,eth1
> >
> > You should use "--match-set NETS_IFACE src,dst" in the rule above if you
> > want to limit the access to the traffic from the 192.168.1.0/24 subnet
> > received on interface eth1 only.
> >
> >> It doesn't work this way. eth1 really exists and handles traffic.
> >> But if I use a rule like this it works fine:
> >> iptables -t filter -A INPUT -i eth1 -m set --match-set SSH src,dst,dst -j ACCEPT
> >
> > Best regards,
> > Jozsef
> > -
> > E-mail  : kadlec@xxxxxxxxxxxxxxxxx, kadlecsik.jozsef@xxxxxxxxxxxxx
> > PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
> > Address : Wigner Research Centre for Physics, Hungarian Academy of Sciences
> >           H-1525 Budapest 114, POB. 49, Hungary
> >
>
> --
> Art & Emius
> www.emius.ru

-
E-mail  : kadlec@xxxxxxxxxxxxxxxxx, kadlecsik.jozsef@xxxxxxxxxxxxx
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : Wigner Research Centre for Physics, Hungarian Academy of Sciences
          H-1525 Budapest 114, POB. 49, Hungary
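An added illustration of the comparison failure described in Florian's commit message above. This is not code from the thread or from the kernel: the padded comparison uses memcmp() over the whole IFNAMSIZ buffer as a stand-in for the old ifname_compare(), and the PCI device name, the in-place rename that leaves stale bytes behind the NUL, and the IFNAMSIZ value of 16 are assumptions made for the demonstration. It reproduces the symptom from the thread: a hash:net,iface entry for "eth1" fails to match a device whose name buffer holds "eth1\0" followed by leftover characters, while strcmp() matches it.

```c
#include <stdio.h>
#include <string.h>

#define IFNAMSIZ 16 /* assumed: same size the Linux kernel uses for dev->name */

/* Full-width comparison over the whole IFNAMSIZ buffer. It only gives the
 * right answer if every byte after the terminating NUL is zero, which is
 * the assumption the commit message says the old ifname_compare() made.
 * (A stand-in modelled on that description, not the kernel's own code.) */
int ifname_compare_padded(const char *a, const char *b)
{
    return memcmp(a, b, IFNAMSIZ) == 0;
}

/* The fix: stop at the first NUL and ignore whatever follows it. */
int ifname_compare_fixed(const char *a, const char *b)
{
    return strcmp(a, b) == 0;
}

/* A name supplied from user space (e.g. an ipset hash:net,iface entry)
 * arrives in a zeroed buffer, so the padding after the NUL is clean. */
void make_clean_name(char out[IFNAMSIZ], const char *name)
{
    memset(out, 0, IFNAMSIZ);
    strncpy(out, name, IFNAMSIZ - 1);
}

/* Reproduce the dirty dev->name the commit message describes: the probe
 * path strncpy()s the PCI name into the buffer, and a later rename writes
 * the short "eth1" over the front without clearing the tail. The PCI name
 * and the rename step are constructed for this illustration. */
void make_dirty_devname(char out[IFNAMSIZ])
{
    const char *pci_name = "0000:00:03.0"; /* constructed PCI device name */
    memset(out, 0, IFNAMSIZ);
    strncpy(out, pci_name, IFNAMSIZ - 1);
    strcpy(out, "eth1"); /* writes "eth1\0"; bytes after index 4 keep old data */
}

/* Returns 1 when the reported symptom is reproduced: the padded comparison
 * rejects a match that the strcmp()-based one accepts. */
int reproduce_mismatch(void)
{
    char entry[IFNAMSIZ], dev[IFNAMSIZ];
    make_clean_name(entry, "eth1");
    make_dirty_devname(dev);
    return ifname_compare_padded(entry, dev) == 0 &&
           ifname_compare_fixed(entry, dev) == 1;
}

/* Returns 1 when both comparisons agree on two clean, zero-padded buffers,
 * which is why the bug only shows up with some drivers. */
int clean_names_agree(void)
{
    char a[IFNAMSIZ], b[IFNAMSIZ];
    make_clean_name(a, "eth1");
    make_clean_name(b, "eth1");
    return ifname_compare_padded(a, b) == 1 && ifname_compare_fixed(a, b) == 1;
}

int main(void)
{
    char dev[IFNAMSIZ];
    make_dirty_devname(dev);
    printf("dev->name bytes:");
    for (int i = 0; i < IFNAMSIZ; i++)
        printf(" %02x", (unsigned char)dev[i]);
    printf("\nclean names agree: %d\nmismatch reproduced: %d\n",
           clean_names_agree(), reproduce_mismatch());
    return 0;
}
```

The byte dump shows the stale "00:03.0" tail behind the NUL at offset 4; that tail is invisible to strcmp() but breaks any comparison that treats the name as a fixed-width zero-padded field. The same caveat applies to any code that compares fixed-size name buffers from different sources: unless every writer guarantees zero padding, compare as a C string.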