Re: [iptables/ipset] Bug? -m set --match-set myset src --packets-gt 2 -j ...

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

 



Hi,

On Mon, 16 Oct 2023, U.Mutlu wrote:

> could a kind soul please check why the ipset "match-set" rule below isn't
> working.
> 
> It jumps to the chain MY2 only if "--packets-gt 0" or
> "--packets-gt 1" is used, but not for any higher values! :-)
> 
> I'm new to ipset, but this very much looks like a bug in iptables or ipset,
> IMHO.
> 
> 
> firewall.sh :
> -------------
> #...
> ipset destroy blacklist
> ipset create blacklist hash:ip hashsize 4096 timeout 300 counters
> ipset destroy bl2
> ipset create bl2 hash:ip hashsize 4096 timeout 600 counters
> #...
> iptables -N MY2
> #...
> iptables -A MY2 -j RETURN
> #...
> iptables -A INPUT -j SET --exist --add-set blacklist src
> iptables -A INPUT -m set --match-set blacklist src --packets-gt 2 -j MY2

Reverse the order of the rules above. With the first one you continuously 
(re)add the elements to the set with packet number 1.

Best regards,
Jozsef

> OS is stock Debian 11 ("bullseye"):
> 
> # iptables --version
> iptables v1.8.7 (nf_tables)
> 
> # ipset --version
> ipset v7.10, protocol version: 7
> 
> # uname -a
> Linux p21 6.1.0-0.deb11.11-amd64 #1 SMP PREEMPT_DYNAMIC Debian
> 6.1.38-4~bpo11+1 (2023-08-08) x86_64 GNU/Linux
> 
> # cat /etc/os-release
> PRETTY_NAME="Debian GNU/Linux 11 (bullseye)"
> NAME="Debian GNU/Linux"
> VERSION_ID="11"
> VERSION="11 (bullseye)"
> ...
> 

-- 
E-mail  : kadlec@xxxxxxxxxxxxxxxxx, kadlecsik.jozsef@xxxxxxxxx
PGP key : https://wigner.hu/~kadlec/pgp_public_key.txt
Address : Wigner Research Centre for Physics
          H-1525 Budapest 114, POB. 49, Hungary



[Index of Archives]     [Linux Netfilter Development]     [Linux Kernel Networking Development]     [Netem]     [Berkeley Packet Filter]     [Linux Kernel Development]     [Advanced Routing & Traffice Control]     [Bugtraq]

  Powered by Linux