Hi,
On Mon, 16 Oct 2023, U.Mutlu wrote:
> could a kind soul please check why the ipset "match-set" rule below isn't
> working.
>
> It jumps to the chain MY2 only if "--packets-gt 0" or
> "--packets-gt 1" is used, but not for any higher values! :-)
>
> I'm new to ipset, but this very much looks like a bug in iptables or ipset,
> IMHO.
>
>
> firewall.sh :
> -------------
> #...
> ipset destroy blacklist
> ipset create blacklist hash:ip hashsize 4096 timeout 300 counters
> ipset destroy bl2
> ipset create bl2 hash:ip hashsize 4096 timeout 600 counters
> #...
> iptables -N MY2
> #...
> iptables -A MY2 -j RETURN
> #...
> iptables -A INPUT -j SET --exist --add-set blacklist src
> iptables -A INPUT -m set --match-set blacklist src --packets-gt 2 -j MY2
Reverse the order of the rules above. With the first one you continuously
(re)add the elements to the set with packet number 1.
Best regards,
Jozsef
> OS is stock Debian 11 ("bullseye"):
>
> # iptables --version
> iptables v1.8.7 (nf_tables)
>
> # ipset --version
> ipset v7.10, protocol version: 7
>
> # uname -a
> Linux p21 6.1.0-0.deb11.11-amd64 #1 SMP PREEMPT_DYNAMIC Debian
> 6.1.38-4~bpo11+1 (2023-08-08) x86_64 GNU/Linux
>
> # cat /etc/os-release
> PRETTY_NAME="Debian GNU/Linux 11 (bullseye)"
> NAME="Debian GNU/Linux"
> VERSION_ID="11"
> VERSION="11 (bullseye)"
> ...
>
--
E-mail : kadlec@xxxxxxxxxxxxxxxxx, kadlecsik.jozsef@xxxxxxxxx
PGP key : https://wigner.hu/~kadlec/pgp_public_key.txt
Address : Wigner Research Centre for Physics
H-1525 Budapest 114, POB. 49, Hungary
