Hi,

On Mon, 16 Oct 2023, U.Mutlu wrote:

> Could a kind soul please check why the ipset "match-set" rule below isn't
> working.
>
> It jumps to the chain MY2 only if "--packets-gt 0" or
> "--packets-gt 1" is used, but not for any higher values! :-)
>
> I'm new to ipset, but this very much looks like a bug in iptables or ipset,
> IMHO.
>
>
> firewall.sh :
> -------------
> #...
> ipset destroy blacklist
> ipset create blacklist hash:ip hashsize 4096 timeout 300 counters
> ipset destroy bl2
> ipset create bl2 hash:ip hashsize 4096 timeout 600 counters
> #...
> iptables -N MY2
> #...
> iptables -A MY2 -j RETURN
> #...
> iptables -A INPUT -j SET --exist --add-set blacklist src
> iptables -A INPUT -m set --match-set blacklist src --packets-gt 2 -j MY2

Reverse the order of the rules above. With the first one you continuously
(re)add the elements to the set with packet number 1.

Best regards,
Jozsef

> OS is stock Debian 11 ("bullseye"):
>
> # iptables --version
> iptables v1.8.7 (nf_tables)
>
> # ipset --version
> ipset v7.10, protocol version: 7
>
> # uname -a
> Linux p21 6.1.0-0.deb11.11-amd64 #1 SMP PREEMPT_DYNAMIC Debian
> 6.1.38-4~bpo11+1 (2023-08-08) x86_64 GNU/Linux
>
> # cat /etc/os-release
> PRETTY_NAME="Debian GNU/Linux 11 (bullseye)"
> NAME="Debian GNU/Linux"
> VERSION_ID="11"
> VERSION="11 (bullseye)"
> ...
>

--
E-mail  : kadlec@xxxxxxxxxxxxxxxxx, kadlecsik.jozsef@xxxxxxxxx
PGP key : https://wigner.hu/~kadlec/pgp_public_key.txt
Address : Wigner Research Centre for Physics
          H-1525 Budapest 114, POB. 49, Hungary