Mailing List Archive

ipporthash doesn't work ( ipset-2.3.0, iptables-1.3.8-15, kernel-2.6.22.3-7-bigsmp, SuSE 10.3 Beta2)
Hi,

I compiled and installed ipset-2.3.0, I found the iphash worked fine but ipporthash acted weird. Here's the scenario:


suse10-3:~ # ipset -N set1 ipporthash --network 10.1.0.0/16
suse10-3:~ # ipset -A set1 10.1.5.28:7
suse10-3:~ # ipset -nL
Name: set1
Type: ipporthash
References: 0
Default binding:
Header: from: 10.1.0.0 to: 10.1.255.255 hashsize: 1024 probes: 8 resize: 50
Members:
10.1.5.28:7
Bindings:
suse10-3:~ # iptables -nvL
Chain INPUT (policy ACCEPT 5590 packets, 418K bytes)
pkts bytes target prot opt in out source destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination

Chain OUTPUT (policy ACCEPT 4143 packets, 798K bytes)
pkts bytes target prot opt in out source destination

suse10-3:~ # iptables -I INPUT -m set --set set1 src,dst -j DROP


After I insert the iptables rule, I cannot ssh to that machine but I can ping it (I tried from different ips: 172.16.1.121, 10.1.5.27, and 10.1.5.28.). It's not the correct behavior. I suppose the commands I ran should block the package from 10.1.5.28 to the port 7. But it seems to block every IP to the port 22.


P.S.

I used patch-o-matic-ng-20070828.tar.bz2 downloaded from http://ipset.netfilter.org/ to patch the kernel (2.6.22.3-7) of SuSE 10.3 beta2

The iptables version is 1.3.8-15 and ipset version is 2.3.0

Thanks for your time

Hung Lin
Re: ipporthash doesn't work ( ipset-2.3.0, iptables-1.3.8-15, kernel-2.6.22.3-7-bigsmp, SuSE 10.3 Beta2)
Hi,

On Tue, 4 Sep 2007, Hung Lin wrote:

> I compiled and installed ipset-2.3.0, I found the iphash worked fine but
> ipporthash acted weird. Here's the scenario:
>
> suse10-3:~ # ipset -N set1 ipporthash --network 10.1.0.0/16
> suse10-3:~ # ipset -A set1 10.1.5.28:7
> suse10-3:~ # iptables -nvL
> Chain INPUT (policy ACCEPT 5590 packets, 418K bytes)
> pkts bytes target prot opt in out source destination
>
> Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
> pkts bytes target prot opt in out source destination
>
> Chain OUTPUT (policy ACCEPT 4143 packets, 798K bytes)
> pkts bytes target prot opt in out source destination
>
> suse10-3:~ # iptables -I INPUT -m set --set set1 src,dst -j DROP
>
> After I insert the iptables rule, I cannot ssh to that machine but I can
> ping it (I tried from different ips: 172.16.1.121, 10.1.5.27, and
> 10.1.5.28.). It's not the correct behavior. I suppose the commands I
> ran should block the package from 10.1.5.28 to the port 7. But it seems
> to block every IP to the port 22.

I'm unable to reproduce it. The set and rules just work as expected.

Please try to use

iptables -I INPUT -m set --set set1 src,dst -j LOG

instead and check your logs.

Best regards,
Jozsef
-
E-mail : kadlec@blackhole.kfki.hu, kadlec@sunserv.kfki.hu
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : KFKI Research Institute for Particle and Nuclear Physics
H-1525 Budapest 114, POB. 49, Hungary
Re: ipporthash doesn't work ( ipset-2.3.0, iptables-1.3.8-15, kernel-2.6.22.3-7-bigsmp, SuSE 10.3 Beta2)
On Wed, 5 Sep 2007, Jozsef Kadlecsik wrote:

>> After I insert the iptables rule, I cannot ssh to that machine but I can
>> ping it (I tried from different ips: 172.16.1.121, 10.1.5.27, and
>> 10.1.5.28.). It's not the correct behavior. I suppose the commands I ran
>> should block the package from 10.1.5.28 to the port 7. But it seems to
>> block every IP to the port 22.
>
> I'm unable to reproduce it. The set and rules just work as expected.

Ouch! Out of range condition wrongly interpreted as 'yes' instead of 'no'.
The fix is already in the svn repository, the updated patch-o-matic
snapshot will be out at the ipset site in the afternoon.
Thank you for spotting this nasty bug.

Best regards,
Jozsef
-
E-mail : kadlec@blackhole.kfki.hu, kadlec@sunserv.kfki.hu
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : KFKI Research Institute for Particle and Nuclear Physics
H-1525 Budapest 114, POB. 49, Hungary
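The maintainer's one-line diagnosis above ("out of range condition wrongly interpreted as 'yes'") is the whole story of the bug, so here is an added toy model of an ipporthash-style set that makes the polarity mistake concrete. This is illustration code written for this thread, not ipset's kernel module: the hash function, probe count, slot layout and the names `toy_set`, `toy_test_buggy`, `toy_test_fixed` and `scenario_verdict` are all invented here. It only models the range check the fix corrects; it does not try to reproduce every symptom in the report (for instance the in-range 10.1.5.27 case), and ICMP is not modelled because it carries no port. The scenario function builds the set exactly as in the thread (`--network 10.1.0.0/16`, member `10.1.5.28:7`) and returns the match verdict for a given source address and destination port, so the effect of the inverted check on a packet from the out-of-range 172.16.1.121 can be seen directly.

```c
/* Toy model of an ipporthash-style set (added illustration, not ipset code). */
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define TOY_HASHSIZE 1024   /* same defaults as the set header in the report */
#define TOY_PROBES   8

struct toy_entry { uint32_t ip; uint16_t port; int used; };

struct toy_set {
    uint32_t first_ip, last_ip;          /* from/to derived from --network */
    struct toy_entry slots[TOY_HASHSIZE];
};

/* Build a host-order IPv4 address from its dotted-quad parts. */
static uint32_t ipv4(int a, int b, int c, int d) {
    return ((uint32_t)a << 24) | ((uint32_t)b << 16) | ((uint32_t)c << 8) | (uint32_t)d;
}

/* Initialise an empty set covering net/prefix, like `ipset -N ... --network`. */
static void toy_init(struct toy_set *s, uint32_t net, int prefix) {
    uint32_t mask = prefix == 0 ? 0u : 0xffffffffu << (32 - prefix);
    memset(s, 0, sizeof *s);
    s->first_ip = net & mask;
    s->last_ip  = s->first_ip | ~mask;
}

/* Invented hash: mixes ip and port, then offsets by the probe number. */
static uint32_t toy_hash(uint32_t ip, uint16_t port, int probe) {
    uint32_t h = ip * 2654435761u ^ ((uint32_t)port << 16) ^ (uint32_t)port;
    h ^= h >> 15;
    return (h + (uint32_t)probe * 7919u) % TOY_HASHSIZE;
}

/* Add ip:port; out-of-range addresses are rejected, as ipset does on -A. */
static int toy_add(struct toy_set *s, uint32_t ip, uint16_t port) {
    if (ip < s->first_ip || ip > s->last_ip) return -1;
    for (int p = 0; p < TOY_PROBES; p++) {
        struct toy_entry *e = &s->slots[toy_hash(ip, port, p)];
        if (!e->used) { e->ip = ip; e->port = port; e->used = 1; return 0; }
        if (e->ip == ip && e->port == port) return 0;   /* already present */
    }
    return -2;   /* all probes taken: a real set would resize here */
}

/* Probe the table for ip:port; entries are never deleted, so an empty
 * slot ends the chain. */
static int toy_lookup(const struct toy_set *s, uint32_t ip, uint16_t port) {
    for (int p = 0; p < TOY_PROBES; p++) {
        const struct toy_entry *e = &s->slots[toy_hash(ip, port, p)];
        if (!e->used) return 0;
        if (e->ip == ip && e->port == port) return 1;
    }
    return 0;
}

/* Buggy match: the range check answers 'yes' for addresses outside
 * from..to, so every out-of-range source looks like a member. */
static int toy_test_buggy(const struct toy_set *s, uint32_t ip, uint16_t port) {
    if (ip < s->first_ip || ip > s->last_ip) return 1;
    return toy_lookup(s, ip, port);
}

/* Fixed match: out of range means 'no'; only real members match. */
static int toy_test_fixed(const struct toy_set *s, uint32_t ip, uint16_t port) {
    if (ip < s->first_ip || ip > s->last_ip) return 0;
    return toy_lookup(s, ip, port);
}

/* Rebuild the thread's set (--network 10.1.0.0/16, member 10.1.5.28:7) and
 * return the verdict of `-m set --set set1 src,dst` for src:dport. */
static int scenario_verdict(int use_buggy, uint32_t src, uint16_t dport) {
    struct toy_set set;
    toy_init(&set, ipv4(10, 1, 0, 0), 16);
    toy_add(&set, ipv4(10, 1, 5, 28), 7);
    return use_buggy ? toy_test_buggy(&set, src, dport)
                     : toy_test_fixed(&set, src, dport);
}

int main(void) {
    /* Constructed sample packets taken from the addresses in the report. */
    struct { const char *name; uint32_t src; uint16_t dport; } pkts[] = {
        { "172.16.1.121 -> :22 (outside 10.1.0.0/16)", ipv4(172, 16, 1, 121), 22 },
        { "10.1.5.28    -> :7  (set member)",         ipv4(10, 1, 5, 28),    7  },
        { "10.1.5.28    -> :22 (not a member)",       ipv4(10, 1, 5, 28),    22 },
    };
    for (size_t i = 0; i < sizeof pkts / sizeof pkts[0]; i++)
        printf("%-44s buggy=%d fixed=%d\n", pkts[i].name,
               scenario_verdict(1, pkts[i].src, pkts[i].dport),
               scenario_verdict(0, pkts[i].src, pkts[i].dport));
    return 0;
}
```

The practical lesson for anyone testing a set-based DROP rule is visible in the first sample packet: an address that can never be a member (because it lies outside the set's configured range) is exactly the probe that exposes an inverted range check, so a regression test for a range-bounded set should always include one source outside the range and one inside it that is not a member, alongside the genuine members.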