IPSET iptree problem
Hello everyone,
I would like to ask you to help me with the ipset tool,
because it works differently from what I expect when I use the "timeout"
parameter.

look: (this is OK without "--timeout")
[root@rt ~]# ipset -N ts1 iptree
[root@rt ~]# ipset -A ts1 10.10.10.10
[root@rt ~]# ipset -T ts1 10.10.10.10
10.10.10.10 is in set ts1.
[root@rt ~]# ipset -T ts1 10.10.10.1
10.10.10.1 is NOT in set ts1.
[root@rt ~]# ipset -T ts1 10.10.10.255
10.10.10.255 is NOT in set ts1.

My question is what I did wrong here:
"--timeout" is used:

[root@rt ~]# ipset -N ts2 iptree --timeout 100
[root@rt ~]# ipset -A ts2 20.20.20.20
[root@rt ~]# ipset -T ts2 20.20.20.20
20.20.20.20 is in set ts2.
[root@rt ~]# ipset -T ts2 20.20.20.1
20.20.20.1 is in set ts2.
[root@rt ~]# ipset -T ts2 20.20.20.254
20.20.20.254 is in set ts2.
[root@rt ~]# ipset -T ts2 20.20.1.1
20.20.1.1 is NOT in set ts2.

If I use "timeout" then ipset test returns true
to all IPs on subnet 20.20.20.0/24.

Shouldn't this work the same way (as without "timeout")?
Is this OK?

my linux = kernel-2.6.21.1
+ set patch (pom-ng-20070513)
+ ipset-20070514

Help me please
Łukasz Nierychło
Re: IPSET iptree problem
Hello Craig,

The answer is no. :(
I think it is something with the garbage collector because if
you modify line 32 in file:
/usr/src/linux/net/ipv4/netfilter/ip_set_iptree.c
#define IPTREE_GC_TIME 5*60

to:
#define IPTREE_GC_TIME 1*60

(and recompile kernel modules)

this funny feature is available for one minute instead of 5
(after modules ip_set and ip_set_iptree are loaded
into memory)

After IPTREE_GC_TIME all is ok for some unknown period of
time, but finally this malfunction comes again.

Łukasz Nierychło

> Łukasz (and Jozsef),
> I am experiencing the same problem you cited below.
> The funny thing is that I am almost sure that it was working for several
> weeks, but now I see the exact behavior in your email.
> Did you ever find a solution to this?
Re: IPSET iptree problem
On Thu, 23 Aug 2007, Łukasz Nierychło wrote:

> I think it is something with the garbage collector because if
> you modify line 32 in file:
> /usr/src/linux/net/ipv4/netfilter/ip_set_iptree.c
> #define IPTREE_GC_TIME 5*60
>
> to:
> #define IPTREE_GC_TIME 1*60
>
> (and recompile kernel modules)
>
> this funny feature is available for one minute instead of 5
> (after modules ip_set and ip_set_iptree are loaded
> into memory)
>
> After IPTREE_GC_TIME all is ok for some unknown period of
> time, but finally this malfunction comes again.

Thank you for the reports, on the weekend I'll be able to debug it.
Please stay tuned.

Best regards,
Jozsef
-
E-mail : kadlec@blackhole.kfki.hu, kadlec@sunserv.kfki.hu
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : KFKI Research Institute for Particle and Nuclear Physics
H-1525 Budapest 114, POB. 49, Hungary
Re: IPSET iptree problem
Hi,

On Thu, 23 Aug 2007, Jozsef Kadlecsik wrote:

>> After IPTREE_GC_TIME all is ok for some unknown period of
>> time, but finally this malfunction comes again.
>
> Thank you for the reports, on the weekend I'll be able to debug it.
> Please stay tuned.

Hm, I'm unable to reproduce it. There *was* an endian-related bug in
the iptree type, but even that could not cause such behaviour.

Please give a try to the upcoming release, which you can get
as http://ipset.netfilter.org/ipset-2.6.23-rc3.patch.

If you still see the bug, please do the following:

- recompile ipset in the kernel with debugging enabled, i.e. change

#if 0
#define IP_SET_DEBUG
#endif

to

#if 1
#define IP_SET_DEBUG
#endif

in <kernel-src>/include/linux/netfilter_ipv4/ip_set.h

- then after recompiling issue the following commands and report the
resulting kernel logs:

# ipset -N viruses iptree --timeout 100
# ipset -A viruses 172.16.14.12
# ipset -T viruses 172.16.14.12
# ipset -T viruses 172.16.14.111
# ipset -n -L viruses

Best regards,
Jozsef
Re : IPSET iptree problem
Hello,

my kernel is now
Linux x-rabbit 2.6.23-rc3 1 Mon Aug 27 13:44:18 CEST 2007 i686 pentium4 i386 GNU/Linux

I performed two tests, one shortly after boot and another a few minutes later.
The results are different.
I hope this will help you.


[root@x-rabbit ~] logger Test Start
[root@x-rabbit ~] ipset -N viruses iptree --timeout 100
[root@x-rabbit ~] ipset -A viruses 172.16.14.12
[root@x-rabbit ~] ipset -T viruses 172.16.14.12
172.16.14.12 is in set viruses.
[root@x-rabbit ~] ipset -T viruses 172.16.14.111
172.16.14.111 is in set viruses.
[root@x-rabbit ~] ipset -n -L viruses
Name: viruses
Type: iptree
References: 0
Default binding:
Header: timeout: 100
Members:
172.16.14.12%81
Bindings:


Kernel log:


Aug 27 14:46:44 x-rabbit root: Test Start
Aug 27 14:46:59 x-rabbit kernel: net/ipv4/netfilter/ip_set.c: ip_set_sockfn_set (DBG): optval83, user08059198, len76
Aug 27 14:46:59 x-rabbit kernel: net/ipv4/netfilter/ip_set.c: ip_set_sockfn_set (DBG): op1
Aug 27 14:46:59 x-rabbit kernel: net/ipv4/netfilter/ip_set.c: ip_set_create (DBG): setname: viruses, typename: iptree, id: 65535
Aug 27 14:46:59 x-rabbit kernel: net/ipv4/netfilter/ip_set.c: ip_set_create (DBG): try to load ip_set_iptree
Aug 27 14:46:59 x-rabbit kernel: net/ipv4/netfilter/ip_set.c: ip_set_register_set_type (DBG): 'iptree' registered.
Aug 27 14:46:59 x-rabbit kernel: net/ipv4/netfilter/ip_set.c: ip_set_create (DBG): create: 'viruses' created with index 0, id 0!
Aug 27 14:46:59 x-rabbit kernel: net/ipv4/netfilter/ip_set.c: ip_set_sockfn_set (DBG): final result 0
Aug 27 14:47:10 x-rabbit kernel: net/ipv4/netfilter/ip_set.c: ip_set_sockfn_get (DBG): optval83, userbfb076a8, len72
Aug 27 14:47:10 x-rabbit kernel: net/ipv4/netfilter/ip_set.c: ip_set_sockfn_get (DBG): op10
Aug 27 14:47:10 x-rabbit kernel: net/ipv4/netfilter/ip_set.c: ip_set_sockfn_get (DBG): set viruses, copylen 72
Aug 27 14:47:10 x-rabbit kernel: net/ipv4/netfilter/ip_set.c: ip_set_sockfn_get (DBG): final result 0
Aug 27 14:47:10 x-rabbit kernel: net/ipv4/netfilter/ip_set.c: ip_set_sockfn_set (DBG): optval83, user08059060, len16
Aug 27 14:47:10 x-rabbit kernel: net/ipv4/netfilter/ip_set.c: ip_set_sockfn_set (DBG): op101
Aug 27 14:47:10 x-rabbit kernel: net/ipv4/netfilter/ip_set_iptree.c: addip (DBG): 172.16.14.12 0
Aug 27 14:47:10 x-rabbit kernel: net/ipv4/netfilter/ip_set_iptree.c: __addip (DBG): 172 16 14 12 timeout 100
Aug 27 14:47:10 x-rabbit kernel: net/ipv4/netfilter/ip_set_iptree.c: __addip (DBG): alloc 172
Aug 27 14:47:10 x-rabbit kernel: net/ipv4/netfilter/ip_set_iptree.c: __addip (DBG): alloc 16
Aug 27 14:47:10 x-rabbit kernel: net/ipv4/netfilter/ip_set_iptree.c: __addip (DBG): alloc 14
Aug 27 14:47:10 x-rabbit kernel: net/ipv4/netfilter/ip_set_iptree.c: __addip (DBG): 12 4294935011
Aug 27 14:47:10 x-rabbit kernel: net/ipv4/netfilter/ip_set.c: ip_set_sockfn_set (DBG): final result 0
Aug 27 14:47:15 x-rabbit kernel: net/ipv4/netfilter/ip_set.c: ip_set_sockfn_get (DBG): optval83, userbfe349d8, len72
Aug 27 14:47:15 x-rabbit kernel: net/ipv4/netfilter/ip_set.c: ip_set_sockfn_get (DBG): op10
Aug 27 14:47:15 x-rabbit kernel: net/ipv4/netfilter/ip_set.c: ip_set_sockfn_get (DBG): set viruses, copylen 72
Aug 27 14:47:15 x-rabbit kernel: net/ipv4/netfilter/ip_set.c: ip_set_sockfn_get (DBG): final result 0
Aug 27 14:47:15 x-rabbit kernel: net/ipv4/netfilter/ip_set.c: ip_set_sockfn_set (DBG): optval83, user08059060, len16
Aug 27 14:47:15 x-rabbit kernel: net/ipv4/netfilter/ip_set.c: ip_set_sockfn_set (DBG): op103
Aug 27 14:47:15 x-rabbit kernel: net/ipv4/netfilter/ip_set_iptree.c: __testip (DBG): 172 16 14 12 timeout 100
Aug 27 14:47:15 x-rabbit kernel: net/ipv4/netfilter/ip_set_iptree.c: __testip (DBG): 4294935011 4294911225
Aug 27 14:47:15 x-rabbit kernel: net/ipv4/netfilter/ip_set.c: ip_set_sockfn_set (DBG): final result -17
Aug 27 14:47:18 x-rabbit kernel: net/ipv4/netfilter/ip_set.c: ip_set_sockfn_get (DBG): optval83, userbf811bb8, len72
Aug 27 14:47:18 x-rabbit kernel: net/ipv4/netfilter/ip_set.c: ip_set_sockfn_get (DBG): op10
Aug 27 14:47:18 x-rabbit kernel: net/ipv4/netfilter/ip_set.c: ip_set_sockfn_get (DBG): set viruses, copylen 72
Aug 27 14:47:18 x-rabbit kernel: net/ipv4/netfilter/ip_set.c: ip_set_sockfn_get (DBG): final result 0
Aug 27 14:47:18 x-rabbit kernel: net/ipv4/netfilter/ip_set.c: ip_set_sockfn_set (DBG): optval83, user08059060, len16
Aug 27 14:47:18 x-rabbit kernel: net/ipv4/netfilter/ip_set.c: ip_set_sockfn_set (DBG): op103
Aug 27 14:47:18 x-rabbit kernel: net/ipv4/netfilter/ip_set_iptree.c: __testip (DBG): 172 16 14 111 timeout 100
Aug 27 14:47:18 x-rabbit kernel: net/ipv4/netfilter/ip_set_iptree.c: __testip (DBG): 0 4294912132
Aug 27 14:47:18 x-rabbit kernel: net/ipv4/netfilter/ip_set.c: ip_set_sockfn_set (DBG): final result -17
Aug 27 14:47:28 x-rabbit kernel: net/ipv4/netfilter/ip_set.c: ip_set_sockfn_get (DBG): optval83, userbfd2a77c, len44
Aug 27 14:47:28 x-rabbit kernel: net/ipv4/netfilter/ip_set.c: ip_set_sockfn_get (DBG): op20
Aug 27 14:47:28 x-rabbit kernel: net/ipv4/netfilter/ip_set.c: ip_set_sockfn_get (DBG): set :all:, copylen 44
Aug 27 14:47:28 x-rabbit kernel: net/ipv4/netfilter/ip_set.c: ip_set_sockfn_get (DBG): final result 0
Aug 27 14:47:28 x-rabbit kernel: net/ipv4/netfilter/ip_set.c: ip_set_sockfn_get (DBG): optval83, user08059138, len80
Aug 27 14:47:28 x-rabbit kernel: net/ipv4/netfilter/ip_set.c: ip_set_sockfn_get (DBG): op201
Aug 27 14:47:28 x-rabbit kernel: net/ipv4/netfilter/ip_set.c: ip_set_sockfn_get (DBG): filled viruses of type iptree, index 0
Aug 27 14:47:28 x-rabbit kernel:
Aug 27 14:47:28 x-rabbit kernel: net/ipv4/netfilter/ip_set_iptree.c: list_members_size (DBG): members 1
Aug 27 14:47:28 x-rabbit kernel: net/ipv4/netfilter/ip_set.c: ip_set_sockfn_get (DBG): set :all:, copylen 80
Aug 27 14:47:28 x-rabbit kernel: net/ipv4/netfilter/ip_set.c: ip_set_sockfn_get (DBG): final result 0
Aug 27 14:47:28 x-rabbit kernel: net/ipv4/netfilter/ip_set.c: ip_set_sockfn_get (DBG): optval83, user08059138, len32
Aug 27 14:47:28 x-rabbit kernel: net/ipv4/netfilter/ip_set.c: ip_set_sockfn_get (DBG): op203
Aug 27 14:47:28 x-rabbit kernel: net/ipv4/netfilter/ip_set.c: ip_set_list_set (DBG): set: viruses, used: 0 e083e000 e083e000
Aug 27 14:47:28 x-rabbit kernel: net/ipv4/netfilter/ip_set_iptree.c: list_members_size (DBG): members 1
Aug 27 14:47:28 x-rabbit kernel: net/ipv4/netfilter/ip_set.c: ip_set_sockfn_get (DBG): set viruses, copylen 32
Aug 27 14:47:28 x-rabbit kernel: net/ipv4/netfilter/ip_set.c: ip_set_sockfn_get (DBG): final result 0
Aug 27 14:51:59 x-rabbit kernel: net/ipv4/netfilter/ip_set_iptree.c: ip_tree_gc (DBG): gc: viruses
Aug 27 14:51:59 x-rabbit kernel: net/ipv4/netfilter/ip_set_iptree.c: ip_tree_gc (DBG): gc: 172 16 14 12: expires 4294935011 jiffies 15109
Aug 27 14:51:59 x-rabbit kernel: net/ipv4/netfilter/ip_set_iptree.c: ip_tree_gc (DBG): gc: viruses: leaf 172 16 14 empty
Aug 27 14:51:59 x-rabbit kernel: net/ipv4/netfilter/ip_set_iptree.c: ip_tree_gc (DBG): gc: viruses: branch 172 16 empty
Aug 27 14:51:59 x-rabbit kernel: net/ipv4/netfilter/ip_set_iptree.c: ip_tree_gc (DBG): gc: viruses: branch 172 empty

The same test after 5 minutes from system boot:

[root@x-rabbit ~] logger Next Test
[root@x-rabbit ~] ipset -A viruses 172.16.14.12
[root@x-rabbit ~] ipset -T viruses 172.16.14.12
172.16.14.12 is in set viruses.
[root@x-rabbit ~] ipset -T viruses 172.16.14.111
172.16.14.111 is NOT in set viruses.
[root@x-rabbit ~] ipset -n -L viruses
Name: viruses
Type: iptree
References: 0
Default binding:
Header: timeout: 100
Members:
172.16.14.12%83
Bindings:


Kernel Logs:

Aug 27 14:55:38 x-rabbit root: Next Test
Aug 27 14:55:42 x-rabbit kernel: net/ipv4/netfilter/ip_set.c: ip_set_sockfn_get (DBG): optval83, userbfc71818, len72
Aug 27 14:55:42 x-rabbit kernel: net/ipv4/netfilter/ip_set.c: ip_set_sockfn_get (DBG): op10
Aug 27 14:55:42 x-rabbit kernel: net/ipv4/netfilter/ip_set.c: ip_set_sockfn_get (DBG): set viruses, copylen 72
Aug 27 14:55:42 x-rabbit kernel: net/ipv4/netfilter/ip_set.c: ip_set_sockfn_get (DBG): final result 0
Aug 27 14:55:42 x-rabbit kernel: net/ipv4/netfilter/ip_set.c: ip_set_sockfn_set (DBG): optval83, user08059060, len16
Aug 27 14:55:42 x-rabbit kernel: net/ipv4/netfilter/ip_set.c: ip_set_sockfn_set (DBG): op101
Aug 27 14:55:42 x-rabbit kernel: net/ipv4/netfilter/ip_set_iptree.c: addip (DBG): 172.16.14.12 0
Aug 27 14:55:42 x-rabbit kernel: net/ipv4/netfilter/ip_set_iptree.c: __addip (DBG): 172 16 14 12 timeout 100
Aug 27 14:55:42 x-rabbit kernel: net/ipv4/netfilter/ip_set_iptree.c: __addip (DBG): alloc 172
Aug 27 14:55:42 x-rabbit kernel: net/ipv4/netfilter/ip_set_iptree.c: __addip (DBG): alloc 16
Aug 27 14:55:42 x-rabbit kernel: net/ipv4/netfilter/ip_set_iptree.c: __addip (DBG): alloc 14
Aug 27 14:55:42 x-rabbit kernel: net/ipv4/netfilter/ip_set_iptree.c: __addip (DBG): 12 95780
Aug 27 14:55:42 x-rabbit kernel: net/ipv4/netfilter/ip_set.c: ip_set_sockfn_set (DBG): final result 0
Aug 27 14:55:46 x-rabbit kernel: net/ipv4/netfilter/ip_set.c: ip_set_sockfn_get (DBG): optval83, userbfb58f08, len72
Aug 27 14:55:46 x-rabbit kernel: net/ipv4/netfilter/ip_set.c: ip_set_sockfn_get (DBG): op10
Aug 27 14:55:46 x-rabbit kernel: net/ipv4/netfilter/ip_set.c: ip_set_sockfn_get (DBG): set viruses, copylen 72
Aug 27 14:55:46 x-rabbit kernel: net/ipv4/netfilter/ip_set.c: ip_set_sockfn_get (DBG): final result 0
Aug 27 14:55:46 x-rabbit kernel: net/ipv4/netfilter/ip_set.c: ip_set_sockfn_set (DBG): optval83, user08059060, len16
Aug 27 14:55:46 x-rabbit kernel: net/ipv4/netfilter/ip_set.c: ip_set_sockfn_set (DBG): op103
Aug 27 14:55:46 x-rabbit kernel: net/ipv4/netfilter/ip_set_iptree.c: __testip (DBG): 172 16 14 12 timeout 100
Aug 27 14:55:46 x-rabbit kernel: net/ipv4/netfilter/ip_set_iptree.c: __testip (DBG): 95780 71693
Aug 27 14:55:46 x-rabbit kernel: net/ipv4/netfilter/ip_set.c: ip_set_sockfn_set (DBG): final result -17
Aug 27 14:55:49 x-rabbit kernel: net/ipv4/netfilter/ip_set.c: ip_set_sockfn_get (DBG): optval83, userbf843be8, len72
Aug 27 14:55:49 x-rabbit kernel: net/ipv4/netfilter/ip_set.c: ip_set_sockfn_get (DBG): op10
Aug 27 14:55:49 x-rabbit kernel: net/ipv4/netfilter/ip_set.c: ip_set_sockfn_get (DBG): set viruses, copylen 72
Aug 27 14:55:49 x-rabbit kernel: net/ipv4/netfilter/ip_set.c: ip_set_sockfn_get (DBG): final result 0
Aug 27 14:55:49 x-rabbit kernel: net/ipv4/netfilter/ip_set.c: ip_set_sockfn_set (DBG): optval83, user08059060, len16
Aug 27 14:55:49 x-rabbit kernel: net/ipv4/netfilter/ip_set.c: ip_set_sockfn_set (DBG): op103
Aug 27 14:55:49 x-rabbit kernel: net/ipv4/netfilter/ip_set_iptree.c: __testip (DBG): 172 16 14 111 timeout 100
Aug 27 14:55:49 x-rabbit kernel: net/ipv4/netfilter/ip_set_iptree.c: __testip (DBG): 0 72605
Aug 27 14:55:49 x-rabbit kernel: net/ipv4/netfilter/ip_set.c: ip_set_sockfn_set (DBG): final result 0
Aug 27 14:55:59 x-rabbit kernel: net/ipv4/netfilter/ip_set.c: ip_set_sockfn_get (DBG): optval83, userbfc88edc, len44
Aug 27 14:55:59 x-rabbit kernel: net/ipv4/netfilter/ip_set.c: ip_set_sockfn_get (DBG): op20
Aug 27 14:55:59 x-rabbit kernel: net/ipv4/netfilter/ip_set.c: ip_set_sockfn_get (DBG): set :all:, copylen 44
Aug 27 14:55:59 x-rabbit kernel: net/ipv4/netfilter/ip_set.c: ip_set_sockfn_get (DBG): final result 0
Aug 27 14:55:59 x-rabbit kernel: net/ipv4/netfilter/ip_set.c: ip_set_sockfn_get (DBG): optval83, user08059138, len80
Aug 27 14:55:59 x-rabbit kernel: net/ipv4/netfilter/ip_set.c: ip_set_sockfn_get (DBG): op201
Aug 27 14:55:59 x-rabbit kernel: net/ipv4/netfilter/ip_set.c: ip_set_sockfn_get (DBG): filled viruses of type iptree, index 0
Aug 27 14:55:59 x-rabbit kernel:
Aug 27 14:55:59 x-rabbit kernel: net/ipv4/netfilter/ip_set_iptree.c: list_members_size (DBG): members 1
Aug 27 14:55:59 x-rabbit kernel: net/ipv4/netfilter/ip_set.c: ip_set_sockfn_get (DBG): set :all:, copylen 80
Aug 27 14:55:59 x-rabbit kernel: net/ipv4/netfilter/ip_set.c: ip_set_sockfn_get (DBG): final result 0
Aug 27 14:55:59 x-rabbit kernel: net/ipv4/netfilter/ip_set.c: ip_set_sockfn_get (DBG): optval83, user08059138, len32
Aug 27 14:55:59 x-rabbit kernel: net/ipv4/netfilter/ip_set.c: ip_set_sockfn_get (DBG): op203
Aug 27 14:55:59 x-rabbit kernel: net/ipv4/netfilter/ip_set.c: ip_set_list_set (DBG): set: viruses, used: 0 e083e000 e083e000
Aug 27 14:55:59 x-rabbit kernel: net/ipv4/netfilter/ip_set_iptree.c: list_members_size (DBG): members 1
Aug 27 14:55:59 x-rabbit kernel: net/ipv4/netfilter/ip_set.c: ip_set_sockfn_get (DBG): set viruses, copylen 32
Aug 27 14:55:59 x-rabbit kernel: net/ipv4/netfilter/ip_set.c: ip_set_sockfn_get (DBG): final result 0
Aug 27 14:56:59 x-rabbit kernel: net/ipv4/netfilter/ip_set_iptree.c: ip_tree_gc (DBG): gc: viruses
Aug 27 14:56:59 x-rabbit kernel: net/ipv4/netfilter/ip_set_iptree.c: ip_tree_gc (DBG): gc: 172 16 14 12: expires 95780 jiffies 90109
Aug 27 14:56:59 x-rabbit kernel: net/ipv4/netfilter/ip_set_iptree.c: ip_tree_gc (DBG): gc: viruses: leaf 172 16 14 not empty
Aug 27 14:56:59 x-rabbit kernel: net/ipv4/netfilter/ip_set_iptree.c: ip_tree_gc (DBG): gc: viruses: branch 172 16 not empty
Aug 27 14:56:59 x-rabbit kernel: net/ipv4/netfilter/ip_set_iptree.c: ip_tree_gc (DBG): gc: viruses: branch 172 not empty
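One number separates the two runs: jiffies. Linux initialises it to INITIAL_JIFFIES, five minutes short of the 32-bit wrap, so in the first run every value sits just below 2^32 (the 14:51:59 gc line shows it has since wrapped to 15109), while in the second run the values are small. The added example below is my code, not ipset's; it replays the "expires jiffies" pairs from the __testip and ip_tree_gc lines through the kernel's wrap-safe time_after() idiom, assuming a 32-bit unsigned long as on the i686 box and, as a modelling assumption the thread does not state, that a leaf allocated for 172.16.14.0/24 stores expiry 0 for addresses never added (which would also explain why only the same /24 is affected).

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* jiffies is an unsigned long; on the i686 box in the thread that is 32 bits
 * (assumption). Linux initialises it to INITIAL_JIFFIES, five minutes short
 * of the wrap, which is why the first run's values sit just below 2^32. */
typedef uint32_t jiffies_t;

/* The kernel's time_after(a, b): true when a is later than b. Wrap-safe as
 * long as the two are less than 2^31 ticks apart. */
static bool time_after(jiffies_t a, jiffies_t b)
{
	return (int32_t)(b - a) < 0;
}

/* Plain unsigned compare: wrong whenever the expiry lies past the wrap. */
static bool live_unsigned(jiffies_t expires, jiffies_t now)
{
	return expires > now;
}

/* Wrap-safe, but with no notion of "never added". Modelling assumption: an
 * allocated leaf stores expiry 0 for addresses that were never added; 0 is
 * "after" every now in the upper half of the range, so such a slot reads as
 * live before the wrap and as expired after it. */
static bool live_no_empty_check(jiffies_t expires, jiffies_t now)
{
	return time_after(expires, now);
}

/* Empty slot first, then the wrap-safe compare. */
static bool live_checked(jiffies_t expires, jiffies_t now)
{
	return expires != 0 && time_after(expires, now);
}

struct sample { const char *what; jiffies_t expires, now; bool said_in; };

/* Rows 1-4: the "expires jiffies" pair each __testip line printed, and what
 * ipset -T reported. Row 5 is constructed (entry added 30 s before the wrap
 * and tested 10 s later at HZ=250); its last column is the correct answer. */
static const struct sample samples[] = {
	{ "172.16.14.12, before wrap",    4294935011u, 4294911225u, true  },
	{ "172.16.14.111, before wrap",            0u, 4294912132u, true  },
	{ "172.16.14.12, after wrap",           95780u,      71693u, true  },
	{ "172.16.14.111, after wrap",              0u,      72605u, false },
	{ "constructed: expiry past wrap",      17500u, 4294962296u, true  },
};

int main(void)
{
	puts("sample                            ipset -T  unsigned  no-check  checked");
	for (size_t i = 0; i < sizeof samples / sizeof samples[0]; i++) {
		const struct sample *s = &samples[i];
		printf("%-33s %-9s %-9s %-9s %s\n", s->what,
		       s->said_in ? "in" : "NOT in",
		       live_unsigned(s->expires, s->now) ? "in" : "NOT in",
		       live_no_empty_check(s->expires, s->now) ? "in" : "NOT in",
		       live_checked(s->expires, s->now) ? "in" : "NOT in");
	}
	return 0;
}
```

The no-check column reproduces all four ipset -T reports and the checked column is right everywhere; what patch2 actually changed is not stated in the thread.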
Re: Re : IPSET iptree problem
On Mon, 27 Aug 2007, nofast@welnowiec.net wrote:

> I performed two tests, one shortly after boot and another a few minutes later.
> The results are different.
> I hope this will help you.

It did help: please give a try to the new version as
http://ipset.netfilter.org/ipset-2.6.23-rc3.patch2.

Please report that it indeed solves the false iptree test results.

Best regards,
Jozsef
Re: Re : IPSET iptree problem
On Mon, 27 Aug 2007 18:40:36 +0200, Jozsef Kadlecsik
<kadlec@blackhole.kfki.hu> wrote:
> On Mon, 27 Aug 2007, nofast@welnowiec.net wrote:
>
>> I performed two tests, one shortly after boot and another a few minutes
>> later.
>> The results are different.
>> I hope this will help you.
>
> It did help: please give a try to the new version as
> http://ipset.netfilter.org/ipset-2.6.23-rc3.patch2.
>
> Please report that it indeed solves the false iptree test results.

Now it is working well.
Thank You very much :D


Łukasz Nierychło
Re: IPSET iptree problem
On Mon, Aug 27, 2007 at 18:40:36 +0200, Jozsef Kadlecsik wrote:
> On Mon, 27 Aug 2007, nofast@welnowiec.net wrote:
>
>> I performed two tests, one shortly after boot and another a few minutes
>> later.
>> The results are different.
>> I hope this will help you.
>
> It did help: please give a try to the new version as
> http://ipset.netfilter.org/ipset-2.6.23-rc3.patch2.

Your mask_to_bits function results in an infinite loop if called
with parameter 1, for example.

If you care only about the first set bit, i.e. you do not bother checking
whether the netmask is valid, you can use:

static inline unsigned int mask_to_bits(ip_set_ip_t mask)
{
	if (mask == 0) return 0;
	return 33 - ffs(mask);
}

--
Do what you love because life is too short for anything else.
Re: IPSET iptree problem
On Mon, 27 Aug 2007, Sami Farin wrote:

> Your mask_to_bits function results in an infinite loop if called
> with parameter 1, for example.
>
> If you care only about the first set bit, i.e. you do not bother checking
> whether the netmask is valid, you can use:
>
> static inline unsigned int mask_to_bits(ip_set_ip_t mask)
> {
> 	if (mask == 0) return 0;
> 	return 33 - ffs(mask);
> }

ipset does not allow passing '1' as the parameter to this function.
But you are right, a malicious root user is able to form a request
which can contain improperly handled values.

I can't recall why I did not use ffs in the first place.

Best regards,
Jozsef
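The exchange above leaves the validation side open: ffs() removes the hang but, as Sami notes, does not check that the mask is a contiguous prefix, and Jozsef points out that a root user can hand the kernel values the code does not handle. The added example below is my code, not ipset's (ip_set_ip_t is assumed to be a host-order uint32_t); it pairs the ffs() version with a contiguity check so that a mask such as 1 or 0xffff00ff is rejected instead of being silently treated as a /32.

```c
#define _DEFAULT_SOURCE     /* ffs() in <strings.h> is visible under -std=c99 */
#include <errno.h>
#include <stdint.h>
#include <stdio.h>
#include <strings.h>        /* ffs(): 1-based index of lowest set bit, 0 for 0 */

/* Assumption: a host-order IPv4 address/netmask, as ipset's ip_set_ip_t. */
typedef uint32_t ip_set_ip_t;

/* Sami's version from the thread: prefix length from the lowest set bit.
 * It cannot loop, but it trusts the mask: 1 and 0xffff00ff both give 32. */
static inline unsigned int mask_to_bits(ip_set_ip_t mask)
{
	if (mask == 0) return 0;
	return 33 - ffs((int)mask);
}

/* A valid netmask is one run of ones starting at the MSB (or no ones at
 * all). For such a mask, mask - 1 flips the lowest set bit and the zeros
 * below it, so mask | (mask - 1) has every bit set; a hole leaves a gap. */
static int mask_is_contiguous(ip_set_ip_t mask)
{
	return mask == 0 || (mask | (mask - 1)) == 0xffffffffu;
}

/* Validating front end: prefix length 0..32, or -EINVAL for a mask that is
 * not a contiguous prefix. This is the check the exchange above says the
 * plain ffs() version skips. */
static int mask_to_prefix(ip_set_ip_t mask)
{
	if (!mask_is_contiguous(mask))
		return -EINVAL;
	return (int)mask_to_bits(mask);
}

int main(void)
{
	/* Constructed inputs: three valid masks, the 1 from the thread, and a
	 * mask with a hole in it. */
	static const ip_set_ip_t masks[] = {
		0x00000000u, 0xffffff00u, 0xffffffffu, 0x00000001u, 0xffff00ffu,
	};
	for (size_t i = 0; i < sizeof masks / sizeof masks[0]; i++) {
		int rc = mask_to_prefix(masks[i]);
		if (rc < 0)
			printf("0x%08x: rejected (%d); unchecked ffs() says /%u\n",
			       (unsigned)masks[i], rc, mask_to_bits(masks[i]));
		else
			printf("0x%08x: /%d\n", (unsigned)masks[i], rc);
	}
	return 0;
}
```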