Mailing List Archive: iptables: Devel

ipporthash doesn't work ( ipset-2.3.0, iptables-1.3.8-15, kernel-2.6.22.3-7-bigsmp, SuSE 10.3 Beta2)


hlin at nextone

Sep 4, 2007, 3:16 PM

Post #1 of 3 (814 views)
ipporthash doesn't work ( ipset-2.3.0, iptables-1.3.8-15, kernel-2.6.22.3-7-bigsmp, SuSE 10.3 Beta2)

Hi,

I compiled and installed ipset-2.3.0. I found that iphash worked fine but ipporthash acted weird. Here's the scenario:


suse10-3:~ # ipset -N set1 ipporthash --network 10.1.0.0/16
suse10-3:~ # ipset -A set1 10.1.5.28:7
suse10-3:~ # ipset -nL
Name: set1
Type: ipporthash
References: 0
Default binding:
Header: from: 10.1.0.0 to: 10.1.255.255 hashsize: 1024 probes: 8 resize: 50
Members:
10.1.5.28:7
Bindings:
suse10-3:~ # iptables -nvL
Chain INPUT (policy ACCEPT 5590 packets, 418K bytes)
pkts bytes target prot opt in out source destination

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination

Chain OUTPUT (policy ACCEPT 4143 packets, 798K bytes)
pkts bytes target prot opt in out source destination

suse10-3:~ # iptables -I INPUT -m set --set set1 src,dst -j DROP


After I insert the iptables rule, I cannot ssh to that machine but I can ping it (I tried from different IPs: 172.16.1.121, 10.1.5.27, and 10.1.5.28). It's not the correct behavior. I suppose the commands I ran should block the packet from 10.1.5.28 to port 7. But it seems to block every IP to port 22.


P.S.

I used patch-o-matic-ng-20070828.tar.bz2 downloaded from http://ipset.netfilter.org/ to patch the kernel (2.6.22.3-7) of SuSE 10.3 Beta2.

The iptables version is 1.3.8-15 and ipset version is 2.3.0






Thanks for your time

Hung Lin


kadlec at blackhole

Sep 5, 2007, 2:49 AM

Post #2 of 3 (752 views)
Re: ipporthash doesn't work ( ipset-2.3.0, iptables-1.3.8-15, kernel-2.6.22.3-7-bigsmp, SuSE 10.3 Beta2) [In reply to]

Hi,

On Tue, 4 Sep 2007, Hung Lin wrote:

> I compiled and installed ipset-2.3.0. I found that iphash worked fine but
> ipporthash acted weird. Here's the scenario:
>
> suse10-3:~ # ipset -N set1 ipporthash --network 10.1.0.0/16
> suse10-3:~ # ipset -A set1 10.1.5.28:7
> suse10-3:~ # iptables -nvL
> Chain INPUT (policy ACCEPT 5590 packets, 418K bytes)
> pkts bytes target prot opt in out source destination
>
> Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
> pkts bytes target prot opt in out source destination
>
> Chain OUTPUT (policy ACCEPT 4143 packets, 798K bytes)
> pkts bytes target prot opt in out source destination
>
> suse10-3:~ # iptables -I INPUT -m set --set set1 src,dst -j DROP
>
> After I insert the iptables rule, I cannot ssh to that machine but I can
> ping it (I tried from different IPs: 172.16.1.121, 10.1.5.27, and
> 10.1.5.28). It's not the correct behavior. I suppose the commands I
> ran should block the packet from 10.1.5.28 to port 7. But it seems
> to block every IP to port 22.

I'm unable to reproduce it. The set and rules just work as expected.

Please try to use

iptables -I INPUT -m set --set set1 src,dst -j LOG

instead and check your logs.

Best regards,
Jozsef
-
E-mail : kadlec [at] blackhole, kadlec [at] sunserv
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : KFKI Research Institute for Particle and Nuclear Physics
H-1525 Budapest 114, POB. 49, Hungary


kadlec at blackhole

Sep 5, 2007, 3:27 AM

Post #3 of 3 (751 views)
Re: ipporthash doesn't work ( ipset-2.3.0, iptables-1.3.8-15, kernel-2.6.22.3-7-bigsmp, SuSE 10.3 Beta2) [In reply to]

On Wed, 5 Sep 2007, Jozsef Kadlecsik wrote:

>> After I insert the iptables rule, I cannot ssh to that machine but I can
>> ping it (I tried from different IPs: 172.16.1.121, 10.1.5.27, and
>> 10.1.5.28). It's not the correct behavior. I suppose the commands I ran
>> should block the packet from 10.1.5.28 to port 7. But it seems to
>> block every IP to port 22.
>
> I'm unable to reproduce it. The set and rules just work as expected.

Ouch! Out-of-range condition wrongly interpreted as 'yes' instead of 'no'.
The fix is already in the svn repository; the updated patch-o-matic
snapshot will be out at the ipset site in the afternoon.
Thank you for spotting this nasty bug.

Best regards,
Jozsef
-
E-mail : kadlec [at] blackhole, kadlec [at] sunserv
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : KFKI Research Institute for Particle and Nuclear Physics
H-1525 Budapest 114, POB. 49, Hungary
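The following is an added example, not code from the thread or from the ipset project. It models the bug Jozsef names in post #3: a set type with a --network range whose match function answers "yes" for an address outside the range instead of "no", so every packet from outside 10.1.0.0/16 hits the DROP rule regardless of the set's members. The real ipset kernel module hashes (ip - first_ip, port) into a bucket table; the plain array, the `buggy` switch and the `report_scenario` wrapper are simplifications introduced here to make the range-check logic visible. The model covers only the out-of-range half of the report: the thread does not say why in-range sources such as 10.1.5.27 were also blocked, and the example does not claim to reproduce that. It does not model ICMP either; in ipset 2.x the port dimension is only extracted from TCP and UDP headers, which is consistent with ping still getting through, but the thread itself does not say so.

```c
/*
 * Added example (not ipset's code): a simplified ipporthash-style set with a
 * --network range, showing the effect of an out-of-range lookup being
 * treated as a match ("yes") instead of a non-match ("no").
 */
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#include <arpa/inet.h>   /* inet_pton, ntohl */

#define MAX_MEMBERS 16

struct ipport { uint32_t ip; uint16_t port; };

struct ipporthash_set {
    uint32_t first_ip, last_ip;        /* host byte order, from --network */
    struct ipport members[MAX_MEMBERS]; /* plain array instead of a hash */
    size_t nmembers;
};

/* Parse a dotted quad into a host-order uint32_t. Returns 0 on bad input. */
static int parse_ip(const char *s, uint32_t *out)
{
    struct in_addr a;
    if (inet_pton(AF_INET, s, &a) != 1) return 0;
    *out = ntohl(a.s_addr);
    return 1;
}

/* Equivalent of: ipset -N set1 ipporthash --network 10.1.0.0/16 */
static void set_init(struct ipporthash_set *set, const char *net, unsigned prefix)
{
    uint32_t base = 0;
    memset(set, 0, sizeof *set);
    parse_ip(net, &base);
    uint32_t mask = prefix == 0 ? 0 : 0xffffffffu << (32 - prefix);
    set->first_ip = base & mask;
    set->last_ip  = base | ~mask;
}

/* Equivalent of: ipset -A set1 ip:port. Refuses out-of-range addresses. */
static int set_add(struct ipporthash_set *set, const char *ipstr, uint16_t port)
{
    uint32_t ip;
    if (!parse_ip(ipstr, &ip) || ip < set->first_ip || ip > set->last_ip)
        return 0;
    if (set->nmembers >= MAX_MEMBERS) return 0;
    set->members[set->nmembers].ip = ip;
    set->members[set->nmembers].port = port;
    set->nmembers++;
    return 1;
}

/* Membership lookup; only reached for in-range addresses. */
static int member_lookup(const struct ipporthash_set *set, uint32_t ip, uint16_t port)
{
    for (size_t i = 0; i < set->nmembers; i++)
        if (set->members[i].ip == ip && set->members[i].port == port)
            return 1;
    return 0;
}

/* Match function. With buggy != 0 an out-of-range address is reported as a
 * match, the behaviour from the report; the fixed code returns "no" there.
 * Returns 1 for match, 0 for no match. */
static int set_test(const struct ipporthash_set *set, uint32_t ip, uint16_t port, int buggy)
{
    if (ip < set->first_ip || ip > set->last_ip)
        return buggy ? 1 : 0;
    return member_lookup(set, ip, port);
}

/* Mirrors 'iptables -m set --set set1 src,dst': the packet's source IP is
 * matched against the ip dimension, its destination port against the port. */
static int packet_matches(const struct ipporthash_set *set, const char *src,
                          uint16_t dport, int buggy)
{
    uint32_t ip;
    if (!parse_ip(src, &ip)) return 0;
    return set_test(set, ip, dport, buggy);
}

/* Builds the set exactly as in the report and tests one packet against it. */
int report_scenario(const char *src, uint16_t dport, int buggy)
{
    struct ipporthash_set set1;
    set_init(&set1, "10.1.0.0", 16);
    set_add(&set1, "10.1.5.28", 7);
    return packet_matches(&set1, src, dport, buggy);
}

int main(void)
{
    /* Constructed sample packets: the three sources from the report going
     * to port 22, plus the one packet the set was actually meant to drop. */
    const char *srcs[] = { "172.16.1.121", "10.1.5.27", "10.1.5.28" };
    for (int b = 1; b >= 0; b--) {
        printf("%s range check:\n", b ? "buggy" : "fixed");
        for (size_t i = 0; i < 3; i++)
            printf("  %-13s -> :22  %s\n", srcs[i],
                   report_scenario(srcs[i], 22, b) ? "DROP" : "pass");
        printf("  %-13s -> :7   %s\n", "10.1.5.28",
               report_scenario("10.1.5.28", 7, b) ? "DROP" : "pass");
    }
    return 0;
}
```

With the buggy check, 172.16.1.121 to port 22 is dropped although it is neither in the set nor inside --network; with the fixed check only 10.1.5.28:7 matches. Jozsef's advice in post #2 to swap DROP for LOG is the practical way to see which packets a set rule is actually matching before trusting it in a DROP rule.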
