* ipset issues @ 2016-05-25 20:42 Art Emius 2016-05-25 20:58 ` Jozsef Kadlecsik 0 siblings, 1 reply; 6+ messages in thread From: Art Emius @ 2016-05-25 20:42 UTC (permalink / raw) To: netfilter Hello guys, Recently I've encountered an issue with using ipset in my firewall. I use Debian Linux 8.4, running in virtual machine inside ESXi 5.5. My host is 192.168.1.2, remote host is 192.168.1.1. I'm running ssh server on my host and want to limit access to it using one rule with two sets of different types like this: iptables -t filter -A INPUT -m set --match-set NETS_IFACE src,src -m set --match-set SSH src,dst,dst -j ACCEPT iptables -p OUTPUT ACCEPT ipset create SSH hash:ip,port,ip hashsize 8 maxelem 8 family inet ipset add SSH 192.168.1.1,tcp:22,192.168.1.2 ipset create NETS_IFACE hash:net,iface hashsize 128 maxelem 128 family inet ipset add NETS_IFACE 192.168.1.0/24,eth1 It doesn't work this way. eth1 really exists and handle traffic. But If I use rule like this it works fine. iptables -t filter -A INPUT -i eth1 -m set --match-set SSH src,dst,dst -j ACCEPT What am I doing wrong? Regards, Art ^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: ipset issues 2016-05-25 20:42 ipset issues Art Emius @ 2016-05-25 20:58 ` Jozsef Kadlecsik 2016-05-28 19:09 ` Art Emius 0 siblings, 1 reply; 6+ messages in thread From: Jozsef Kadlecsik @ 2016-05-25 20:58 UTC (permalink / raw) To: Art Emius; +Cc: netfilter On Wed, 25 May 2016, Art Emius wrote: > Recently I've encountered an issue with using ipset in my firewall. > > I use Debian Linux 8.4, running in virtual machine inside ESXi 5.5. > My host is 192.168.1.2, remote host is 192.168.1.1. > I'm running ssh server on my host and want to limit access to it using > one rule with two sets of different types like this: > > iptables -t filter -A INPUT -m set --match-set NETS_IFACE src,src -m > set --match-set SSH src,dst,dst -j ACCEPT > iptables -p OUTPUT ACCEPT > > ipset create SSH hash:ip,port,ip hashsize 8 maxelem 8 family inet > ipset add SSH 192.168.1.1,tcp:22,192.168.1.2 > > ipset create NETS_IFACE hash:net,iface hashsize 128 maxelem 128 family inet > ipset add NETS_IFACE 192.168.1.0/24,eth1 You should use "--match-set NETS_IFACE src,dst" in the rule above if you want to limit the access to the traffic from the 192.168.1.0/24 subnet received on interface eth1 only. > It doesn't work this way. eth1 really exists and handle traffic. > But If I use rule like this it works fine. > iptables -t filter -A INPUT -i eth1 -m set --match-set SSH src,dst,dst -j ACCEPT Best regards, Jozsef - E-mail : kadlec@blackhole.kfki.hu, kadlecsik.jozsef@wigner.mta.hu PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt Address : Wigner Research Centre for Physics, Hungarian Academy of Sciences H-1525 Budapest 114, POB. 49, Hungary ^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: ipset issues 2016-05-25 20:58 ` Jozsef Kadlecsik @ 2016-05-28 19:09 ` Art Emius 2016-05-30 19:19 ` Jozsef Kadlecsik 0 siblings, 1 reply; 6+ messages in thread From: Art Emius @ 2016-05-28 19:09 UTC (permalink / raw) To: Jozsef Kadlecsik; +Cc: netfilter Hello Jozsef, Thanks for reply. This makes me feel confused, but seems it doesn't work at all. I've tried both src,src and src,dst parameters. Still I see packets are being dropped. But I use -i / -o in iptables rules it works fine. 2016-05-25 23:58 GMT+03:00 Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>: > On Wed, 25 May 2016, Art Emius wrote: > >> Recently I've encountered an issue with using ipset in my firewall. >> >> I use Debian Linux 8.4, running in virtual machine inside ESXi 5.5. >> My host is 192.168.1.2, remote host is 192.168.1.1. >> I'm running ssh server on my host and want to limit access to it using >> one rule with two sets of different types like this: >> >> iptables -t filter -A INPUT -m set --match-set NETS_IFACE src,src -m >> set --match-set SSH src,dst,dst -j ACCEPT >> iptables -p OUTPUT ACCEPT >> >> ipset create SSH hash:ip,port,ip hashsize 8 maxelem 8 family inet >> ipset add SSH 192.168.1.1,tcp:22,192.168.1.2 >> >> ipset create NETS_IFACE hash:net,iface hashsize 128 maxelem 128 family inet >> ipset add NETS_IFACE 192.168.1.0/24,eth1 > > You should use "--match-set NETS_IFACE src,dst" in the rule above if you > want to limit the access to the traffic from the 192.168.1.0/24 subnet > received on interface eth1 only. > >> It doesn't work this way. eth1 really exists and handle traffic. >> But If I use rule like this it works fine. >> iptables -t filter -A INPUT -i eth1 -m set --match-set SSH src,dst,dst -j ACCEPT > > Best regards, > Jozsef > - > E-mail : kadlec@blackhole.kfki.hu, kadlecsik.jozsef@wigner.mta.hu > PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt > Address : Wigner Research Centre for Physics, Hungarian Academy of Sciences > H-1525 Budapest 114, POB. 49, Hungary -- Art & Emius www.emius.ru ^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: ipset issues 2016-05-28 19:09 ` Art Emius @ 2016-05-30 19:19 ` Jozsef Kadlecsik 2016-05-31 10:25 ` Pablo Neira Ayuso 0 siblings, 1 reply; 6+ messages in thread From: Jozsef Kadlecsik @ 2016-05-30 19:19 UTC (permalink / raw) To: Art Emius; +Cc: netfilter Hello, On Sat, 28 May 2016, Art Emius wrote: > This makes me feel confused, but seems it doesn't work at all. I've > tried both src,src and src,dst parameters. Still I see packets are being > dropped. But I use -i / -o in iptables rules it works fine. Sorry, I messed up the parameters. I think your kernel does not contain the patch commit ef5b6e127761667f78d99b7510a3876077fe9abe Author: Florian Westphal <fw@strlen.de> Date: Sun Jun 17 09:56:46 2012 +0000 netfilter: ipset: fix interface comparision in hash-netiface sets ifname_compare() assumes that skb->dev is zero-padded, e.g 'eth1\0\0\0\0\0...'. This isn't always the case. e1000 driver does strncpy(netdev->name, pci_name(pdev), sizeof(netdev->name) - 1); in e1000_probe(), so once device is registered dev->name memory contains 'eth1\0:0:3\0\0\0' (or something like that), which makes eth1 compare fail. Use plain strcmp() instead. which went into the kernel v4.2. I assume it was not backported into older kernel releases. Best regards, Jozsef > 2016-05-25 23:58 GMT+03:00 Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>: > > On Wed, 25 May 2016, Art Emius wrote: > > > >> Recently I've encountered an issue with using ipset in my firewall. > >> > >> I use Debian Linux 8.4, running in virtual machine inside ESXi 5.5. > >> My host is 192.168.1.2, remote host is 192.168.1.1. > >> I'm running ssh server on my host and want to limit access to it using > >> one rule with two sets of different types like this: > >> > >> iptables -t filter -A INPUT -m set --match-set NETS_IFACE src,src -m > >> set --match-set SSH src,dst,dst -j ACCEPT > >> iptables -p OUTPUT ACCEPT > >> > >> ipset create SSH hash:ip,port,ip hashsize 8 maxelem 8 family inet > >> ipset add SSH 192.168.1.1,tcp:22,192.168.1.2 > >> > >> ipset create NETS_IFACE hash:net,iface hashsize 128 maxelem 128 family inet > >> ipset add NETS_IFACE 192.168.1.0/24,eth1 > > > > You should use "--match-set NETS_IFACE src,dst" in the rule above if you > > want to limit the access to the traffic from the 192.168.1.0/24 subnet > > received on interface eth1 only. > > > >> It doesn't work this way. eth1 really exists and handle traffic. > >> But If I use rule like this it works fine. > >> iptables -t filter -A INPUT -i eth1 -m set --match-set SSH src,dst,dst -j ACCEPT > > > > Best regards, > > Jozsef > > - > > E-mail : kadlec@blackhole.kfki.hu, kadlecsik.jozsef@wigner.mta.hu > > PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt > > Address : Wigner Research Centre for Physics, Hungarian Academy of Sciences > > H-1525 Budapest 114, POB. 49, Hungary > > > > -- > Art & Emius > www.emius.ru > - E-mail : kadlec@blackhole.kfki.hu, kadlecsik.jozsef@wigner.mta.hu PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt Address : Wigner Research Centre for Physics, Hungarian Academy of Sciences H-1525 Budapest 114, POB. 49, Hungary ^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: ipset issues 2016-05-30 19:19 ` Jozsef Kadlecsik @ 2016-05-31 10:25 ` Pablo Neira Ayuso 2016-05-31 11:05 ` Jozsef Kadlecsik 0 siblings, 1 reply; 6+ messages in thread From: Pablo Neira Ayuso @ 2016-05-31 10:25 UTC (permalink / raw) To: Jozsef Kadlecsik; +Cc: Art Emius, netfilter On Mon, May 30, 2016 at 09:19:34PM +0200, Jozsef Kadlecsik wrote: > Hello, > > On Sat, 28 May 2016, Art Emius wrote: > > > This makes me feel confused, but seems it doesn't work at all. I've > > tried both src,src and src,dst parameters. Still I see packets are being > > dropped. But I use -i / -o in iptables rules it works fine. > > Sorry, I messed up the parameters. > > I think your kernel does not contain the patch > > commit ef5b6e127761667f78d99b7510a3876077fe9abe > Author: Florian Westphal <fw@strlen.de> > Date: Sun Jun 17 09:56:46 2012 +0000 > > netfilter: ipset: fix interface comparision in hash-netiface sets > > ifname_compare() assumes that skb->dev is zero-padded, > e.g 'eth1\0\0\0\0\0...'. This isn't always the case. e1000 driver does > > strncpy(netdev->name, pci_name(pdev), sizeof(netdev->name) - 1); > > in e1000_probe(), so once device is registered dev->name memory contains > 'eth1\0:0:3\0\0\0' (or something like that), which makes eth1 compare > fail. > > Use plain strcmp() instead. > > which went into the kernel v4.2. I assume it was not backported into older > kernel releases. This seems to apply cleanly against 3.2.x and 3.4.x. I can request -stable submission for these two. ^ permalink raw reply [flat|nested] 6+ messages in thread
* Re: ipset issues 2016-05-31 10:25 ` Pablo Neira Ayuso @ 2016-05-31 11:05 ` Jozsef Kadlecsik 0 siblings, 0 replies; 6+ messages in thread From: Jozsef Kadlecsik @ 2016-05-31 11:05 UTC (permalink / raw) To: Pablo Neira Ayuso; +Cc: Art Emius, netfilter Hi Pablo, On Tue, 31 May 2016, Pablo Neira Ayuso wrote: > On Mon, May 30, 2016 at 09:19:34PM +0200, Jozsef Kadlecsik wrote: > > > > On Sat, 28 May 2016, Art Emius wrote: > > > > > This makes me feel confused, but seems it doesn't work at all. I've > > > tried both src,src and src,dst parameters. Still I see packets are being > > > dropped. But I use -i / -o in iptables rules it works fine. > > > > Sorry, I messed up the parameters. > > > > I think your kernel does not contain the patch > > > > commit ef5b6e127761667f78d99b7510a3876077fe9abe > > Author: Florian Westphal <fw@strlen.de> > > Date: Sun Jun 17 09:56:46 2012 +0000 > > > > netfilter: ipset: fix interface comparision in hash-netiface sets > > > > ifname_compare() assumes that skb->dev is zero-padded, > > e.g 'eth1\0\0\0\0\0...'. This isn't always the case. e1000 driver does > > > > strncpy(netdev->name, pci_name(pdev), sizeof(netdev->name) - 1); > > > > in e1000_probe(), so once device is registered dev->name memory contains > > 'eth1\0:0:3\0\0\0' (or something like that), which makes eth1 compare > > fail. > > > > Use plain strcmp() instead. > > > > which went into the kernel v4.2. I assume it was not backported into older > > kernel releases. > > This seems to apply cleanly against 3.2.x and 3.4.x. > > I can request -stable submission for these two. It'd be great, please request the submissions. Thanks! Best regards, Jozsef - E-mail : kadlec@blackhole.kfki.hu, kadlecsik.jozsef@wigner.mta.hu PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt Address : Wigner Research Centre for Physics, Hungarian Academy of Sciences H-1525 Budapest 114, POB. 49, Hungary ^ permalink raw reply [flat|nested] 6+ messages in thread
end of thread, other threads:[~2016-05-31 11:05 UTC | newest] Thread overview: 6+ messages (download: mbox.gz follow: Atom feed -- links below jump to the message on this page -- 2016-05-25 20:42 ipset issues Art Emius 2016-05-25 20:58 ` Jozsef Kadlecsik 2016-05-28 19:09 ` Art Emius 2016-05-30 19:19 ` Jozsef Kadlecsik 2016-05-31 10:25 ` Pablo Neira Ayuso 2016-05-31 11:05 ` Jozsef Kadlecsik
This is an external index of several public inboxes, see mirroring instructions on how to clone and mirror all data and code used by this external index.