From: Michael Ludvig <mludvig@logix.net.nz>
To: netfilter@vger.kernel.org
Subject: Re: ipset hash:ip,port not matching
Date: Tue, 25 Jun 2013 18:33:43 +1200	[thread overview]
Message-ID: <51C939C7.50007@logix.net.nz> (raw)
In-Reply-To: <51C9371E.8020305@logix.net.nz>

On 25/06/13 18:22, Michael Ludvig wrote:
> Hi
>
> I'm struggling with ipset 6.11 on CentOS 6.4 (default package) where I
> can't make it match on hash:ip,port sets.

I managed to update ipset and iptables to the current git version but
I'm still having the same problem. I'm sure I'm doing something wrong or
misunderstanding how to use ipset...?

Michael

> My simple testcase is (on 172.31.170.102):
>
> ~ # ipset restore << _EOF_
> create test-ipport hash:ip,port family inet hashsize 1024 maxelem 65536
> add test-ipport 172.31.170.102,tcp:12345
> add test-ipport 172.31.170.1,tcp:12345
> _EOF_
>
> ~ # iptables -F
> ~ # iptables -I INPUT -m set --match-set test-ipport dst -j LOG --log-prefix "IPSET(test-ipport,dst): "
> ~ # iptables -I INPUT -m set --match-set test-ipport src -j LOG --log-prefix "IPSET(test-ipport,src): "
>
> Then from my client 172.31.170.1 I run netcat:
> ~ # nc -p 12345 172.31.170.102 12345
>
> On the target I can see the packets:
>
> 16:55:40.945624 IP 172.31.170.1.12345 > 172.31.170.102.12345: Flags [S], seq 471135462, win 14600, options [mss 1460,sackOK,TS val 631328194 ecr 0,nop,wscale 7], length 0
> 16:55:40.945684 IP 172.31.170.102.12345 > 172.31.170.1.12345: Flags [R.], seq 0, ack 471135463, win 0, length 0
>
> But nothing is logged. Even if I change it to DROP or any other target the
> match still seems to be ignored.
>
> With hash:ip it works but as soon as I use one of the port-hashes it fails.
>
> What am I doing wrong?
>
> Thanks
>
> Michael
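A model of the set-match flag semantics for the testcase above, as an added example that is not part of the thread: it parses the two set members and the two tcpdump lines from the post and evaluates `--match-set test-ipport <flags>` the way the iptables set match documents it, where each comma-separated flag names the direction (src or dst) used for one dimension of the set. A hash:ip,port set has two dimensions, address and port, so a rule needs two flags (dst,dst or src,src) to match it; the functions, the regex and the SET_DIMENSION constant are this example's own.

```python
import re

# Constructed for this example, copied in form from the thread: the two set
# members and the two tcpdump lines seen on 172.31.170.102.
SET_ELEMENTS = ["172.31.170.102,tcp:12345", "172.31.170.1,tcp:12345"]
PACKETS = [
    "16:55:40.945624 IP 172.31.170.1.12345 > 172.31.170.102.12345: Flags [S], length 0",
    "16:55:40.945684 IP 172.31.170.102.12345 > 172.31.170.1.12345: Flags [R.], length 0",
]
SET_DIMENSION = 2  # hash:ip,port has two dimensions: address, then port


def parse_elements(lines):
    """Turn 'ip,proto:port' add-lines into a set of (ip, proto, port) tuples."""
    elems = set()
    for line in lines:
        ip, rest = line.split(",", 1)
        proto, port = rest.split(":", 1)
        elems.add((ip, proto, int(port)))
    return elems


PKT_RE = re.compile(r"IP (\S+)\.(\d+) > (\S+)\.(\d+):")


def parse_packet(line):
    """Extract (src_ip, src_port, dst_ip, dst_port) from a tcpdump TCP line."""
    m = PKT_RE.search(line)
    if not m:
        raise ValueError("not a tcpdump TCP line: " + line)
    return m.group(1), int(m.group(2)), m.group(3), int(m.group(4))


def match_set(elems, packet, flags, proto="tcp"):
    """Model of `-m set --match-set <set> <flags>` against a hash:ip,port set.
    flags is the comma-separated flag word from the rule; the n-th flag says
    which direction feeds the n-th dimension (address, then port). A rule that
    gives fewer flags than the set has dimensions never matches."""
    dims = flags.split(",")
    if any(d not in ("src", "dst") for d in dims):
        raise ValueError("unsupported flag in: " + flags)
    if len(dims) < SET_DIMENSION:
        return False
    src_ip, src_port, dst_ip, dst_port = parse_packet(packet)
    ip = src_ip if dims[0] == "src" else dst_ip
    port = src_port if dims[1] == "src" else dst_port
    return (ip, proto, port) in elems


def matching_packets(elems, packets, flags):
    """Return the timestamps of the packets the rule would log."""
    return [p.split()[0] for p in packets if match_set(elems, p, flags)]
```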
