ipset hash:ip,port not matching

All of lore.kernel.org
 help / color / mirror / Atom feed

* ipset hash:ip,port not matching
@ 2013-06-25  6:22 Michael Ludvig
  2013-06-25  6:33 ` Michael Ludvig
  2013-06-25  7:40 ` Jozsef Kadlecsik
  0 siblings, 2 replies; 5+ messages in thread
From: Michael Ludvig @ 2013-06-25  6:22 UTC (permalink / raw)
  To: netfilter

Hi

I'm struggling with ipset 6.11 on CentOS 6.4 (default package) where I
can't make it match on hash:ip,port sets.

My simple testcase is (on 172.31.170.102):

~ # ipset restore << _EOF_
create test-ipport hash:ip,port family inet hashsize 1024 maxelem 65536
add test-ipport 172.31.170.102,tcp:12345
add test-ipport 172.31.170.1,tcp:12345
_EOF_

~ # iptables -F
~ # iptables -I INPUT -m set --match-set test-ipport dst -j LOG
--log-prefix "IPSET(test-ipport,dst): "
~ # iptables -I INPUT -m set --match-set test-ipport src -j LOG
--log-prefix "IPSET(test-ipport,src): "

Then from my client 172.31.170.1 I run netcat:
~ # nc -p 12345 172.31.170.102 12345

On the target I can see the packets:

16:55:40.945624 IP 172.31.170.1.12345 > 172.31.170.102.12345: Flags [S],
seq 471135462, win 14600, options [mss 1460,sackOK,TS val 631328194 ecr
0,nop,wscale 7], length 0
16:55:40.945684 IP 172.31.170.102.12345 > 172.31.170.1.12345: Flags
[R.], seq 0, ack 471135463, win 0, length 0

But nothing is logged. Even if I change it to DROP any other target the
match still seems to be ignored.

With hash:ip it works but as soon as I use one of the port-hashes it fails.

What am I doing wrong?

Thanks

Michael

^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: ipset hash:ip,port not matching
  2013-06-25  6:22 ipset hash:ip,port not matching Michael Ludvig
@ 2013-06-25  6:33 ` Michael Ludvig
  2013-06-25  7:40 ` Jozsef Kadlecsik
  1 sibling, 0 replies; 5+ messages in thread
From: Michael Ludvig @ 2013-06-25  6:33 UTC (permalink / raw)
  To: netfilter

On 25/06/13 18:22, Michael Ludvig wrote:
> Hi
>
> I'm struggling with ipset 6.11 on CentOS 6.4 (default package) where I
> can't make it match on hash:ip,port sets.

I managed to update ipset and iptables to the current git version but
still having the same problem. I'm sure I'm doing something wrong or
misunderstanding how to use ipset...?

Michael

> My simple testcase is (on 172.31.170.102):
>
> ~ # ipset restore << _EOF_
> create test-ipport hash:ip,port family inet hashsize 1024 maxelem 65536
> add test-ipport 172.31.170.102,tcp:12345
> add test-ipport 172.31.170.1,tcp:12345
> _EOF_
>
> ~ # iptables -F
> ~ # iptables -I INPUT -m set --match-set test-ipport dst -j LOG
> --log-prefix "IPSET(test-ipport,dst): "
> ~ # iptables -I INPUT -m set --match-set test-ipport src -j LOG
> --log-prefix "IPSET(test-ipport,src): "
>
> Then from my client 172.31.170.1 I run netcat:
> ~ # nc -p 12345 172.31.170.102 12345
>
> On the target I can see the packets:
>
> 16:55:40.945624 IP 172.31.170.1.12345 > 172.31.170.102.12345: Flags [S],
> seq 471135462, win 14600, options [mss 1460,sackOK,TS val 631328194 ecr
> 0,nop,wscale 7], length 0
> 16:55:40.945684 IP 172.31.170.102.12345 > 172.31.170.1.12345: Flags
> [R.], seq 0, ack 471135463, win 0, length 0
>
> But nothing is logged. Even if I change it to DROP any other target the
> match still seems to be ignored.
>
> With hash:ip it works but as soon as I use one of the port-hashes it fails.
>
> What am I doing wrong?
>
> Thanks
>
> Michael


^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: ipset hash:ip,port not matching
  2013-06-25  6:22 ipset hash:ip,port not matching Michael Ludvig
  2013-06-25  6:33 ` Michael Ludvig
@ 2013-06-25  7:40 ` Jozsef Kadlecsik
  2013-06-25  9:05   ` Michael Ludvig
  1 sibling, 1 reply; 5+ messages in thread
From: Jozsef Kadlecsik @ 2013-06-25  7:40 UTC (permalink / raw)
  To: Michael Ludvig; +Cc: netfilter

On Tue, 25 Jun 2013, Michael Ludvig wrote:

> I'm struggling with ipset 6.11 on CentOS 6.4 (default package) where I
> can't make it match on hash:ip,port sets.
> 
> My simple testcase is (on 172.31.170.102):
> 
> ~ # ipset restore << _EOF_
> create test-ipport hash:ip,port family inet hashsize 1024 maxelem 65536
> add test-ipport 172.31.170.102,tcp:12345
> add test-ipport 172.31.170.1,tcp:12345
> _EOF_
> 
> ~ # iptables -F
> ~ # iptables -I INPUT -m set --match-set test-ipport dst -j LOG
> --log-prefix "IPSET(test-ipport,dst): "
> ~ # iptables -I INPUT -m set --match-set test-ipport src -j LOG
> --log-prefix "IPSET(test-ipport,src): "

In the rules above you specified a single direction flag for a two 
dimensional set, thus the matching returned "false". If in the first rule 
the port is the destination, then it should be:

iptables -I INPUT -m set --match-set test-ipport dst,dst -j LOG ...
 
> Then from my client 172.31.170.1 I run netcat:
> ~ # nc -p 12345 172.31.170.102 12345
> 
> On the target I can see the packets:
> 
> 16:55:40.945624 IP 172.31.170.1.12345 > 172.31.170.102.12345: Flags [S],
> seq 471135462, win 14600, options [mss 1460,sackOK,TS val 631328194 ecr
> 0,nop,wscale 7], length 0
> 16:55:40.945684 IP 172.31.170.102.12345 > 172.31.170.1.12345: Flags
> [R.], seq 0, ack 471135463, win 0, length 0
> 
> But nothing is logged. Even if I change it to DROP any other target the
> match still seems to be ignored.
> 
> With hash:ip it works but as soon as I use one of the port-hashes it fails.
> 
> What am I doing wrong?

Best regards,
Jozsef
-
E-mail  : kadlec@blackhole.kfki.hu, kadlecsik.jozsef@wigner.mta.hu
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : Wigner Research Centre for Physics, Hungarian Academy of Sciences
          H-1525 Budapest 114, POB. 49, Hungary

^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: ipset hash:ip,port not matching
  2013-06-25  7:40 ` Jozsef Kadlecsik
@ 2013-06-25  9:05   ` Michael Ludvig
  2013-06-25  9:30     ` Jozsef Kadlecsik
  0 siblings, 1 reply; 5+ messages in thread
From: Michael Ludvig @ 2013-06-25  9:05 UTC (permalink / raw)
  To: Jozsef Kadlecsik; +Cc: netfilter

On 25/06/13 19:40, Jozsef Kadlecsik wrote:
> On Tue, 25 Jun 2013, Michael Ludvig wrote:
>
>> ~ # iptables -I INPUT -m set --match-set test-ipport dst -j LOG
>> --log-prefix "IPSET(test-ipport,dst): "
>> ~ # iptables -I INPUT -m set --match-set test-ipport src -j LOG
>> --log-prefix "IPSET(test-ipport,src): "
> In the rules above you specified a single direction flag for a two 
> dimensional set, thus the matching returned "false". If in the first rule 
> the port is the destination, then it should be:
>
> iptables -I INPUT -m set --match-set test-ipport dst,dst -j LOG ...

Thanks! I didn't know I'm supposed to specify the direction for each
dimension of the set. That actually makes it quite flexible.

Is it possible to make iptables fail when there are not enough src's and
dst's in the command? To let users know there's something wrong.

Cheers

Michael

^ permalink raw reply	[flat|nested] 5+ messages in thread

* Re: ipset hash:ip,port not matching
  2013-06-25  9:05   ` Michael Ludvig
@ 2013-06-25  9:30     ` Jozsef Kadlecsik
  0 siblings, 0 replies; 5+ messages in thread
From: Jozsef Kadlecsik @ 2013-06-25  9:30 UTC (permalink / raw)
  To: Michael Ludvig; +Cc: netfilter

On Tue, 25 Jun 2013, Michael Ludvig wrote:

> On 25/06/13 19:40, Jozsef Kadlecsik wrote:
> > On Tue, 25 Jun 2013, Michael Ludvig wrote:
> >
> >> ~ # iptables -I INPUT -m set --match-set test-ipport dst -j LOG
> >> --log-prefix "IPSET(test-ipport,dst): "
> >> ~ # iptables -I INPUT -m set --match-set test-ipport src -j LOG
> >> --log-prefix "IPSET(test-ipport,src): "
> > In the rules above you specified a single direction flag for a two 
> > dimensional set, thus the matching returned "false". If in the first rule 
> > the port is the destination, then it should be:
> >
> > iptables -I INPUT -m set --match-set test-ipport dst,dst -j LOG ...
> 
> Thanks! I didn't know I'm supposed to specify the direction for each
> dimension of the set. That actually makes it quite flexible.
> 
> Is it possible to make iptables fail when there are not enough src's and
> dst's in the command? To let users know there's something wrong.

The set match and target check the existence of the set only, and don't 
verify the dimension of the set and the number of the direction flags. 
This is due to the list set type: in that case the direction flags are 
passed to the members, which may change runtime anytime.

The match and target could verify the directions for other set types, 
though. It'd need a protocol change because the required information is 
not passed in either direction at checking time.

Best regards,
Jozsef
-
E-mail  : kadlec@blackhole.kfki.hu, kadlecsik.jozsef@wigner.mta.hu
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : Wigner Research Centre for Physics, Hungarian Academy of Sciences
          H-1525 Budapest 114, POB. 49, Hungary

^ permalink raw reply	[flat|nested] 5+ messages in thread

end of thread, other threads:[~2013-06-25  9:30 UTC | newest]

Thread overview: 5+ messages (download: mbox.gz follow: Atom feed
-- links below jump to the message on this page --
2013-06-25  6:22 ipset hash:ip,port not matching Michael Ludvig
2013-06-25  6:33 ` Michael Ludvig
2013-06-25  7:40 ` Jozsef Kadlecsik
2013-06-25  9:05   ` Michael Ludvig
2013-06-25  9:30     ` Jozsef Kadlecsik

This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.