* ipporthash doesn't work ( ipset-2.3.0, iptables-1.3.8-15, kernel-2.6.22.3-7-bigsmp, SuSE 10.3 Beta2)
From: Hung Lin @ 2007-09-04 22:16 UTC (permalink / raw)
To: netfilter-devel
Hi,
I compiled and installed ipset-2.3.0, I found the iphash worked fine but ipporthash acted weird. Here's the scenario:
suse10-3:~ # ipset -N set1 ipporthash --network 10.1.0.0/16
suse10-3:~ # ipset -A set1 10.1.5.28:7
suse10-3:~ # ipset -nL
Name: set1
Type: ipporthash
References: 0
Default binding:
Header: from: 10.1.0.0 to: 10.1.255.255 hashsize: 1024 probes: 8 resize: 50
Members:
10.1.5.28:7
Bindings:
suse10-3:~ # iptables -nvL
Chain INPUT (policy ACCEPT 5590 packets, 418K bytes)
pkts bytes target prot opt in out source destination
Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
pkts bytes target prot opt in out source destination
Chain OUTPUT (policy ACCEPT 4143 packets, 798K bytes)
pkts bytes target prot opt in out source destination
suse10-3:~ # iptables -I INPUT -m set --set set1 src,dst -j DROP
After I insert the iptables rule, I cannot ssh to that machine but I can ping it (I tried from different IPs: 172.16.1.121, 10.1.5.27, and 10.1.5.28). It's not the correct behavior. I suppose the commands I ran should block the packet from 10.1.5.28 to the port 7. But it seems to block every IP to the port 22.
P.S.
I used patch-o-maic-ng-20070828.tar.bz2 downloaded from http://ipset.netfilter.org/ to patch the kernel (2.6.22.3-7) of SuSE 10.3 beta2
The iptables version is 1.3.8-15 and ipset version is 2.3.0
Thanks for your time
Hung Lin
* Re: ipporthash doesn't work ( ipset-2.3.0, iptables-1.3.8-15, kernel-2.6.22.3-7-bigsmp, SuSE 10.3 Beta2)
From: Jozsef Kadlecsik @ 2007-09-05 9:49 UTC (permalink / raw)
To: Hung Lin; +Cc: netfilter-devel
Hi,
On Tue, 4 Sep 2007, Hung Lin wrote:
> I compiled and installed ipset-2.3.0, I found the iphash worked fine but
> ipporthash acted weird. Here's the scenario:
>
> suse10-3:~ # ipset -N set1 ipporthash --network 10.1.0.0/16
> suse10-3:~ # ipset -A set1 10.1.5.28:7
> suse10-3:~ # iptables -nvL
> Chain INPUT (policy ACCEPT 5590 packets, 418K bytes)
> pkts bytes target prot opt in out source destination
>
> Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
> pkts bytes target prot opt in out source destination
>
> Chain OUTPUT (policy ACCEPT 4143 packets, 798K bytes)
> pkts bytes target prot opt in out source destination
>
> suse10-3:~ # iptables -I INPUT -m set --set set1 src,dst -j DROP
>
> After I insert the iptables rule, I cannot ssh to that machine but I can
> ping it (I tried from different IPs: 172.16.1.121, 10.1.5.27, and
> 10.1.5.28). It's not the correct behavior. I suppose the commands I
> ran should block the packet from 10.1.5.28 to the port 7. But it seems
> to block every IP to the port 22.
I'm unable to reproduce it. The set and rules just work as expected.
Please try to use
iptables -I INPUT -m set --set set1 src,dst -j LOG
instead and check your logs.
Best regards,
Jozsef
-
E-mail : kadlec@blackhole.kfki.hu, kadlec@sunserv.kfki.hu
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : KFKI Research Institute for Particle and Nuclear Physics
H-1525 Budapest 114, POB. 49, Hungary
* Re: ipporthash doesn't work ( ipset-2.3.0, iptables-1.3.8-15, kernel-2.6.22.3-7-bigsmp, SuSE 10.3 Beta2)
From: Jozsef Kadlecsik @ 2007-09-05 10:27 UTC (permalink / raw)
To: Hung Lin; +Cc: netfilter-devel
On Wed, 5 Sep 2007, Jozsef Kadlecsik wrote:
>> After I insert the iptables rule, I cannot ssh to that machine but I can
>> ping it (I tried from different IPs: 172.16.1.121, 10.1.5.27, and
>> 10.1.5.28). It's not the correct behavior. I suppose the commands I ran
>> should block the packet from 10.1.5.28 to the port 7. But it seems to
>> block every IP to the port 22.
>
> I'm unable to reproduce it. The set and rules just work as expected.
Ouch! Out of range condition wrongly interpreted as 'yes' instead of 'no'.
The fix is already in the svn repository, the updated patch-o-matic
snapshot will be out at the ipset site in the afternoon.
Thank you for spotting this nasty bug.
Best regards,
Jozsef
-
E-mail : kadlec@blackhole.kfki.hu, kadlec@sunserv.kfki.hu
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : KFKI Research Institute for Particle and Nuclear Physics
H-1525 Budapest 114, POB. 49, Hungary
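The defect Jozsef describes, an out-of-range lookup answered 'yes' instead of 'no', is easy to model. The following is an added example, not ipset's kernel code: a constructed ipporthash-like set with the thread's header (--network 10.1.0.0/16) and member (10.1.5.28:7), a buggy and a fixed membership test, and the decision taken by the `-m set --set set1 src,dst -j DROP` rule for a source address and destination port. The assumption that protocols without ports (anything but TCP/UDP) never match is the example's own; it is consistent with ping still getting through in the report. The model does not attempt to reproduce the real hash internals, only the inverted range check.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Constructed model of an ipporthash set: a range header plus a small
 * member table. Example code, not the ipset kernel module. */
#define MAX_MEMBERS 16
#define PROTO_ICMP 1
#define PROTO_TCP  6
#define PROTO_UDP  17

struct ipport_set {
    uint32_t first_ip, last_ip;      /* inclusive range from the set header */
    uint64_t members[MAX_MEMBERS];   /* packed (ip << 16) | port */
    int count;
};

static uint32_t ip4(unsigned a, unsigned b, unsigned c, unsigned d)
{
    return (a << 24) | (b << 16) | (c << 8) | d;
}

static uint64_t pack(uint32_t ip, uint16_t port)
{
    return ((uint64_t)ip << 16) | port;
}

/* ipset -N set1 ipporthash --network 10.1.0.0/16 */
static void set_init_slash16(struct ipport_set *s, uint32_t net)
{
    s->first_ip = net & 0xffff0000u;
    s->last_ip  = s->first_ip | 0x0000ffffu;
    s->count = 0;
}

/* ipset -A set1 IP:PORT; addresses outside the range are refused */
static int set_add(struct ipport_set *s, uint32_t ip, uint16_t port)
{
    if (ip < s->first_ip || ip > s->last_ip || s->count >= MAX_MEMBERS)
        return -1;
    s->members[s->count++] = pack(ip, port);
    return 0;
}

static bool member_lookup(const struct ipport_set *s, uint32_t ip, uint16_t port)
{
    uint64_t key = pack(ip, port);
    for (int i = 0; i < s->count; i++)
        if (s->members[i] == key)
            return true;
    return false;
}

/* Buggy test, modelling the reported defect: an address outside the
 * set's range is answered 'match' instead of 'no match'. */
static bool test_buggy(const struct ipport_set *s, uint32_t ip, uint16_t port)
{
    if (ip < s->first_ip || ip > s->last_ip)
        return true;                 /* BUG: out of range must be 'no' */
    return member_lookup(s, ip, port);
}

/* Fixed test: an address outside the range can never be a member. */
static bool test_fixed(const struct ipport_set *s, uint32_t ip, uint16_t port)
{
    if (ip < s->first_ip || ip > s->last_ip)
        return false;
    return member_lookup(s, ip, port);
}

typedef bool (*set_test_fn)(const struct ipport_set *, uint32_t, uint16_t);

/* Decision for "iptables -I INPUT -m set --set set1 src,dst -j DROP":
 * source address and destination port are looked up; a match drops the
 * packet. Assumed here: protocols without ports never match. */
static bool input_drops(const struct ipport_set *s, set_test_fn test,
                        uint8_t proto, uint32_t src, uint16_t dport)
{
    if (proto != PROTO_TCP && proto != PROTO_UDP)
        return false;
    return test(s, src, dport);
}

/* Thread scenario: set1 = 10.1.0.0/16 with member 10.1.5.28:7. */
static bool scenario_drops(set_test_fn test, uint8_t proto, uint32_t src, uint16_t dport)
{
    struct ipport_set set1;
    set_init_slash16(&set1, ip4(10, 1, 0, 0));
    set_add(&set1, ip4(10, 1, 5, 28), 7);
    return input_drops(&set1, test, proto, src, dport);
}

int main(void)
{
    uint32_t outside = ip4(172, 16, 1, 121);
    printf("ssh  from 172.16.1.121, buggy: %s\n",
           scenario_drops(test_buggy, PROTO_TCP, outside, 22) ? "DROP" : "ACCEPT");
    printf("ssh  from 172.16.1.121, fixed: %s\n",
           scenario_drops(test_fixed, PROTO_TCP, outside, 22) ? "DROP" : "ACCEPT");
    printf("ping from 172.16.1.121, buggy: %s\n",
           scenario_drops(test_buggy, PROTO_ICMP, outside, 0) ? "DROP" : "ACCEPT");
    return 0;
}
```

With the inverted check, every TCP connection from a source outside 10.1.0.0/16 is dropped whatever the port, which is exactly what the `-j LOG` variant Jozsef suggested would have shown in the logs; with the fix, only 10.1.5.28 to port 7 matches.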