From: Mr Dash Four <mr.dash.four@googlemail.com>
To: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Cc: netfilter@vger.kernel.org
Subject: Re: ipporthash, ipportiphash, ipportnethash problems
Date: Fri, 01 Oct 2010 12:22:54 +0100
Message-ID: <4CA5C48E.9010603@googlemail.com>
In-Reply-To: <alpine.DEB.2.00.1010010913200.11563@blackhole.kfki.hu>
> You should provide at least the following: kernel, iptables, ipset version
> numbers, the iptables rules and the (non)matching sets with the elements.
> Without exact details I cannot help.
>
kernel-2.6.34.7-56.fc13.x86_64
iptables-1.4.7-2.fc13.x86_64
ipset 4.3
xtables-addons 1.29
For the purpose of this small test, I am initiating a connection from
the local machine (10.1.2.7, network 10.1.2.0/24) to my other machine
(10.1.1.3, network 10.1.1.0/24) over ssh (port 22) and ask iptables to
match that and log it to the syslog.
1. IP,port hash (non)match (trying to match source IP 10.1.2.7 with
destination port 22)
ipset -N double-set ipporthash --network 10.1.2.0/24
ipset -A double-set 10.1.2.7,22
ipset -L double-set
==================
Name: double-set
Type: ipporthash
References: 0
Header: from: 10.1.2.0 to: 10.1.2.255 hashsize: 1024 probes: 8 resize: 50
Members:
10.1.2.7,22
==================
iptables -A fw2net -p 6 -m set --match-set double-set src,dst -d 10.1.1.3 -g log0
==================
Chain fw2net (1 references)
 pkts bytes target    prot opt in  out source     destination
    0     0 blackout  all  --  *   *   0.0.0.0/0  0.0.0.0/0   ctstate INVALID,NEW
    0     0 ACCEPT    all  --  *   *   0.0.0.0/0  0.0.0.0/0   ctstate RELATED,ESTABLISHED
    0     0 log0      tcp  --  *   *   0.0.0.0/0  10.1.1.3    [goto] match-set double-set src,dst
    0     0 ACCEPT    all  --  *   *   0.0.0.0/0  0.0.0.0/0
==================
After initiating a connection to 10.1.1.3:22 (check for matches):
==================
Chain fw2net (1 references)
 pkts bytes target    prot opt in  out source     destination
    7   520 blackout  all  --  *   *   0.0.0.0/0  0.0.0.0/0   ctstate INVALID,NEW
   11  1473 ACCEPT    all  --  *   *   0.0.0.0/0  0.0.0.0/0   ctstate RELATED,ESTABLISHED
    0     0 log0      tcp  --  *   *   0.0.0.0/0  10.1.1.3    [goto] match-set double-set src,dst
    7   520 ACCEPT    all  --  *   *   0.0.0.0/0  0.0.0.0/0
==================
As you can see - there are NO matches!
2. IP,port,IP hash (non)match (trying to match source IP 10.1.2.7 with
destination port 22 and destination IP 10.1.1.3)
ipset -N tripple-set ipportiphash --network 10.1.2.0/24
ipset -A tripple-set 10.1.2.7,22,10.1.1.3
ipset -L tripple-set
==================
Name: tripple-set
Type: ipportiphash
References: 0
Header: from: 10.1.2.0 to: 10.1.2.255 hashsize: 1024 probes: 8 resize: 50
Members:
10.1.2.7,22,10.1.1.3
==================
iptables -A fw2net -p 6 -m set --match-set tripple-set src,dst,dst -g log0
==================
Chain fw2net (1 references)
 pkts bytes target    prot opt in  out source     destination
    0     0 blackout  all  --  *   *   0.0.0.0/0  0.0.0.0/0   ctstate INVALID,NEW
    0     0 ACCEPT    all  --  *   *   0.0.0.0/0  0.0.0.0/0   ctstate RELATED,ESTABLISHED
    0     0 log0      tcp  --  *   *   0.0.0.0/0  0.0.0.0/0   [goto] match-set tripple-set src,dst,dst
    0     0 ACCEPT    all  --  *   *   0.0.0.0/0  0.0.0.0/0
==================
After initiating a connection to 10.1.1.3:22 (check for matches):
==================
Chain fw2net (1 references)
 pkts bytes target    prot opt in  out source     destination
    6   412 blackout  all  --  *   *   0.0.0.0/0  0.0.0.0/0   ctstate INVALID,NEW
   10  1397 ACCEPT    all  --  *   *   0.0.0.0/0  0.0.0.0/0   ctstate RELATED,ESTABLISHED
    0     0 log0      tcp  --  *   *   0.0.0.0/0  0.0.0.0/0   [goto] match-set tripple-set src,dst,dst
    6   412 ACCEPT    all  --  *   *   0.0.0.0/0  0.0.0.0/0
==================
As you can see - there are NO matches!
3. IP,port,IP/cidr (non)match (trying to match source IP 10.1.2.7 with
destination port 22 and destination subnet 10.1.1.0/24)
ipset -N tripple-set ipportnethash --network 10.1.2.0/24
ipset -A tripple-set 10.1.2.7,22,10.1.1.0/24
ipset -L tripple-set
==================
Name: tripple-set
Type: ipportnethash
References: 0
Header: from: 10.1.2.0 to: 10.1.2.255 hashsize: 1024 probes: 8 resize: 50
Members:
10.1.2.7,22,10.1.1.0/24
==================
iptables -A fw2net -p 6 -m set --match-set tripple-set src,dst,dst -g log0
==================
Chain fw2net (1 references)
 pkts bytes target    prot opt in  out source     destination
    0     0 blackout  all  --  *   *   0.0.0.0/0  0.0.0.0/0   ctstate INVALID,NEW
    0     0 ACCEPT    all  --  *   *   0.0.0.0/0  0.0.0.0/0   ctstate RELATED,ESTABLISHED
    0     0 log0      tcp  --  *   *   0.0.0.0/0  0.0.0.0/0   [goto] match-set tripple-set src,dst,dst
    0     0 ACCEPT    all  --  *   *   0.0.0.0/0  0.0.0.0/0
==================
After initiating a connection to 10.1.1.3:22 (check for matches):
==================
Chain fw2net (1 references)
 pkts bytes target    prot opt in  out source     destination
    6   412 blackout  all  --  *   *   0.0.0.0/0  0.0.0.0/0   ctstate INVALID,NEW
   11  1473 ACCEPT    all  --  *   *   0.0.0.0/0  0.0.0.0/0   ctstate RELATED,ESTABLISHED
    0     0 log0      tcp  --  *   *   0.0.0.0/0  0.0.0.0/0   [goto] match-set tripple-set src,dst,dst
    6   412 ACCEPT    all  --  *   *   0.0.0.0/0  0.0.0.0/0
==================
As you can see - there are NO matches!
So, in all three scenarios above there are NO matches! As I already
indicated - 1) I assume when I reverse the src and dst combinations in
all three scenarios above the result would be the same; and 2) When I
split up the above sets in the way I already indicated in my initial
post on this thread I am getting the correct matches, which leads me to
believe that either xtables has a bug and can't handle mixed src,dst
designations in the same set, or, I am doing something wrong. Which is it?
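Added example, not ipset's or the poster's code: a small Python model of how the three set types and the --match-set flag list are expected to evaluate a packet, so each rule above can be compared against a predicted outcome. It assumes ipset 4.x semantics (the first IP component of a member and of a packet must fall inside the set's --network range, and the src/dst flags select packet fields positionally); the addresses, ports and set contents are the ones from the mail, the packets are constructed.

```python
import ipaddress
from collections import namedtuple

Packet = namedtuple("Packet", "src dst sport dport")   # only the fields the match needs

class ModelSet:
    """Model of an ipset 4.x ipporthash/ipportiphash/ipportnethash set (not ipset's code)."""
    def __init__(self, settype, network):
        self.settype = settype
        self.network = ipaddress.ip_network(network)   # --network: the "from ... to ..." range
        self.members = set()
    def add(self, member):
        parts = member.split(",")
        ip, port = ipaddress.ip_address(parts[0]), int(parts[1])
        if ip not in self.network:                     # assumption: first IP must lie in the range
            raise ValueError(f"{ip} is outside the set range {self.network}")
        if self.settype == "ipporthash":
            self.members.add((ip, port))
        elif self.settype == "ipportiphash":
            self.members.add((ip, port, ipaddress.ip_address(parts[2])))
        else:                                          # ipportnethash: third element is a network
            self.members.add((ip, port, ipaddress.ip_network(parts[2], strict=False)))

    def match(self, pkt, flags):
        """flags is the --match-set direction list (e.g. "src,dst,dst"), applied positionally."""
        dirs = flags.split(",")
        pick = lambda d: ipaddress.ip_address(pkt.src if d == "src" else pkt.dst)
        ip = pick(dirs[0])
        if ip not in self.network:                     # outside the range: can never match
            return False
        port = pkt.sport if dirs[1] == "src" else pkt.dport
        if self.settype == "ipporthash":
            return (ip, port) in self.members
        ip2 = pick(dirs[2])
        if self.settype == "ipportiphash":
            return (ip, port, ip2) in self.members
        return any(m[0] == ip and m[1] == port and ip2 in m[2] for m in self.members)

def expected_matches():
    """What the model predicts for the three scenarios in the mail, plus the reply direction."""
    ssh = Packet("10.1.2.7", "10.1.1.3", 40000, 22)    # constructed: 10.1.2.7 -> 10.1.1.3:22
    reply = Packet("10.1.1.3", "10.1.2.7", 22, 40000)  # constructed: the reply packet
    double = ModelSet("ipporthash", "10.1.2.0/24");      double.add("10.1.2.7,22")
    tripple_ip = ModelSet("ipportiphash", "10.1.2.0/24"); tripple_ip.add("10.1.2.7,22,10.1.1.3")
    tripple_net = ModelSet("ipportnethash", "10.1.2.0/24"); tripple_net.add("10.1.2.7,22,10.1.1.0/24")
    return {"double src,dst": double.match(ssh, "src,dst"),
            "tripple-ip src,dst,dst": tripple_ip.match(ssh, "src,dst,dst"),
            "tripple-net src,dst,dst": tripple_net.match(ssh, "src,dst,dst"),
            "reply src,dst": double.match(reply, "src,dst"),   # 10.1.1.3 lies outside the range
            "reply dst,src": double.match(reply, "dst,src")}   # swapped flags fit the reply
```

Under these assumptions all three scenarios should match the outgoing SSH packet, and the reply direction only matches when the flag list is swapped to dst,src; comparing such a prediction with the live rule counters is the quickest way to separate a set-definition mistake from a module bug.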