From: Mr Dash Four <mr.dash.four@googlemail.com>
To: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Cc: netfilter@vger.kernel.org
Subject: Re: ipset 6.6 bug: subnet (mis)matching
Date: Wed, 08 Jun 2011 11:07:58 +0100 [thread overview]
Message-ID: <4DEF49FE.4080708@googlemail.com> (raw)
In-Reply-To: <alpine.DEB.2.00.1106080859230.31443@blackhole.kfki.hu>
>> [root@test1 ~]# ipset n test hash:net family inet timeout 0
>> [root@test1 ~]# ipset a test 10.16.0.0-10.16.255.255
>> [root@test1 ~]# ipset l test
>> Name: test
>> Type: hash:net
>> Header: family inet hashsize 1024 maxelem 65536 timeout 0
>> Size in memory: 16832
>> References: 0
>> Members:
>> 10.16.0.0/16 timeout 0
>> [root@test1 ~]# ipset t test 10.16.224.0/24
>> 10.16.224.0/24 is NOT in set test.
>> [root@test1 ~]# ipset t test 10.16.224.1
>> 10.16.224.1 is in set test.
>>
>> That is plainly wrong!
>>
>
> No, that's a feature: it makes possible to check from userspace how the
> kernel would match an IP address in the set.
You can't be serious! How could this be a "feature"?! It is a bug, clearly!
The /24 subnet (10.16.224.0-10.16.224.255) clearly covers the single IP
address (10.16.224.1) and the test should be positive in both cases, as
the /16 member of the set (10.16.0.0-10.16.255.255) covers both the
single IP address as well as the /24subnet range tested. Apparently,
that seems not to be the case. How am I suppose to test subnet ranges then?
I presume if I have 10.16.224.0/24 as a member and do a test with
10.16.0.0/16 that would also return a negative match, isn't that the case?
> Maybe it's badly worded in
> the manpage: "When testing entries, if a host address is tested, then the
> kernel tries to match the host address in the networks added to the set
> and reports the result accordingly."
>
That's all well and good for hosts, but ip ranges should either be
tested properly or testing of those should be disabled altogether
(which, if introduced, would be a severe restriction for me - I am not
going to run a couple of thousand "ipset t" tests just to see that all
of the single IP addresses in the range I am interested in match - that
simply isn't going to happen!).
next prev parent reply other threads:[~2011-06-08 10:07 UTC|newest]
Thread overview: 10+ messages / expand[flat|nested] mbox.gz Atom feed top
2011-05-24 8:48 [ANNOUNCE] ipset 6.6 released Jozsef Kadlecsik
2011-05-24 11:09 ` Mr Dash Four
2011-05-24 11:44 ` Jozsef Kadlecsik
2011-06-08 1:17 ` ipset 6.6 bug: subnet (mis)matching Mr Dash Four
2011-06-08 7:07 ` Jozsef Kadlecsik
2011-06-08 10:07 ` Mr Dash Four [this message]
2011-06-08 10:46 ` Jozsef Kadlecsik
2011-06-08 11:21 ` Mr Dash Four
2011-06-08 11:43 ` Jozsef Kadlecsik
2011-06-08 12:12 ` Mr Dash Four
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=4DEF49FE.4080708@googlemail.com \
--to=mr.dash.four@googlemail.com \
--cc=kadlec@blackhole.kfki.hu \
--cc=netfilter@vger.kernel.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox