* ipset hash:ip,port not matching
From: Michael Ludvig @ 2013-06-25 6:22 UTC (permalink / raw)
To: netfilter
Hi
I'm struggling with ipset 6.11 on CentOS 6.4 (default package) where I
can't make it match on hash:ip,port sets.
My simple testcase is (on 172.31.170.102):
~ # ipset restore << _EOF_
create test-ipport hash:ip,port family inet hashsize 1024 maxelem 65536
add test-ipport 172.31.170.102,tcp:12345
add test-ipport 172.31.170.1,tcp:12345
_EOF_
~ # iptables -F
~ # iptables -I INPUT -m set --match-set test-ipport dst -j LOG
--log-prefix "IPSET(test-ipport,dst): "
~ # iptables -I INPUT -m set --match-set test-ipport src -j LOG
--log-prefix "IPSET(test-ipport,src): "
Then from my client 172.31.170.1 I run netcat:
~ # nc -p 12345 172.31.170.102 12345
On the target I can see the packets:
16:55:40.945624 IP 172.31.170.1.12345 > 172.31.170.102.12345: Flags [S],
seq 471135462, win 14600, options [mss 1460,sackOK,TS val 631328194 ecr
0,nop,wscale 7], length 0
16:55:40.945684 IP 172.31.170.102.12345 > 172.31.170.1.12345: Flags
[R.], seq 0, ack 471135463, win 0, length 0
But nothing is logged. Even if I change it to DROP or any other target the
match still seems to be ignored.
With hash:ip it works but as soon as I use one of the port-hashes it fails.
What am I doing wrong?
Thanks
Michael
* Re: ipset hash:ip,port not matching
From: Michael Ludvig @ 2013-06-25 6:33 UTC (permalink / raw)
To: netfilter
On 25/06/13 18:22, Michael Ludvig wrote:
> Hi
>
> I'm struggling with ipset 6.11 on CentOS 6.4 (default package) where I
> can't make it match on hash:ip,port sets.
I managed to update ipset and iptables to the current git version but I'm
still having the same problem. I'm sure I'm doing something wrong or
misunderstanding how to use ipset...?
Michael
> My simple testcase is (on 172.31.170.102):
>
> ~ # ipset restore << _EOF_
> create test-ipport hash:ip,port family inet hashsize 1024 maxelem 65536
> add test-ipport 172.31.170.102,tcp:12345
> add test-ipport 172.31.170.1,tcp:12345
> _EOF_
>
> ~ # iptables -F
> ~ # iptables -I INPUT -m set --match-set test-ipport dst -j LOG
> --log-prefix "IPSET(test-ipport,dst): "
> ~ # iptables -I INPUT -m set --match-set test-ipport src -j LOG
> --log-prefix "IPSET(test-ipport,src): "
>
> Then from my client 172.31.170.1 I run netcat:
> ~ # nc -p 12345 172.31.170.102 12345
>
> On the target I can see the packets:
>
> 16:55:40.945624 IP 172.31.170.1.12345 > 172.31.170.102.12345: Flags [S],
> seq 471135462, win 14600, options [mss 1460,sackOK,TS val 631328194 ecr
> 0,nop,wscale 7], length 0
> 16:55:40.945684 IP 172.31.170.102.12345 > 172.31.170.1.12345: Flags
> [R.], seq 0, ack 471135463, win 0, length 0
>
> But nothing is logged. Even if I change it to DROP any other target the
> match still seems to be ignored.
>
> With hash:ip it works but as soon as I use one of the port-hashes it fails.
>
> What am I doing wrong?
>
> Thanks
>
> Michael
* Re: ipset hash:ip,port not matching
From: Jozsef Kadlecsik @ 2013-06-25 7:40 UTC (permalink / raw)
To: Michael Ludvig; +Cc: netfilter
On Tue, 25 Jun 2013, Michael Ludvig wrote:
> I'm struggling with ipset 6.11 on CentOS 6.4 (default package) where I
> can't make it match on hash:ip,port sets.
>
> My simple testcase is (on 172.31.170.102):
>
> ~ # ipset restore << _EOF_
> create test-ipport hash:ip,port family inet hashsize 1024 maxelem 65536
> add test-ipport 172.31.170.102,tcp:12345
> add test-ipport 172.31.170.1,tcp:12345
> _EOF_
>
> ~ # iptables -F
> ~ # iptables -I INPUT -m set --match-set test-ipport dst -j LOG
> --log-prefix "IPSET(test-ipport,dst): "
> ~ # iptables -I INPUT -m set --match-set test-ipport src -j LOG
> --log-prefix "IPSET(test-ipport,src): "
In the rules above you specified a single direction flag for a two
dimensional set, thus the matching returned "false". If in the first rule
the port is the destination, then it should be:
iptables -I INPUT -m set --match-set test-ipport dst,dst -j LOG ...
> Then from my client 172.31.170.1 I run netcat:
> ~ # nc -p 12345 172.31.170.102 12345
>
> On the target I can see the packets:
>
> 16:55:40.945624 IP 172.31.170.1.12345 > 172.31.170.102.12345: Flags [S],
> seq 471135462, win 14600, options [mss 1460,sackOK,TS val 631328194 ecr
> 0,nop,wscale 7], length 0
> 16:55:40.945684 IP 172.31.170.102.12345 > 172.31.170.1.12345: Flags
> [R.], seq 0, ack 471135463, win 0, length 0
>
> But nothing is logged. Even if I change it to DROP any other target the
> match still seems to be ignored.
>
> With hash:ip it works but as soon as I use one of the port-hashes it fails.
>
> What am I doing wrong?
Best regards,
Jozsef
-
E-mail : kadlec@blackhole.kfki.hu, kadlecsik.jozsef@wigner.mta.hu
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : Wigner Research Centre for Physics, Hungarian Academy of Sciences
H-1525 Budapest 114, POB. 49, Hungary
* Re: ipset hash:ip,port not matching
From: Michael Ludvig @ 2013-06-25 9:05 UTC (permalink / raw)
To: Jozsef Kadlecsik; +Cc: netfilter
On 25/06/13 19:40, Jozsef Kadlecsik wrote:
> On Tue, 25 Jun 2013, Michael Ludvig wrote:
>
>> ~ # iptables -I INPUT -m set --match-set test-ipport dst -j LOG
>> --log-prefix "IPSET(test-ipport,dst): "
>> ~ # iptables -I INPUT -m set --match-set test-ipport src -j LOG
>> --log-prefix "IPSET(test-ipport,src): "
> In the rules above you specified a single direction flag for a two
> dimensional set, thus the matching returned "false". If in the first rule
> the port is the destination, then it should be:
>
> iptables -I INPUT -m set --match-set test-ipport dst,dst -j LOG ...
Thanks! I didn't know I'm supposed to specify the direction for each
dimension of the set. That actually makes it quite flexible.
Is it possible to make iptables fail when there are not enough src's and
dst's in the command? To let users know there's something wrong.
Cheers
Michael
* Re: ipset hash:ip,port not matching
From: Jozsef Kadlecsik @ 2013-06-25 9:30 UTC (permalink / raw)
To: Michael Ludvig; +Cc: netfilter
On Tue, 25 Jun 2013, Michael Ludvig wrote:
> On 25/06/13 19:40, Jozsef Kadlecsik wrote:
> > On Tue, 25 Jun 2013, Michael Ludvig wrote:
> >
> >> ~ # iptables -I INPUT -m set --match-set test-ipport dst -j LOG
> >> --log-prefix "IPSET(test-ipport,dst): "
> >> ~ # iptables -I INPUT -m set --match-set test-ipport src -j LOG
> >> --log-prefix "IPSET(test-ipport,src): "
> > In the rules above you specified a single direction flag for a two
> > dimensional set, thus the matching returned "false". If in the first rule
> > the port is the destination, then it should be:
> >
> > iptables -I INPUT -m set --match-set test-ipport dst,dst -j LOG ...
>
> Thanks! I didn't know I'm supposed to specify the direction for each
> dimension of the set. That actually makes it quite flexible.
>
> Is it possible to make iptables fail when there are not enough src's and
> dst's in the command? To let users know there's something wrong.
The set match and target check the existence of the set only, and don't
verify the dimension of the set and the number of the direction flags.
This is due to the list set type: in that case the direction flags are
passed to the members, which may change runtime anytime.
The match and target could verify the directions for other set types,
though. It'd need a protocol change because the required information is
not passed in either direction at checking time.
Best regards,
Jozsef
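As an added example (not code from the thread or from the ipset project), here is a small POSIX sh pre-flight check that does in user space what Jozsef's last reply says the kernel match cannot do: it compares the set's dimension (hash:ip,port has two) with the number of src/dst flags before the rule is installed, which is the failure Michael hit with a lone "dst" and the check he asks for in his follow-up. The helper names, the use of `ipset list -t` to read the live type, and the example set name are my assumptions.

```shell
#!/bin/sh
# Added example: refuse to install an "-m set --match-set" rule whose number
# of direction flags does not match the set's dimension. The kernel match
# only checks that the set exists, so "hash:ip,port" matched with a lone
# "dst" silently never matches.

# Dimension of an ipset type string: hash:ip -> 1, hash:ip,port -> 2,
# hash:net,port,net -> 3. Prints 0 for list:set, whose flags are handed on
# to the member sets at runtime and so cannot be checked statically.
set_dimension() {
    case "$1" in
        list:set) echo 0 ;;
        *:*)
            n=0; old_ifs=$IFS; IFS=,
            for part in ${1#*:}; do n=$((n + 1)); done
            IFS=$old_ifs; echo "$n" ;;
        *) echo 0 ;;
    esac
}

# check_flags TYPE FLAGS: 0 when FLAGS has exactly one src/dst per dimension
# (or TYPE is list:set), 1 on a count mismatch, 2 on an unknown flag word.
check_flags() {
    dim=$(set_dimension "$1")
    n=0; old_ifs=$IFS; IFS=,
    for f in $2; do
        case "$f" in
            src|dst) n=$((n + 1)) ;;
            *) IFS=$old_ifs; return 2 ;;
        esac
    done
    IFS=$old_ifs
    [ "$dim" -eq 0 ] || [ "$n" -eq "$dim" ]
}

# safe_set_rule SETNAME FLAGS [iptables args...]: read the live set type with
# "ipset list -t" (header only) and insert the INPUT rule only if the flags
# fit. Needs root; the test below exercises only the pure helpers above.
safe_set_rule() {
    name=$1; flags=$2; shift 2
    type=$(ipset list -t "$name" 2>/dev/null | awk '/^Type:/ { print $2 }')
    [ -n "$type" ] || { echo "no such set: $name" >&2; return 1; }
    if ! check_flags "$type" "$flags"; then
        echo "refusing: set $name is $type but flags are '$flags'" >&2
        return 1
    fi
    iptables -I INPUT -m set --match-set "$name" "$flags" "$@"
}
# usage: safe_set_rule test-ipport dst,dst -j LOG --log-prefix "IPSET: "
```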