Linux Netfilter discussions
* [iptables/ipset] Bug? -m set --match-set myset src --packets-gt 2 -j ...
@ 2023-10-16 19:22 U.Mutlu
  2023-10-16 19:54 ` Jozsef Kadlecsik
  0 siblings, 1 reply; 4+ messages in thread
From: U.Mutlu @ 2023-10-16 19:22 UTC (permalink / raw)
  To: netfilter

Hi,
could a kind soul please check why the ipset "match-set" rule below isn't working.

It jumps to the chain MY2 only if "--packets-gt 0" or
"--packets-gt 1" is used, but not for any higher values! :-)

I'm new to ipset, but this very much looks like a bug in iptables or ipset, IMHO.


firewall.sh :
-------------
#...
ipset destroy blacklist
ipset create blacklist hash:ip hashsize 4096 timeout 300 counters
ipset destroy bl2
ipset create bl2 hash:ip hashsize 4096 timeout 600 counters
#...
iptables -N MY2
#...
iptables -A MY2 -j RETURN
#...
iptables -A INPUT -j SET --exist --add-set blacklist src
iptables -A INPUT -m set --match-set blacklist src --packets-gt 2 -j MY2
#...


Thx


OS is stock Debian 11 ("bullseye"):

# iptables --version
iptables v1.8.7 (nf_tables)

# ipset --version
ipset v7.10, protocol version: 7

# uname -a
Linux p21 6.1.0-0.deb11.11-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.38-4~bpo11+1 (2023-08-08) x86_64 GNU/Linux

# cat /etc/os-release
PRETTY_NAME="Debian GNU/Linux 11 (bullseye)"
NAME="Debian GNU/Linux"
VERSION_ID="11"
VERSION="11 (bullseye)"
...


* Re: [iptables/ipset] Bug? -m set --match-set myset src --packets-gt 2 -j ...
  2023-10-16 19:22 [iptables/ipset] Bug? -m set --match-set myset src --packets-gt 2 -j U.Mutlu
@ 2023-10-16 19:54 ` Jozsef Kadlecsik
  2023-10-16 23:30   ` U.Mutlu
  0 siblings, 1 reply; 4+ messages in thread
From: Jozsef Kadlecsik @ 2023-10-16 19:54 UTC (permalink / raw)
  To: U.Mutlu; +Cc: netfilter

Hi,

On Mon, 16 Oct 2023, U.Mutlu wrote:

> could a kind soul please check why the ipset "match-set" rule below isn't
> working.
> 
> It jumps to the chain MY2 only if "--packets-gt 0" or
> "--packets-gt 1" is used, but not for any higher values! :-)
> 
> I'm new to ipset, but this very much looks like a bug in iptables or ipset,
> IMHO.
> 
> 
> firewall.sh :
> -------------
> #...
> ipset destroy blacklist
> ipset create blacklist hash:ip hashsize 4096 timeout 300 counters
> ipset destroy bl2
> ipset create bl2 hash:ip hashsize 4096 timeout 600 counters
> #...
> iptables -N MY2
> #...
> iptables -A MY2 -j RETURN
> #...
> iptables -A INPUT -j SET --exist --add-set blacklist src
> iptables -A INPUT -m set --match-set blacklist src --packets-gt 2 -j MY2

Reverse the order of the rules above. With the first one you continuously 
(re)add the elements to the set with packet number 1.

Best regards,
Jozsef

> OS is stock Debian 11 ("bullseye"):
> 
> # iptables --version
> iptables v1.8.7 (nf_tables)
> 
> # ipset --version
> ipset v7.10, protocol version: 7
> 
> # uname -a
> Linux p21 6.1.0-0.deb11.11-amd64 #1 SMP PREEMPT_DYNAMIC Debian 6.1.38-4~bpo11+1 (2023-08-08) x86_64 GNU/Linux
> 
> # cat /etc/os-release
> PRETTY_NAME="Debian GNU/Linux 11 (bullseye)"
> NAME="Debian GNU/Linux"
> VERSION_ID="11"
> VERSION="11 (bullseye)"
> ...
> 

-- 
E-mail  : kadlec@blackhole.kfki.hu, kadlecsik.jozsef@wigner.hu
PGP key : https://wigner.hu/~kadlec/pgp_public_key.txt
Address : Wigner Research Centre for Physics
          H-1525 Budapest 114, POB. 49, Hungary


* Re: [iptables/ipset] Bug? -m set --match-set myset src --packets-gt 2 -j ...
  2023-10-16 19:54 ` Jozsef Kadlecsik
@ 2023-10-16 23:30   ` U.Mutlu
  2023-10-17  0:43     ` U.Mutlu
  0 siblings, 1 reply; 4+ messages in thread
From: U.Mutlu @ 2023-10-16 23:30 UTC (permalink / raw)
  To: Jozsef Kadlecsik; +Cc: netfilter

Jozsef, thanks. I modified it slightly, but it still doesn't work.
Can you please inspect why this is not calling the MY_MISC chain?
The adding via the MY_ADD chain works fine, but the subsequent MY_MISC isn't
getting called.

firewall.sh :
-------------
#...
ipset destroy blacklist
ipset create blacklist hash:ip hashsize 4096 timeout 300 counters

iptables -N MY_ADD
iptables -A MY_ADD -j SET --exist --add-set blacklist src
iptables -A MY_ADD -j RETURN

iptables -N MY_MISC
#...
iptables -A MY_MISC -j RETURN

#...
iptables -A INPUT -m set ! --match-set blacklist src -j MY_ADD
iptables -A INPUT -m set   --match-set blacklist src --packets-gt 2 -j MY_MISC
#...



Jozsef Kadlecsik wrote on 10/16/23 21:54:
> On Mon, 16 Oct 2023, U.Mutlu wrote:
>
>> could a kind soul please check why the ipset "match-set" rule below isn't
>> working.
>>
>> It jumps to the chain MY2 only if "--packets-gt 0" or
>> "--packets-gt 1" is used, but not for any higher values! :-)
>>
>> I'm new to ipset, but this very much looks like a bug in iptables or ipset,
>> IMHO.
>>
>>
>> firewall.sh :
>> -------------
>> #...
>> ipset destroy blacklist
>> ipset create blacklist hash:ip hashsize 4096 timeout 300 counters
>> #...
>> iptables -N MY2
>> #...
>> iptables -A MY2 -j RETURN
>> #...
>> iptables -A INPUT -j SET --exist --add-set blacklist src
>> iptables -A INPUT -m set --match-set blacklist src --packets-gt 2 -j MY2
>
> Reverse the order of the rules above. With the first one you continuously
> (re)add the elements to the set with packet number 1.



* Re: [iptables/ipset] Bug? -m set --match-set myset src --packets-gt 2 -j ...
  2023-10-16 23:30   ` U.Mutlu
@ 2023-10-17  0:43     ` U.Mutlu
  0 siblings, 0 replies; 4+ messages in thread
From: U.Mutlu @ 2023-10-17  0:43 UTC (permalink / raw)
  To: Jozsef Kadlecsik; +Cc: netfilter

Problem solved!
The following command has to come at the bottom, not at the top:
   iptables -A INPUT -m set --match-set blacklist src -j REJECT


U.Mutlu wrote on 10/17/23 01:30:
> Jozsef, thanks. I modified it slightly, but it still doesn't work.
> Can you please inspect why this is not calling the MY_MISC chain?
> The adding via the MY_ADD chain works fine, but the subsequent MY_MISC isn't
> getting called.
>
> firewall.sh :
> -------------
> #...
> ipset destroy blacklist
> ipset create blacklist hash:ip hashsize 4096 timeout 300 counters
>
> iptables -N MY_ADD
> iptables -A MY_ADD -j SET --exist --add-set blacklist src
> iptables -A MY_ADD -j RETURN
>
> iptables -N MY_MISC
> #...
> iptables -A MY_MISC -j RETURN
>
> #...
> iptables -A INPUT -m set ! --match-set blacklist src -j MY_ADD
> iptables -A INPUT -m set   --match-set blacklist src --packets-gt 2 -j MY_MISC
> #...
>
>
>
> Jozsef Kadlecsik wrote on 10/16/23 21:54:
>> On Mon, 16 Oct 2023, U.Mutlu wrote:
>>
>>> could a kind soul please check why the ipset "match-set" rule below isn't
>>> working.
>>>
>>> It jumps to the chain MY2 only if "--packets-gt 0" or
>>> "--packets-gt 1" is used, but not for any higher values! :-)
>>>
>>> I'm new to ipset, but this very much looks like a bug in iptables or ipset,
>>> IMHO.
>>>
>>>
>>> firewall.sh :
>>> -------------
>>> #...
>>> ipset destroy blacklist
>>> ipset create blacklist hash:ip hashsize 4096 timeout 300 counters
>>> #...
>>> iptables -N MY2
>>> #...
>>> iptables -A MY2 -j RETURN
>>> #...
>>> iptables -A INPUT -j SET --exist --add-set blacklist src
>>> iptables -A INPUT -m set --match-set blacklist src --packets-gt 2 -j MY2
>>
>> Reverse the order of the rules above. With the first one you continuously
>> (re)add the elements to the set with packet number 1.
>
>
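The three rule orderings discussed in this thread (the unconditional add before the counter match, Jozsef's fix of adding only when the source is not yet a member, and the REJECT rule placed before versus after the MY_MISC jump) can be walked through with a small first-match simulator. The following is an added example written for this page, not code from the thread or from the iptables/ipset projects. It is a deliberately simplified model of the behaviour described above: re-adding an existing element with `-j SET --exist --add-set` resets its packet counter, a `--match-set` test on a member increments the counter before `--packets-gt N` is compared, a user chain ending in RETURN hands control back to INPUT, and REJECT terminates traversal. The source address `198.51.100.7` and the exact counter arithmetic are constructed for illustration.

```python
"""Constructed simulation of first-match iptables traversal over an ipset
with counters, built from the rule orderings posted in this thread.

Simplified model (not the kernel code):
  * `-j SET --exist --add-set` on an element already in the set re-adds it,
    resetting its packet counter to 0.
  * `-m set --match-set` on a member increments the counter, then, if
    --packets-gt N was given, matches only when counter > N.
  * `-m set ! --match-set` matches only when src is not a member.
  * Jumping into a user chain that ends in RETURN comes back and continues
    with the next rule; REJECT terminates traversal.
"""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class Rule:
    target: str                        # SET_ADD, RETURN, REJECT or a user chain name
    member: Optional[bool] = None      # True: --match-set, False: ! --match-set
    packets_gt: Optional[int] = None   # --packets-gt N (only meaningful with member=True)


Chains = Dict[str, List[Rule]]


def matches(rule: Rule, counters: Dict[str, int], src: str) -> bool:
    """Evaluate the set match of one rule, updating the element counter as ipset does."""
    if rule.member is None:
        return True
    if rule.member is False:
        return src not in counters
    if src not in counters:
        return False
    counters[src] += 1               # a --match-set test updates the element's counter
    return rule.packets_gt is None or counters[src] > rule.packets_gt


def walk(chains: Chains, name: str, counters: Dict[str, int], src: str, hit: List[str]) -> bool:
    """Walk one chain for one packet; return True when a terminating target ended traversal."""
    for rule in chains[name]:
        if not matches(rule, counters, src):
            continue
        if rule.target == "SET_ADD":
            counters[src] = 0        # (re)add resets the counter, so it restarts from 0
        elif rule.target == "RETURN":
            return False
        elif rule.target == "REJECT":
            hit.append("REJECT")
            return True
        else:                        # jump into a user chain
            hit.append(rule.target)
            if walk(chains, rule.target, counters, src, hit):
                return True
    return False


def simulate(chains: Chains, src: str, n_packets: int) -> List[List[str]]:
    """Send n packets from src through INPUT; return the targets reached per packet."""
    counters: Dict[str, int] = {}
    results: List[List[str]] = []
    for _ in range(n_packets):
        hit: List[str] = []
        walk(chains, "INPUT", counters, src, hit)
        results.append(hit)
    return results


ADD_CHAIN = [Rule("SET_ADD"), Rule("RETURN")]   # MY_ADD from the second post
RET_CHAIN = [Rule("RETURN")]                    # MY2 / MY_MISC: only RETURN


def original(packets_gt: int) -> Chains:
    """First post: unconditional add before the counter match, for a given threshold."""
    return {"INPUT": [Rule("SET_ADD"), Rule("MY2", member=True, packets_gt=packets_gt)],
            "MY2": RET_CHAIN}


FIXED: Chains = {   # second post: add only when the source is not yet a member
    "INPUT": [Rule("MY_ADD", member=False), Rule("MY_MISC", member=True, packets_gt=2)],
    "MY_ADD": ADD_CHAIN, "MY_MISC": RET_CHAIN}

REJECT_TOP: Chains = {  # the REJECT rule the final post moved, placed before MY_MISC
    "INPUT": [Rule("REJECT", member=True)] + FIXED["INPUT"],
    "MY_ADD": ADD_CHAIN, "MY_MISC": RET_CHAIN}

REJECT_BOTTOM: Chains = {  # final post: REJECT after the MY_MISC jump
    "INPUT": FIXED["INPUT"] + [Rule("REJECT", member=True)],
    "MY_ADD": ADD_CHAIN, "MY_MISC": RET_CHAIN}


if __name__ == "__main__":
    for label, chains in [("original gt 2", original(2)), ("fixed", FIXED),
                          ("reject top", REJECT_TOP), ("reject bottom", REJECT_BOTTOM)]:
        print(f"{label:14} {simulate(chains, '198.51.100.7', 4)}")
```

In the first ordering the counter is reset on every packet, so `--packets-gt 2` can never be exceeded and MY2 is never reached; in the fixed ordering MY_MISC fires from the third packet; with the REJECT rule on top every packet after the first is rejected before the MY_MISC rule is evaluated, which is exactly the symptom in the second post.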


