* ipset: hash:*net* doesn't match after entry removal (both inet, inet6 families)
@ 2013-06-20 12:09 Sergey Popovich
From: Sergey Popovich @ 2013-06-20 12:09 UTC (permalink / raw)
  To: netdev

Hello!

Deploying ip6?tables filtering rules on one of our servers we spotted the following
issue using Linux kernel 3.9.6 and ipset 6.19 as userland and the hash:*net* set
type:

  Deleting a previously added network prefix longer than any prefix already in
  the set causes future lookups on the remaining prefixes not to match (both
  using the ipset(8) test command and the ip6?tables(8) "set" match, on any
  hash:*net* set type).

Tested on the following configurations:
  1. v3.9.6, ipset 6.19 (also 6.12.1) : reproduced
  2. v3.8.13 (EOL), ipset 6.12.1      : reproduced
  3. v3.2.46, ipset 6.12.1            : not reproducible

Both IPv4 and IPv6 are affected.

Steps to reproduce (using ipset(8) test command for simplicity):
--------------------------------------------------------------------------------
#!/bin/bash -v

##  Create ipset for inet AFI
ipset create set-v4 hash:net family inet

## Add 192.168.1.0/24 prefix to set and check
ipset add set-v4 192.168.1.0/24
ipset test set-v4 192.168.1.0
192.168.1.0 is in set set-v4.
ipset test set-v4 192.168.1.255
192.168.1.255 is in set set-v4.

## Add 172.16.1.0/25 prefix to set and check
ipset add set-v4 172.16.1.0/25
ipset test set-v4 192.168.1.0
192.168.1.0 is in set set-v4.
ipset test set-v4 192.168.1.255
192.168.1.255 is in set set-v4.
ipset test set-v4 172.16.1.0
172.16.1.0 is in set set-v4.
ipset test set-v4 172.16.1.127
172.16.1.127 is in set set-v4.

## List set-v4 contents
ipset list set-v4
Name: set-v4
Type: hash:net
Header: family inet hashsize 1024 maxelem 65536 
Size in memory: 16824
References: 0
Members:
172.16.1.0/25
192.168.1.0/24

## Delete longer (more specific) prefix from the set
ipset del set-v4 172.16.1.0/25

## And test again remaining prefixes
ipset test set-v4 192.168.1.0
192.168.1.0 is NOT in set set-v4.
ipset test set-v4 192.168.1.255
192.168.1.255 is NOT in set set-v4.

## List set-v4 contents
ipset list set-v4
Name: set-v4
Type: hash:net
Header: family inet hashsize 1024 maxelem 65536 
Size in memory: 16824
References: 0
Members:
192.168.1.0/24

## Destroy set-v4
ipset destroy set-v4

-- 
SP5474-RIPE
Sergey Popovich
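As an added illustration (not part of this report, nor the ipset or kernel code), below is a simplified C model of how a hash:*net* set records the prefix lengths it contains and probes them on lookup; set_add/set_del/set_test and the nets table are names assumed by the model. The reproduction above is exactly the sequence the model must survive: after the longer /25 is deleted, set_del() has to retire that prefix length without disturbing the /24 still in the set, otherwise the rule referencing the set silently stops matching (fail-open).

```c
#include <stdint.h>
#include <string.h>

/* Simplified model of a hash:net set (not the kernel's code): members are (network, prefix
 * length) pairs; a "nets" table records which prefix lengths are present, longest first. */
#define MAX_ELEMS 64
#define IP(a, b, c, d) (((uint32_t)(a) << 24) | ((uint32_t)(b) << 16) | ((uint32_t)(c) << 8) | (uint32_t)(d))
static struct { uint32_t net; uint8_t cidr; int used; } elems[MAX_ELEMS];
static struct { uint8_t cidr; int count; } nets[33]; /* one slot per prefix length 0..32 */
static int nnets;

static uint32_t mask(uint32_t ip, uint8_t cidr) { return cidr ? ip & (0xFFFFFFFFu << (32 - cidr)) : 0; }
static int find(uint32_t net, uint8_t cidr) {
    for (int i = 0; i < MAX_ELEMS; i++)
        if (elems[i].used && elems[i].cidr == cidr && elems[i].net == net) return i;
    return -1;
}
static int nets_index(uint8_t cidr) { /* returns nnets when the length is not recorded */
    int i = 0;
    while (i < nnets && nets[i].cidr != cidr) i++;
    return i;
}

int set_add(uint32_t ip, uint8_t cidr) {
    uint32_t net = mask(ip, cidr);
    int e, i = nets_index(cidr);
    if (find(net, cidr) >= 0) return 0;             /* already a member */
    for (e = 0; e < MAX_ELEMS && elems[e].used; e++) ;
    if (e == MAX_ELEMS) return -1;                  /* set full */
    elems[e].used = 1; elems[e].net = net; elems[e].cidr = cidr;
    if (i < nnets) { nets[i].count++; return 1; }
    for (i = nnets; i > 0 && nets[i - 1].cidr < cidr; i--) nets[i] = nets[i - 1]; /* keep longest-first */
    nets[i].cidr = cidr; nets[i].count = 1; nnets++;
    return 1;
}

int set_del(uint32_t ip, uint8_t cidr) {
    int e = find(mask(ip, cidr), cidr), i = nets_index(cidr);
    if (e < 0) return 0;
    elems[e].used = 0;
    if (--nets[i].count > 0) return 1;
    /* Last member of this length: retire the slot and close the gap so shorter lengths stay probed. */
    memmove(&nets[i], &nets[i + 1], (size_t)(nnets - i - 1) * sizeof nets[0]);
    nnets--;
    return 1;
}

int set_test(uint32_t ip) { /* 1 if ip is covered by any member prefix, probing longest prefix first */
    for (int i = 0; i < nnets; i++)
        if (find(mask(ip, nets[i].cidr), nets[i].cidr) >= 0) return 1;
    return 0;
}
```

Replaying the report's steps against this model is a cheap regression check for the bookkeeping: the /24 members must still test positive once the /25 is gone.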
