ipset nomatch not showing

ipset nomatch not showing

[Mr Dash Four]

If I create a set using the following set of statements:

ipset n test-net hash:net family inet timeout 0 hashsize 64
ipset a test-net 10.1.1.0/24
ipset a test-net 10.1.1.2 nomatch

and then issue "ipset l test-net" I get this:
Header: family inet hashsize 64 maxelem 65536 timeout 0
Size in memory: 924
References: 0
Members:
10.1.1.0/24 timeout 0
10.1.1.2 timeout 0

It is not clear whether the "nomatch" option on the 10.1.1.2 member I 
used above is in fact non matching. Am I missing something?

Also, a minor nitpick on some of the help text displayed using "ipset help":
-n
        When listing, list just setnames from kernel.

It should be "When listing, just list setnames from the kernel."

-!
        Ignore errors when creating already created sets,
        when adding already existing elements
        or when deleting non-existing elements.

It should be "Ignore errors when creating or adding sets or elements 
that do exist or when deleting elements that don't exist."

Re: ipset nomatch not showing

[Jozsef Kadlecsik]

On Fri, 23 Mar 2012, Mr Dash Four wrote:

> If I create a set using the following set of statements:
> 
> ipset n test-net hash:net family inet timeout 0 hashsize 64
> ipset a test-net 10.1.1.0/24
> ipset a test-net 10.1.1.2 nomatch
> 
> and then issue "ipset l test-net" I get this:
> Header: family inet hashsize 64 maxelem 65536 timeout 0
> Size in memory: 924
> References: 0
> Members:
> 10.1.1.0/24 timeout 0
> 10.1.1.2 timeout 0

I can't reproduce this. What is your kernel version, ipset version and how 
did you install the ipset kernel modules: from the ipset package or the 
modules came together with the kernel.
 
> It is not clear whether the "nomatch" option on the 10.1.1.2 member I 
> used above is in fact non matching. Am I missing something?
> 
> Also, a minor nitpick on some of the help text displayed using "ipset help":
> -n
>        When listing, list just setnames from kernel.
> 
> It should be "When listing, just list setnames from the kernel."
> 
> -!
>        Ignore errors when creating already created sets,
>        when adding already existing elements
>        or when deleting non-existing elements.
> 
> It should be "Ignore errors when creating or adding sets or elements that do
> exist or when deleting elements that don't exist."

Thanks, I correct the help text messages.

Best regards,
Jozsef
-
E-mail  : kadlec@blackhole.kfki.hu, kadlecsik.jozsef@wigner.mta.hu
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : Wigner Research Centre for Physics, Hungarian Academy of Sciences
          H-1525 Budapest 114, POB. 49, Hungary

Re: ipset nomatch not showing

[Mr Dash Four]

> I can't reproduce this. What is your kernel version,
3.2

>  ipset version
ipset v6.11, protocol version: 6

>  and how 
> did you install the ipset kernel modules: from the ipset package or the 
> modules came together with the kernel.
>   
Used the kernel modules, but applied a patch to bring them up to v6.11 
level (can include that patch if you need it - just let me know). ipset 
executable has been built separately, using the v6.11 sources as released.

> Thanks, I correct the help text messages.
>   
Pleasure!

Re: ipset nomatch not showing

[Jozsef Kadlecsik]

On Fri, 23 Mar 2012, Mr Dash Four wrote:

> > I can't reproduce this. What is your kernel version,
> 3.2
> 
> >  ipset version
> ipset v6.11, protocol version: 6
> 
> >  and how did you install the ipset kernel modules: from the ipset package or
> > the modules came together with the kernel.
> >   
> Used the kernel modules, but applied a patch to bring them up to v6.11 level
> (can include that patch if you need it - just let me know). ipset executable
> has been built separately, using the v6.11 sources as released.

Could you send me then the patch?

Best regards,
Jozsef
-
E-mail  : kadlec@blackhole.kfki.hu, kadlecsik.jozsef@wigner.mta.hu
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : Wigner Research Centre for Physics, Hungarian Academy of Sciences
          H-1525 Budapest 114, POB. 49, Hungary

Re: ipset nomatch not showing

[Mr Dash Four]

> Could you send me then the patch?
>   
OK, I am posting this for future reference - as it turned out, for some 
reason the method I used to compile/build the kernel modules which form 
part of ipset was not up to scratch ("cp -al" has a lot to answer for!) 
and, apparently, 2 vital files/patches were missed: 
kernel/include/linux/netfilter/ipset/ip_set_ahash.h as well as a hunk in 
net/netfilter/ipset/pfxlen.c.

The kernel compilation miraculously succeeded, but I was not able to use 
the nomatch option, until I fixed the error thanks to Jozsef's help and 
assistance.

-bash-4.1# ipset a test-net 10.1.2.7 timeout 0 nomatch
-bash-4.1# ipset l test-net
Name: test-net
Type: hash:net
Header: family inet hashsize 64 maxelem 5 timeout 0
Size in memory: 924
References: 18
Members:
10.1.2.7 timeout 0 nomatch
10.1.2.0/24 timeout 0
-bash-4.1# ipset t test-net 10.1.2.7
10.1.2.7 is NOT in set test-net.

So, it all works now!