* ipset issues
From: Art Emius @ 2016-05-25 20:42 UTC (permalink / raw)
To: netfilter
Hello guys,
Recently I've encountered an issue with using ipset in my firewall.
I use Debian Linux 8.4, running in virtual machine inside ESXi 5.5.
My host is 192.168.1.2, remote host is 192.168.1.1.
I'm running ssh server on my host and want to limit access to it using
one rule with two sets of different types like this:
# create the sets first: iptables refuses a rule that references a set which does not exist yet
ipset create SSH hash:ip,port,ip hashsize 8 maxelem 8 family inet
ipset add SSH 192.168.1.1,tcp:22,192.168.1.2
ipset create NETS_IFACE hash:net,iface hashsize 128 maxelem 128 family inet
ipset add NETS_IFACE 192.168.1.0/24,eth1
# one rule, two sets: source net + incoming interface, then source ip / dst port / dst ip
iptables -t filter -A INPUT -m set --match-set NETS_IFACE src,src -m set --match-set SSH src,dst,dst -j ACCEPT
iptables -P OUTPUT ACCEPT
It doesn't work this way. eth1 really exists and handles traffic.
But if I use a rule like this, it works fine.
iptables -t filter -A INPUT -i eth1 -m set --match-set SSH src,dst,dst -j ACCEPT
What am I doing wrong?
Regards,
Art
* Re: ipset issues
From: Jozsef Kadlecsik @ 2016-05-25 20:58 UTC (permalink / raw)
To: Art Emius; +Cc: netfilter
On Wed, 25 May 2016, Art Emius wrote:
> Recently I've encountered an issue with using ipset in my firewall.
>
> I use Debian Linux 8.4, running in virtual machine inside ESXi 5.5.
> My host is 192.168.1.2, remote host is 192.168.1.1.
> I'm running ssh server on my host and want to limit access to it using
> one rule with two sets of different types like this:
>
> iptables -t filter -A INPUT -m set --match-set NETS_IFACE src,src -m set --match-set SSH src,dst,dst -j ACCEPT
> iptables -P OUTPUT ACCEPT
>
> ipset create SSH hash:ip,port,ip hashsize 8 maxelem 8 family inet
> ipset add SSH 192.168.1.1,tcp:22,192.168.1.2
>
> ipset create NETS_IFACE hash:net,iface hashsize 128 maxelem 128 family inet
> ipset add NETS_IFACE 192.168.1.0/24,eth1
You should use "--match-set NETS_IFACE src,dst" in the rule above if you
want to limit the access to the traffic from the 192.168.1.0/24 subnet
received on interface eth1 only.
> It doesn't work this way. eth1 really exists and handles traffic.
> But if I use a rule like this, it works fine.
> iptables -t filter -A INPUT -i eth1 -m set --match-set SSH src,dst,dst -j ACCEPT
Best regards,
Jozsef
-
E-mail : kadlec@blackhole.kfki.hu, kadlecsik.jozsef@wigner.mta.hu
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : Wigner Research Centre for Physics, Hungarian Academy of Sciences
H-1525 Budapest 114, POB. 49, Hungary
* Re: ipset issues
From: Art Emius @ 2016-05-28 19:09 UTC (permalink / raw)
To: Jozsef Kadlecsik; +Cc: netfilter
Hello Jozsef,
Thanks for the reply.
This makes me feel confused, but it seems it doesn't work at all. I've
tried both src,src and src,dst parameters. Still I see packets
being dropped. But if I use -i / -o in iptables rules, it works fine.
2016-05-25 23:58 GMT+03:00 Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>:
> On Wed, 25 May 2016, Art Emius wrote:
>
>> Recently I've encountered an issue with using ipset in my firewall.
>>
>> I use Debian Linux 8.4, running in virtual machine inside ESXi 5.5.
>> My host is 192.168.1.2, remote host is 192.168.1.1.
>> I'm running ssh server on my host and want to limit access to it using
>> one rule with two sets of different types like this:
>>
>> iptables -t filter -A INPUT -m set --match-set NETS_IFACE src,src -m set --match-set SSH src,dst,dst -j ACCEPT
>> iptables -P OUTPUT ACCEPT
>>
>> ipset create SSH hash:ip,port,ip hashsize 8 maxelem 8 family inet
>> ipset add SSH 192.168.1.1,tcp:22,192.168.1.2
>>
>> ipset create NETS_IFACE hash:net,iface hashsize 128 maxelem 128 family inet
>> ipset add NETS_IFACE 192.168.1.0/24,eth1
>
> You should use "--match-set NETS_IFACE src,dst" in the rule above if you
> want to limit the access to the traffic from the 192.168.1.0/24 subnet
> received on interface eth1 only.
>
>> It doesn't work this way. eth1 really exists and handles traffic.
>> But if I use a rule like this, it works fine.
>> iptables -t filter -A INPUT -i eth1 -m set --match-set SSH src,dst,dst -j ACCEPT
>
> Best regards,
> Jozsef
> -
> E-mail : kadlec@blackhole.kfki.hu, kadlecsik.jozsef@wigner.mta.hu
> PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
> Address : Wigner Research Centre for Physics, Hungarian Academy of Sciences
> H-1525 Budapest 114, POB. 49, Hungary
--
Art & Emius
www.emius.ru
* Re: ipset issues
From: Jozsef Kadlecsik @ 2016-05-30 19:19 UTC (permalink / raw)
To: Art Emius; +Cc: netfilter
Hello,
On Sat, 28 May 2016, Art Emius wrote:
> This makes me feel confused, but it seems it doesn't work at all. I've
> tried both src,src and src,dst parameters. Still I see packets being
> dropped. But if I use -i / -o in iptables rules, it works fine.
Sorry, I messed up the parameters.
I think your kernel does not contain the patch
commit ef5b6e127761667f78d99b7510a3876077fe9abe
Author: Florian Westphal <fw@strlen.de>
Date: Sun Jun 17 09:56:46 2012 +0000
netfilter: ipset: fix interface comparision in hash-netiface sets
ifname_compare() assumes that skb->dev is zero-padded,
e.g 'eth1\0\0\0\0\0...'. This isn't always the case. e1000 driver does
strncpy(netdev->name, pci_name(pdev), sizeof(netdev->name) - 1);
in e1000_probe(), so once device is registered dev->name memory contains
'eth1\0:0:3\0\0\0' (or something like that), which makes eth1 compare
fail.
Use plain strcmp() instead.
which went into the kernel v4.2. I assume it was not backported into older
kernel releases.
Best regards,
Jozsef
> 2016-05-25 23:58 GMT+03:00 Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>:
> > On Wed, 25 May 2016, Art Emius wrote:
> >
> >> Recently I've encountered an issue with using ipset in my firewall.
> >>
> >> I use Debian Linux 8.4, running in virtual machine inside ESXi 5.5.
> >> My host is 192.168.1.2, remote host is 192.168.1.1.
> >> I'm running ssh server on my host and want to limit access to it using
> >> one rule with two sets of different types like this:
> >>
> >> iptables -t filter -A INPUT -m set --match-set NETS_IFACE src,src -m set --match-set SSH src,dst,dst -j ACCEPT
> >> iptables -P OUTPUT ACCEPT
> >>
> >> ipset create SSH hash:ip,port,ip hashsize 8 maxelem 8 family inet
> >> ipset add SSH 192.168.1.1,tcp:22,192.168.1.2
> >>
> >> ipset create NETS_IFACE hash:net,iface hashsize 128 maxelem 128 family inet
> >> ipset add NETS_IFACE 192.168.1.0/24,eth1
> >
> > You should use "--match-set NETS_IFACE src,dst" in the rule above if you
> > want to limit the access to the traffic from the 192.168.1.0/24 subnet
> > received on interface eth1 only.
> >
> >> It doesn't work this way. eth1 really exists and handles traffic.
> >> But if I use a rule like this, it works fine.
> >> iptables -t filter -A INPUT -i eth1 -m set --match-set SSH src,dst,dst -j ACCEPT
> >
> > Best regards,
> > Jozsef
> > -
> > E-mail : kadlec@blackhole.kfki.hu, kadlecsik.jozsef@wigner.mta.hu
> > PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
> > Address : Wigner Research Centre for Physics, Hungarian Academy of Sciences
> > H-1525 Budapest 114, POB. 49, Hungary
>
>
>
> --
> Art & Emius
> www.emius.ru
>
-
E-mail : kadlec@blackhole.kfki.hu, kadlecsik.jozsef@wigner.mta.hu
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : Wigner Research Centre for Physics, Hungarian Academy of Sciences
H-1525 Budapest 114, POB. 49, Hungary
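The failure mode named in the commit message above, reproduced in user space as an added example (this is not kernel code and not part of the thread). It simulates the e1000 sequence the commit describes: the PCI slot name is written into the IFNAMSIZ buffer with strncpy() at probe time, and registration later overwrites only "eth1" and its NUL, leaving the tail of the old string behind. The PCI name "0000:00:03.0" is a made-up value, and the padded compare uses memcmp() over the whole buffer as a simplified stand-in for the routine the commit removed (the kernel compared the buffer as machine words); both assumptions are marked in the code.

```c
#include <stdio.h>
#include <string.h>

#define IFNAMSIZ 16   /* same buffer size as the kernel's dev->name */

/*
 * Padded compare: assumes both buffers are NUL-padded out to IFNAMSIZ and
 * compares every byte.  Simplified stand-in (assumption) for the routine
 * the commit removed; the kernel compared the buffer as machine words, but
 * the failure mode is identical: bytes after the terminating NUL take part
 * in the comparison.
 */
static int ifname_compare_padded(const char *a, const char *b)
{
    return memcmp(a, b, IFNAMSIZ) == 0;
}

/* Fixed compare: strcmp() stops at the first NUL, so stale bytes after the
 * name are ignored.  This is what the commit switched to. */
static int ifname_compare_fixed(const char *a, const char *b)
{
    return strcmp(a, b) == 0;
}

/*
 * Constructed simulation of the e1000 sequence from the commit message:
 * probe copies the PCI slot name with strncpy(), registration later writes
 * only "eth1" plus its NUL on top.  The PCI name is a made-up value.
 */
static void simulate_e1000_name(char name[IFNAMSIZ])
{
    memset(name, 0, IFNAMSIZ);
    strncpy(name, "0000:00:03.0", IFNAMSIZ - 1);  /* e1000_probe(): pci_name() */
    memcpy(name, "eth1", 5);                       /* register_netdev(): "eth1\0" */
}

/* Count non-zero bytes after the terminating NUL: residue of the PCI name. */
static int trailing_garbage(const char name[IFNAMSIZ])
{
    int n = 0;
    for (size_t i = strlen(name) + 1; i < IFNAMSIZ; i++)
        if (name[i] != '\0')
            n++;
    return n;
}

/* The set element as ipset stores it: copied into a zeroed IFNAMSIZ buffer. */
static void set_element_name(char name[IFNAMSIZ])
{
    memset(name, 0, IFNAMSIZ);
    strncpy(name, "eth1", IFNAMSIZ - 1);
}

/* Does the stored element "eth1" match the simulated skb->dev->name?  1 = yes. */
int demo_padded_match(void)
{
    char dev[IFNAMSIZ], elem[IFNAMSIZ];
    simulate_e1000_name(dev);
    set_element_name(elem);
    return ifname_compare_padded(elem, dev);
}

int demo_fixed_match(void)
{
    char dev[IFNAMSIZ], elem[IFNAMSIZ];
    simulate_e1000_name(dev);
    set_element_name(elem);
    return ifname_compare_fixed(elem, dev);
}

int demo_trailing_garbage(void)
{
    char dev[IFNAMSIZ];
    simulate_e1000_name(dev);
    return trailing_garbage(dev);
}

int main(void)
{
    char dev[IFNAMSIZ];
    simulate_e1000_name(dev);

    printf("dev->name bytes:");
    for (int i = 0; i < IFNAMSIZ; i++)
        printf(" %02x", (unsigned char)dev[i]);
    printf("\n");
    printf("non-zero bytes after the NUL: %d\n", demo_trailing_garbage());
    printf("padded compare matches eth1:  %s\n", demo_padded_match() ? "yes" : "no");
    printf("strcmp compare matches eth1:  %s\n", demo_fixed_match() ? "yes" : "no");
    return 0;
}
```

Build with `cc -std=c99 -Wall` and run: the padded compare rejects the interface while strcmp() accepts it. With a driver that zero-fills the whole buffer both routines agree, which is why the bug surfaced only on some hardware, exactly as the commit message says ("This isn't always the case"). On a live box the symptom is the one the thread shows: a rule with `-i eth1` counts packets while the `--match-set NETS_IFACE src,src` rule for the same traffic stays at zero.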
* Re: ipset issues
From: Pablo Neira Ayuso @ 2016-05-31 10:25 UTC (permalink / raw)
To: Jozsef Kadlecsik; +Cc: Art Emius, netfilter
On Mon, May 30, 2016 at 09:19:34PM +0200, Jozsef Kadlecsik wrote:
> Hello,
>
> On Sat, 28 May 2016, Art Emius wrote:
>
> > This makes me feel confused, but it seems it doesn't work at all. I've
> > tried both src,src and src,dst parameters. Still I see packets being
> > dropped. But if I use -i / -o in iptables rules, it works fine.
>
> Sorry, I messed up the parameters.
>
> I think your kernel does not contain the patch
>
> commit ef5b6e127761667f78d99b7510a3876077fe9abe
> Author: Florian Westphal <fw@strlen.de>
> Date: Sun Jun 17 09:56:46 2012 +0000
>
> netfilter: ipset: fix interface comparision in hash-netiface sets
>
> ifname_compare() assumes that skb->dev is zero-padded,
> e.g 'eth1\0\0\0\0\0...'. This isn't always the case. e1000 driver does
>
> strncpy(netdev->name, pci_name(pdev), sizeof(netdev->name) - 1);
>
> in e1000_probe(), so once device is registered dev->name memory contains
> 'eth1\0:0:3\0\0\0' (or something like that), which makes eth1 compare
> fail.
>
> Use plain strcmp() instead.
>
> which went into the kernel v4.2. I assume it was not backported into older
> kernel releases.
This seems to apply cleanly against 3.2.x and 3.4.x.
I can request -stable submission for these two.
* Re: ipset issues
From: Jozsef Kadlecsik @ 2016-05-31 11:05 UTC (permalink / raw)
To: Pablo Neira Ayuso; +Cc: Art Emius, netfilter
Hi Pablo,
On Tue, 31 May 2016, Pablo Neira Ayuso wrote:
> On Mon, May 30, 2016 at 09:19:34PM +0200, Jozsef Kadlecsik wrote:
> >
> > On Sat, 28 May 2016, Art Emius wrote:
> >
> > > This makes me feel confused, but it seems it doesn't work at all. I've
> > > tried both src,src and src,dst parameters. Still I see packets being
> > > dropped. But if I use -i / -o in iptables rules, it works fine.
> >
> > Sorry, I messed up the parameters.
> >
> > I think your kernel does not contain the patch
> >
> > commit ef5b6e127761667f78d99b7510a3876077fe9abe
> > Author: Florian Westphal <fw@strlen.de>
> > Date: Sun Jun 17 09:56:46 2012 +0000
> >
> > netfilter: ipset: fix interface comparision in hash-netiface sets
> >
> > ifname_compare() assumes that skb->dev is zero-padded,
> > e.g 'eth1\0\0\0\0\0...'. This isn't always the case. e1000 driver does
> >
> > strncpy(netdev->name, pci_name(pdev), sizeof(netdev->name) - 1);
> >
> > in e1000_probe(), so once device is registered dev->name memory contains
> > 'eth1\0:0:3\0\0\0' (or something like that), which makes eth1 compare
> > fail.
> >
> > Use plain strcmp() instead.
> >
> > which went into the kernel v4.2. I assume it was not backported into older
> > kernel releases.
>
> This seems to apply cleanly against 3.2.x and 3.4.x.
>
> I can request -stable submission for these two.
It'd be great, please request the submissions. Thanks!
Best regards,
Jozsef
-
E-mail : kadlec@blackhole.kfki.hu, kadlecsik.jozsef@wigner.mta.hu
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : Wigner Research Centre for Physics, Hungarian Academy of Sciences
H-1525 Budapest 114, POB. 49, Hungary