[Bug 1101] New: SET target unreliable in iptables - add does not work as expected

bugzilla-daemon at netfilter.org
Fri Dec 9 10:20:49 CET 2016


            Bug ID: 1101
           Summary: SET target unreliable in iptables - add does not work
                    as expected
           Product: netfilter/iptables
           Version: unspecified
          Hardware: x86_64
                OS: Debian GNU/Linux
            Status: NEW
          Severity: major
          Priority: P5
         Component: ip_tables (kernel)
          Assignee: netfilter-buglog at lists.netfilter.org
          Reporter: koetter at luis.uni-hannover.de

Created attachment 486
  --> https://bugzilla.netfilter.org/attachment.cgi?id=486&action=edit
iptables -nvL special-unused:filter

I'm on Debian Jessie,

Linux <> 3.16.0-4-amd64 #1 SMP Debian 3.16.36-1+deb8u2 (2016-10-19) x86_64
iptables v1.4.21
ipset v6.23, protocol version: 6

I use the ipset SET target to create dynamic lists of addresses to block.
The problem: the SET target fails with ~50% of the cases to add an address
properly. A subsequent match on the ipset fails - the address is not added to
the set.

To provide an example, I modified my rules to add & match subsequently - one
would expect the counters to match, but they do not.

It is possible to verify an address is not added to the set using ipset
userspace as well.
The ipset has about 20k entries, adding via ipset cli always works as expected.

The machine I'm working on does quite some traffic - so it may be a race condition
and hard to reproduce.
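The add-then-match counter comparison the reporter describes, as an added example that is not part of the bug report or of the netfilter project: the set name `blocklist` is an assumption, the chain name comes from the attachment title, and `setup_rules` needs root and a live kernel while `compare_counters` only parses `iptables -nvxL` output (a constructed sample is embedded so the check runs offline).

```shell
#!/bin/sh
# Added example, not from the bug report. Assumed names: set "blocklist";
# chain "special-unused" is the one named in the attachment title.
SETNAME="blocklist"
CHAIN="special-unused"

# Build the set and the two consecutive rules (requires root and a live kernel).
setup_rules() {
    ipset create "$SETNAME" hash:ip -exist
    iptables -N "$CHAIN" 2>/dev/null
    iptables -F "$CHAIN"
    # Rule 1: add the packet's source address to the set.
    iptables -A "$CHAIN" -j SET --add-set "$SETNAME" src
    # Rule 2: immediately match the same address. If every add succeeded,
    # both rules must show identical packet counters.
    iptables -A "$CHAIN" -m set --match-set "$SETNAME" src -j ACCEPT
}

# Read `iptables -nvxL $CHAIN` output (-x gives exact counters, no K/M
# suffixes) from stdin, print both packet counts and return 0 only when the
# SET rule and the following match rule agree; 2 if the rules are missing.
compare_counters() {
    awk '
        /add-set/   { add = $1 }
        /match-set/ { m = $1 }
        END {
            if (add == "" || m == "") { print "rules not found"; exit 2 }
            printf "add-set=%s match-set=%s\n", add, m
            if (add == m) exit 0; else exit 1
        }'
}

# Constructed sample output in iptables -nvxL layout: the match rule saw only
# about half of the packets the SET rule saw, as in the report.
SAMPLE_MISMATCH='Chain special-unused (0 references)
    pkts      bytes target     prot opt in     out     source               destination
    1000      80000 SET        all  --  *      *       0.0.0.0/0            0.0.0.0/0            add-set blocklist src
     512      40960 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set blocklist src'

# Constructed healthy output: both counters equal.
SAMPLE_OK='Chain special-unused (0 references)
    pkts      bytes target     prot opt in     out     source               destination
    1000      80000 SET        all  --  *      *       0.0.0.0/0            0.0.0.0/0            add-set blocklist src
    1000      80000 ACCEPT     all  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set blocklist src'

# Live check: `sh this.sh run` (as root) after setup_rules has been applied.
if [ "${1:-}" = "run" ]; then
    iptables -nvxL "$CHAIN" | compare_counters
fi
```

On the live box, run the check a few times under load; a match counter that keeps lagging the add counter is the symptom described above, and `ipset test blocklist <addr>` on a recently seen source confirms whether the entry really is missing.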
