[Bug 1101] New: SET target unreliable in iptables - add does not work as expected
bugzilla-daemon at netfilter.org
Fri Dec 9 10:20:49 CET 2016
https://bugzilla.netfilter.org/show_bug.cgi?id=1101
Bug ID: 1101
Summary: SET target unreliable in iptables - add does not work as expected
Product: netfilter/iptables
Version: unspecified
Hardware: x86_64
OS: Debian GNU/Linux
Status: NEW
Severity: major
Priority: P5
Component: ip_tables (kernel)
Assignee: netfilter-buglog at lists.netfilter.org
Reporter: koetter at luis.uni-hannover.de
Created attachment 486
--> https://bugzilla.netfilter.org/attachment.cgi?id=486&action=edit
iptables -nvL special-unused:filter
I'm on Debian Jessie,
Linux <> 3.16.0-4-amd64 #1 SMP Debian 3.16.36-1+deb8u2 (2016-10-19) x86_64 GNU/Linux
iptables v1.4.21
ipset v6.23, protocol version: 6
I use the ipset SET target to create dynamic lists of addresses to block.
The problem: the SET target fails in ~50% of cases to add an address
properly. A subsequent match on the ipset fails - the address is not added to
the set.
To provide an example, I modified my rules to add & match subsequently - one
would expect the counters to match, but they do not.
It is possible to verify an address is not added to the set using ipset
userspace as well.
The ipset has about 20k entries; adding via the ipset CLI always works as expected.
The machine I'm working on does quite some traffic - so it may be a race condition
and hard to reproduce.
--
You are receiving this mail because:
You are watching all bug changes.
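The counter comparison the report describes, written up as an added example (not the reporter's rules or attachment): it reads `iptables -nvxL` output for a chain in which a `SET --add-set` rule is immediately followed by a `-m set --match-set` rule on the same set, and flags the case where the match rule saw fewer packets than the add rule. The chain dump, the set name `blocklist` and the chain name are constructed sample values.

```shell
#!/bin/sh
# Constructed sample of `iptables -nvxL <chain>` output (-x for exact counters).
# Not the reporter's attachment. An add-set rule is directly followed by a
# match-set rule on the same set: if every add succeeded, both rules would
# have seen the same number of packets.
SAMPLE_COUNTERS='Chain special-unused (1 references)
 pkts bytes target prot opt in out source destination
 1203 72180 SET all -- * * 0.0.0.0/0 0.0.0.0/0 add-set blocklist src
  611 36660 LOG all -- * * 0.0.0.0/0 0.0.0.0/0 match-set blocklist src LOG flags 0 level 4'

# check_set_counters CHAIN_DUMP SET_NAME
# Prints "add=<n> match=<m> missing=<n-m>". Returns 0 when the counters agree,
# 1 when the match-set rule saw fewer packets (adds that did not take effect),
# 2 when one of the two rules is not present in the dump.
check_set_counters() {
    printf '%s\n' "$1" | awk -v set="$2" '
        # rule lines start with the numeric pkts counter; header and
        # "Chain ..." lines do not
        $1 ~ /^[0-9]+$/ {
            for (i = 1; i <= NF; i++) {
                if ($i == "add-set"   && $(i+1) == set) added   = $1
                if ($i == "match-set" && $(i+1) == set) matched = $1
            }
        }
        END {
            if (added == "" || matched == "") { print "rules not found"; exit 2 }
            missing = added - matched
            printf "add=%d match=%d missing=%d\n", added, matched, missing
            if (missing > 0) exit 1
            exit 0
        }'
}

# Stand-alone demo: the sample shows roughly half of the adds not taking effect.
check_set_counters "$SAMPLE_COUNTERS" blocklist || echo "add-set/match-set counters disagree"
```

On a live system the dump comes from `iptables -nvxL <chain>`; the check is only meaningful while the add rule and the match rule are adjacent and no other rule between them can drop or divert traffic.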