[Bug 1719] New: ipset wrongly blocking undefined ranges and not blocking ranges that are defined
bugzilla-daemon at netfilter.org
Wed Oct 25 11:20:12 CEST 2023
https://bugzilla.netfilter.org/show_bug.cgi?id=1719
Bug ID: 1719
Summary: ipset wrongly blocking undefined ranges and not
blocking ranges that are defined
Product: ipset
Version: unspecified
Hardware: All
OS: RedHat Linux
Status: NEW
Severity: critical
Priority: P5
Component: default
Assignee: netfilter-buglog at lists.netfilter.org
Reporter: raymi.coevan at gmail.com
Created attachment 727
--> https://bugzilla.netfilter.org/attachment.cgi?id=727&action=edit
ipset blacklist (1881 entries)
The version used is not available in the version list above: ipset v6.29, protocol
version: 6. The OS is CentOS (RHEL).
$ ipset -L -n
blacklist
$ ipset -L -t
Name: blacklist
Type: hash:net
Revision: 6
Header: family inet hashsize 1024 maxelem 65536
Size in memory: 57600
References: 1
Number of entries: 1881
$ ipset test blacklist 108.174.0.158
108.174.0.158 is in set blacklist.
$ ipset test blacklist 108.174.1.10
108.174.1.10 is in set blacklist.
$ ipset test blacklist 108.174.8.95
108.174.8.95 is in set blacklist.
The IP addresses tested above are not defined in the blacklist but are nevertheless blocked.
$ ipset test blacklist 108.174.8.95
108.174.8.95 is in set blacklist.
Now, on the opposite:
$ ipset test blacklist 203.55.21.150
203.55.21.150 is NOT in set blacklist.
However, it is defined via 203.55.21.0/24 and is NOT blocked, which is critical.
Attached is the /etc/sysconfig/ipset blacklist.
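An offline cross-check for results like the ones in this report, added here as an example (not code from the reporter or the ipset project): it parses `ipset save` output and reports which hash:net entry, if any, covers a tested address, so an `ipset test` result can be compared with what the saved entries imply. The sample entries are constructed (not taken from attachment 727) and the function names are hypothetical.

```python
import ipaddress

# Constructed sample in `ipset save` format; NOT the entries from attachment 727.
SAMPLE_SAVE = """\
create blacklist hash:net family inet hashsize 1024 maxelem 65536
add blacklist 198.51.100.0/24
add blacklist 192.0.2.0/28
add blacklist 203.0.113.0/25 nomatch
add blacklist 203.0.113.0/24
add blacklist 10.20.0.0/20
"""

def parse_save(text, set_name):
    """Return [(network, nomatch_flag)] for every 'add <set_name> ...' line."""
    entries = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or parts[0] != "add" or parts[1] != set_name:
            continue
        # strict=False tolerates entries written with host bits set
        net = ipaddress.ip_network(parts[2], strict=False)
        entries.append((net, "nomatch" in parts[3:]))
    return entries

def covering_entries(entries, addr):
    """All entries that contain addr, most specific prefix first."""
    ip = ipaddress.ip_address(addr)
    hits = [(n, nm) for n, nm in entries if n.version == ip.version and ip in n]
    return sorted(hits, key=lambda e: e[0].prefixlen, reverse=True)

def expected_match(entries, addr):
    """(expected `ipset test` result, deciding entry or None).

    hash:net lookups go from the most specific prefix to the least, so the
    most specific covering entry decides; a nomatch entry means "not in set".
    """
    hits = covering_entries(entries, addr)
    if not hits:
        return False, None
    net, nomatch = hits[0]
    return (not nomatch), net

if __name__ == "__main__":
    entries = parse_save(SAMPLE_SAVE, "blacklist")
    for addr in ("10.20.8.95", "203.0.113.10", "203.0.113.200", "192.0.2.20"):
        matched, net = expected_match(entries, addr)
        print(f"{addr}: expected {'in set' if matched else 'NOT in set'} (entry: {net})")
```

Run it against the real `ipset save blacklist` output; any address where the expected result differs from `ipset test` is the case worth attaching to the bug.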