<html>
    <head>
      <base href="https://bugzilla.netfilter.org/" />
    </head>
    <body><table border="1" cellspacing="0" cellpadding="8">
        <tr>
          <th>Bug ID</th>
          <td><a class="bz_bug_link 
          bz_status_NEW "
   title="NEW - adjacent /31 IPs in ipset"
   href="https://bugzilla.netfilter.org/show_bug.cgi?id=1482">1482</a>
          </td>
        </tr>

        <tr>
          <th>Summary</th>
          <td>adjacent /31 IPs in ipset
          </td>
        </tr>

        <tr>
          <th>Product</th>
          <td>nftables
          </td>
        </tr>

        <tr>
          <th>Version</th>
          <td>unspecified
          </td>
        </tr>

        <tr>
          <th>Hardware</th>
          <td>x86_64
          </td>
        </tr>

        <tr>
          <th>OS</th>
          <td>other
          </td>
        </tr>

        <tr>
          <th>Status</th>
          <td>NEW
          </td>
        </tr>

        <tr>
          <th>Severity</th>
          <td>normal
          </td>
        </tr>

        <tr>
          <th>Priority</th>
          <td>P5
          </td>
        </tr>

        <tr>
          <th>Component</th>
          <td>kernel
          </td>
        </tr>

        <tr>
          <th>Assignee</th>
          <td>pablo@netfilter.org
          </td>
        </tr>

        <tr>
          <th>Reporter</th>
          <td>martin@netconfigs.com
          </td>
        </tr></table>
      <p>
        <div>
        <pre>CentOS Linux release 8.2.2004 (Core)
4.18.0-193.19.1.el8_2.x86_64
configured using firewalld

Apparently, a subtle bug when an ipset contains individual IPv4 addresses where
two are adjacent in a /31:

        set larcs4 {
                type ipv4_addr
                flags interval
                elements = { ...,
                             82.152.159.40, 82.152.159.41,
                             ... }
        }

The membership of the ipset is used to allow access to 5071/tcp

        chain filter_IN_public_allow {
                ip saddr @larcs4 tcp dport 5071 ct state { new, untracked } accept
        }

In this scenario, packets from the earlier IP are accepted,
however, packets from the latter IP are rejected. 

15:15:58.658139 IP 82.152.159.41.48327 > 51.195.193.238.5071: Flags [S], seq 3108250724, win 29200, options [mss 1460,sackOK,TS val 1250822659 ecr 0,nop,wscale 7], length 0
15:15:58.658180 IP 51.195.193.238 > 82.152.159.41: ICMP host 51.195.193.238 unreachable - admin prohibited filter, length 68

If I remove the earlier IP:

        nft delete element inet firewalld larcs4 { 82.152.159.40 }

then packets from the latter IP are accepted.</pre>
        </div>
      </p>
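<p>An added audit check, not part of the report and not nftables code: given the element list of an interval set, it reports every pair of individual IPv4 addresses that together form a /31, the condition the reporter identified. The sample element list is constructed; the only real values in it are the two addresses from the report.</p>

```python
"""Find pairs of individual addresses in an nftables interval set that form a /31."""
import ipaddress
from typing import Iterable


def adjacent_31_pairs(elements: Iterable[str]) -> list[tuple[str, str, str]]:
    """Return (lower, upper, /31 prefix) for every pair of single addresses in
    `elements` that differ only in the lowest bit (e.g. .40 and .41).
    Prefix ('/') and range ('-') elements are skipped: the reported behaviour
    concerns individual addresses only."""
    singles: set[ipaddress.IPv4Address] = set()
    for elem in elements:
        elem = elem.strip()
        if "/" in elem or "-" in elem:
            continue
        singles.add(ipaddress.IPv4Address(elem))
    pairs = []
    for addr in sorted(singles):
        # Only the even address of a /31 starts a pair; its partner is addr + 1.
        if int(addr) & 1 == 0 and addr + 1 in singles:
            net = ipaddress.ip_network(f"{addr}/31", strict=False)
            pairs.append((str(addr), str(addr + 1), str(net)))
    return pairs


# Constructed sample standing in for the "..." elements of the report's set.
SAMPLE_ELEMENTS = [
    "10.0.0.5",
    "82.152.159.40", "82.152.159.41",   # the pair from the report
    "82.152.159.43",                     # odd address with no /31 partner
    "192.0.2.0/24",                      # prefix element, skipped
    "198.51.100.1-198.51.100.9",         # range element, skipped
]

if __name__ == "__main__":
    for low, high, net in adjacent_31_pairs(SAMPLE_ELEMENTS):
        print(f"{low} and {high} form {net}: verify that {high} still matches the set")
```

<p>Feeding it the output of <code>nft list set inet firewalld larcs4</code> (after stripping the surrounding syntax) lists the candidates to re-test with a packet from the upper address.</p>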
    </body>
</html>