[Bug 640] New: ipset-4.2 : ipset -T <some_setlist> <address> always negative
bugzilla-daemon at bugzilla.netfilter.org
Thu Mar 11 22:47:04 CET 2010
http://bugzilla.netfilter.org/show_bug.cgi?id=640
Summary: ipset-4.2 : ipset -T <some_setlist> <address> always negative
Product: ipset
Version: unspecified
Platform: All
OS/Version: All
Status: NEW
Severity: normal
Priority: P1
Component: default
AssignedTo: netfilter-buglog at lists.netfilter.org
ReportedBy: brendlerjg at gmail.com
I have been using ipsets for years, but am attempting to implement a setlist
for the first time, using version 4.2.
I have created a setlist, including three ipsets (all of type nethash). I am
trying to validate that it works before incorporating into my firewall.
When I use 'ipset -T' to test whether a given address is included in one of the
nethashes, I get a positive response (that it IS in the set). However, when I
use ipset -T against the setlist itself, I get a negative response (that it is
NOT in the setlist).
While I realize ipset -T may not be the same as running iptables matches
against the setlist, I would expect that it probably is.
Is this my own user error, or is this broken? For the time being, I cannot
verify that the setlist works, so I am removing it.
######### Details ##################################################
Here is one of the ipsets included in the setlist...
-------------------------------------------------
# ipset -L cn
Name: cn
Type: nethash
References: 1
Header: hashsize: 5184 probes: 4 resize: 50
Members:
175.64.0.0/11
203.88.32.0/19
203.91.32.0/19
202.38.164.0/22
180.94.96.0/20
121.52.224.0/19
....
.... (hundreds of lines)
....
111.160.0.0/13
202.14.235.0/24
113.204.0.0/14
121.32.0.0/13
114.80.0.0/12
203.171.224.0/20
221.208.0.0/12
113.132.0.0/14
113.11.192.0/19
-------------------------------------------------
So let's test an address in that set:
-------------------------------------------------
# ipset -T cn 202.14.235.87
202.14.235.87 is in set cn
-------------------------------
That's as it should be. Now, below is the setlist (as you can see, it includes
the ipset "cn" above):
-------------------------------------------------
# ipset -L black_setlist
Name: black_setlist
Type: setlist
References: 1
Header: size: 8
Members:
cn
ru
ng
-------------------------------------------------
Let's test the same address against the setlist...
-------------------------------------------------
# ipset -T black_setlist 202.14.235.87
202.14.235.87 is NOT in set black_setlist.
-------------------------------------------------
To me, it looks like the setlist is not working properly, because that address
is definitely included in one of the ipsets that comprise the setlist.
#######################
Please let me know if I have not provided enough information, and thank you
for your time.