[Bug 1482] New: adjacent /31 IPs in ipset
bugzilla-daemon at netfilter.org
Sun Nov 15 16:27:19 CET 2020
https://bugzilla.netfilter.org/show_bug.cgi?id=1482
Bug ID: 1482
Summary: adjacent /31 IPs in ipset
Product: nftables
Version: unspecified
Hardware: x86_64
OS: other
Status: NEW
Severity: normal
Priority: P5
Component: kernel
Assignee: pablo at netfilter.org
Reporter: martin at netconfigs.com
CentOS Linux release 8.2.2004 (Core)
4.18.0-193.19.1.el8_2.x86_64
configured using firewalld
Apparently, there is a subtle bug when an ipset contains individual IPv4 addresses where
two are adjacent in a /31:
    set larcs4 {
        type ipv4_addr
        flags interval
        elements = { ...,
                     82.152.159.40, 82.152.159.41,
                     ... }
    }
The members of the ipset are used to allow access to 5071/tcp:
    chain filter_IN_public_allow {
        ip saddr @larcs4 tcp dport 5071 ct state { new, untracked } accept
    }
In this scenario, packets from the earlier IP are accepted; however,
packets from the latter IP are rejected:
    15:15:58.658139 IP 82.152.159.41.48327 > 51.195.193.238.5071: Flags [S], seq 3108250724, win 29200, options [mss 1460,sackOK,TS val 1250822659 ecr 0,nop,wscale 7], length 0
    15:15:58.658180 IP 51.195.193.238 > 82.152.159.41: ICMP host 51.195.193.238 unreachable - admin prohibited filter, length 68
If I remove the earlier IP:
    nft delete element inet firewalld larcs4 { 82.152.159.40 }
then packets from the latter IP are accepted.
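Added example, not part of the bug report and not netfilter project code: a small self-check for an interval set like the one above. It shows why two single addresses that differ only in the last bit collapse into one /31 element once `flags interval` is set, parses a set listing in the shape `nft list set` prints, and reports any expected address the listed intervals do not cover. Because the report's symptom is that the listing looks right while the kernel still rejects the second address, the script also emits `nft get element` commands that ask the kernel itself whether each address matches; running those (not included here, since they need a live ruleset) is the quickest way to reproduce the discrepancy on a host. The listing text, the element values other than 82.152.159.40/.41, and the table/set names are constructed or taken from the report; the `nft get element` subcommand is part of the nftables userspace tool.

```python
# Added example (not from the bug report): check an nftables interval set's
# coverage of expected IPv4 addresses, and show how adjacent single
# addresses collapse into one /31 interval.
import ipaddress
import re

# Constructed listing in the shape `nft list set inet firewalld larcs4`
# prints after interval merging. Only 82.152.159.40/.41 come from the
# report; the other elements are assumed sample values.
SAMPLE_LISTING = """table inet firewalld {
        set larcs4 {
                type ipv4_addr
                flags interval
                elements = { 82.152.159.40/31, 198.51.100.0-198.51.100.15,
                             203.0.113.7 }
        }
}
"""


def parse_elements(listing):
    """Return the set's elements as (first, last) integer address ranges.

    Handles single addresses, CIDR prefixes and explicit a-b ranges, which
    are the three forms nft prints for an ipv4_addr interval set.
    """
    m = re.search(r"elements\s*=\s*\{(.*?)\}", listing, re.S)
    if not m:
        return []
    ranges = []
    for token in m.group(1).split(","):
        token = token.strip()
        if not token:
            continue
        if "-" in token:
            lo, hi = token.split("-")
            ranges.append((int(ipaddress.IPv4Address(lo)),
                           int(ipaddress.IPv4Address(hi))))
        else:
            net = ipaddress.IPv4Network(token, strict=False)
            ranges.append((int(net.network_address),
                           int(net.broadcast_address)))
    return ranges


def covers(ranges, ip):
    """True if the listed intervals contain ip."""
    n = int(ipaddress.IPv4Address(ip))
    return any(lo <= n <= hi for lo, hi in ranges)


def missing(ranges, expected):
    """Expected addresses that the listed intervals do not cover."""
    return [ip for ip in expected if not covers(ranges, ip)]


def merge_adjacent(ips):
    """Collapse single addresses into the prefixes an interval set would use.

    Consecutive addresses become one range, which is then expressed as the
    minimal list of CIDR prefixes (so .40 and .41 become one /31).
    """
    nums = sorted(int(ipaddress.IPv4Address(ip)) for ip in set(ips))
    runs = []
    for n in nums:
        if runs and runs[-1][1] + 1 == n:
            runs[-1] = (runs[-1][0], n)
        else:
            runs.append((n, n))
    result = []
    for lo, hi in runs:
        result.extend(str(p) for p in ipaddress.summarize_address_range(
            ipaddress.IPv4Address(lo), ipaddress.IPv4Address(hi)))
    return result


def probe_commands(family, table, name, ips):
    """Commands that ask the kernel, not the listing, whether each IP matches."""
    return [f"nft get element {family} {table} {name} {{ {ip} }}" for ip in ips]


if __name__ == "__main__":
    print("merged:", merge_adjacent(["82.152.159.40", "82.152.159.41"]))
    elems = parse_elements(SAMPLE_LISTING)
    wanted = ["82.152.159.40", "82.152.159.41", "203.0.113.7"]
    print("not covered by listing:", missing(elems, wanted))
    for cmd in probe_commands("inet", "firewalld", "larcs4", wanted):
        print(cmd)
```

If every expected address is covered by the listing but one of the `nft get element` probes fails, the mismatch is between userspace's view of the set and the kernel's matching, which is exactly the situation the report describes; if the listing itself does not cover an address, the problem is in how the elements were loaded rather than in the kernel.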