Google
  Web www.spinics.net

Re: ipset support in tc

[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index] 


2. tc ematch bug
tc filter add dev ifb0 protocol ip parent f:0 prio 10\
basic match (ipset'(set1 src,src,dst)' or ipset'(set2 dst,src,src)' or ipset'(set3 src,dst)') and ipset'(set4 src,src)'\
flowid f:38

produces the following error: syntax error near unexpected token `('


Probably from your shell? Escaping the outer ( ) via \ works for me:
.. match \(ipset'(set1 src,src,dst)' or ipset'(set2 dst,src,src)' or ipset'(set3 \
src,dst)'\) and ipset'(set4 src,src)' flowid ...
Damn! Never thought of that. You are right - it might be my bash shell as everything was executed from the command line. 


3. Numerous tc ematch ipset bugs:


Well, i did warn you :-)

No problem, I was expecting it.


3.1. bitmap:port can't produce any matches

ipset n b_test-port bitmap:port range 22-22 timeout 0
ipset a b_test-port 22

tc filter add dev ifb0 protocol ip parent f:0 prio 14\
basic match ipset'(b_test-port src)'\
flowid f:26

produces no matches. This is also true when port match is present in an "and" | "or" logical expression, like ipset'(b_ssh-host src)' and ipset'(b_ssh-port src)'


True.  The bug is that classifiers run with skb->data pointing to the L2 header,
but netfilter starts with skb->data pointing to L3 header.

Please, consider re-testing with this patchlet:

Will do that straight away and recompile tc.


3.2. hash:ip,port produces no matches:

ipset n h_test-hosts hash:ip,port family inet timeout 0 hashsize 64
ipset a h_test-hosts 10.1.1.7,tcp:22

tc filter add dev ifb0 protocol ip parent f:0 prio 21\
basic match ipset'(h_test-hosts src,src)'\
flowid f:33


Haven't tried this, but anything trying to access
transport headers won't work due to bug above.
Should I assume that by applying your patchlet I could test the above bugs again or should I wait? Please let me know. 


Thanks for testing!

Pleasure, any time!

--
To unsubscribe from this list: send the line "unsubscribe lartc" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html

[Bugtraq]     [Fedora Legacy]     [GCC Help]     [Yosemite News]     [Yosemite Photos]     [IP Tables]     [Netfilter Devel]     [Fedora Users]

Powered by Linux