Bug 26697 - ipset 7.6 update for kernel 5.6
Summary: ipset 7.6 update for kernel 5.6
Status: NEW
Alias: None
Product: Mageia
Classification: Unclassified
Component: RPM Packages
Version: 7
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact:
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2020-05-28 17:20 CEST by David Walser
Modified: 2020-07-06 22:59 CEST

See Also:
Source RPM: ipset-7.1-1.mga7.src.rpm
CVE:
Status comment:


Description David Walser 2020-05-28 17:20:26 CEST
Advisory:
----------------------------------------

The ipset package has been updated to version 7.6, fixing several bugs and
compatibility with the latest kernels.

References:
http://ipset.netfilter.org/changelog.html
----------------------------------------

Updated packages in core/updates_testing:
----------------------------------------
ipset-7.6-1.mga7
libipset13-7.6-1.mga7
libipset-devel-7.6-1.mga7

from ipset-7.6-1.mga7.src.rpm
Comment 1 Herman Viaene 2020-05-30 15:11:22 CEST
MGA7-64 Plasma on Lenovo B50
No installation issues.
No Wiki or previous updates.
Found https://www.linuxjournal.com/content/advanced-firewall-configurations-ipset , but I don't feel "advanced" on this subject.
The only commands that would do no harm in my hands:
# ipset version
ipset v7.6, protocol version: 7

# ipset list
returns nothing (of course).
Leaving for others.

CC: (none) => herman.viaene

Comment 2 PC LX 2020-06-01 23:38:00 CEST
There is something wrong with the bash autocompletion.

I took a quick look at the file /usr/share/bash-completion/completions/ipset but failed to find what the issue is.


$ ipset bash: syntax error near unexpected token `;;'

add      create   del      destroy  e        flush    help     list     n        rename   restore  save     swap     test     version  w        x        

$ rpm -qa | grep ipset
lib64ipset13-7.6-1.mga7
ipset-7.6-1.mga7

CC: (none) => mageia

Comment 3 Len Lawrence 2020-06-18 16:20:29 CEST
@Herman with respect to comment 1:

Don't know why there was no output from your ipset list.
# ipset list 
Name: ifw_wl
Type: hash:ip
Revision: 4
Header: family inet hashsize 1024 maxelem 65536
Size in memory: 200
References: 1
Number of entries: 0
Members:

Name: ifw_bl
Type: hash:ip
Revision: 4
Header: family inet hashsize 1024 maxelem 65536 timeout 3600
Size in memory: 200
References: 1
Number of entries: 0
Members:
# ipset list ifw_bl
Name: ifw_bl
Type: hash:ip
Revision: 4
Header: family inet hashsize 1024 maxelem 65536 timeout 3600
Size in memory: 200
References: 1
Number of entries: 0
Members:

CC: (none) => tarazed25

Comment 4 Herman Viaene 2020-06-20 14:53:09 CEST
@Len
Tried again, still no feedback. And I am doing this on this wifi-connected laptop.
Different HW ?? Mine is Intel 3160
Comment 5 Len Lawrence 2020-06-21 02:01:14 CEST
@Herman
Different hardware for sure.  So, maybe a driver problem but that seems unlikely.  One thing; on my network I have to remove firewall protection for each network device on all machines or they cannot see each other.  Shall experiment a bit and get back to you.
Comment 6 Len Lawrence 2020-06-21 16:53:01 CEST
Tried protecting eth0 in the firewall and tried 'ipset list' again.  No problem, so that does not help.  And LAN is still accessible but emacs has stopped working.
Comment 7 PC LX 2020-07-06 22:59:47 CEST
Installed and tested. All OK except one minor issue.

Tested create, add, del, test, destroy, list, save, restore, flush, rename and swap. Tested a few types of set (hash:ip hash:ip,port hash:net hash:net,port).

There is a minor issue with the bash autocompletion not working as described in comment 2. While it should be fixed, it should not block this update, IMO.


$ ipset create droplist hash:ip
$ cat /var/log/httpd/error.log | \
  grep AH01630 | \
  egrep -io "client: [^:]+" | \
  egrep -io " .*" | \
  sort -u | \
  (while read U ; do ipset add droplist "$U" ; done)
$ ipset list
Name: droplist
Type: hash:ip
Revision: 4
Header: family inet hashsize 1024 maxelem 65536
Size in memory: 1784
References: 2
Number of entries: 33
Members:
<SNIP>

$ # iptables rules were set up manually to test ipset rules.
$ iptables -vS
-P INPUT ACCEPT -c 136415 148328301
-P FORWARD ACCEPT -c 0 0
-P OUTPUT ACCEPT -c 77005 14441585
-A INPUT -m set --match-set droplist src -c 80 3800 -j DROP
-A FORWARD -m set --match-set droplist src -c 0 0 -j DROP
$ iptables -vL
Chain INPUT (policy ACCEPT 136K packets, 148M bytes)
 pkts bytes target     prot opt in     out     source               destination         
   80  3800 DROP       all  --  any    any     anywhere             anywhere             match-set droplist src

Chain FORWARD (policy ACCEPT 0 packets, 0 bytes)
 pkts bytes target     prot opt in     out     source               destination         
    0     0 DROP       all  --  any    any     anywhere             anywhere             match-set droplist src

Chain OUTPUT (policy ACCEPT 77007 packets, 14M bytes)
 pkts bytes target     prot opt in     out     source               destination         



$ uname -a
Linux marte 5.6.14-desktop-2.mga7 #1 SMP Wed May 20 23:14:20 UTC 2020 x86_64 x86_64 x86_64 GNU/Linux
$ rpm -qa | grep ipset
lib64ipset13-7.6-1.mga7
ipset-7.6-1.mga7
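
Added example (not part of comment 7 and not ipset project code): the log-to-set step from comment 7, written so that the addresses are validated and loaded in one `ipset restore` run with a swap, instead of one `ipset add` per address. It assumes the stock Apache 2.4 `[client ADDR:PORT]` field and also accepts the `client: ADDR` form that the comment's grep pattern matches; the log lines are constructed and the `droplist_new` staging set name is hypothetical.

```sh
#!/bin/sh
# Added example, not from the bug report. "droplist" is the set name used in
# comment 7; the "_new" staging-set suffix is a hypothetical choice.

# Constructed sample log lines (documentation address ranges only).
sample_log() {
  cat <<'EOF'
[Mon Jul 06 21:10:01.100000 2020] [authz_core:error] [pid 4242] [client 198.51.100.7:40112] AH01630: client denied by server configuration: /var/www/html/.env
[Mon Jul 06 21:10:02.200000 2020] [authz_core:error] [pid 4242] [client 198.51.100.7:40113] AH01630: client denied by server configuration: /var/www/html/.git
[Mon Jul 06 21:10:03.300000 2020] [authz_core:error] [pid 4243] [client 203.0.113.5:51820] AH01630: client denied by server configuration: /var/www/html/client: 10.0.0.1
[Mon Jul 06 21:10:04.400000 2020] [core:info] [pid 4243] [client 192.0.2.10:33000] AH00128: File does not exist: /var/www/html/favicon.ico
[Mon Jul 06 21:10:05.500000 2020] [authz_core:error] [pid 4244] [client 2001:db8::1:443] AH01630: client denied by server configuration: /var/www/html/admin
[2020-07-06 21:10:06] [error] client: 192.0.2.77: AH01630: client denied by server configuration: /var/www/html/admin
[Mon Jul 06 21:10:07.700000 2020] [authz_core:error] [pid 4245] [client 300.1.1.1:80] AH01630: client denied by server configuration: /x
EOF
}

# Read log lines on stdin, print unique valid IPv4 client addresses.
# Only the first client field on a line is used: the denied path later in
# the line is request-controlled text and must not feed the drop list.
extract_denied_ipv4() {
  awk '/AH01630/ && match($0, /client:? [0-9]+\.[0-9]+\.[0-9]+\.[0-9]+/) {
         ip = substr($0, RSTART, RLENGTH); sub(/^client:? /, "", ip)
         split(ip, o, "."); ok = 1
         for (i = 1; i <= 4; i++)
           if (length(o[i]) > 3 || (o[i] + 0) > 255) ok = 0
         if (ok) print ip
       }' | LC_ALL=C sort -u
}

# Read addresses on stdin, print an `ipset restore` script for set $1.
# The staging set is filled first and then swapped in, so rules that
# reference the live set never see it half-built.
build_restore() {
  printf 'create %s hash:ip family inet\n' "$1" "${1}_new"
  printf 'flush %s_new\n' "$1"
  while read -r ip; do printf 'add %s_new %s\n' "$1" "$ip"; done
  printf 'swap %s_new %s\n' "$1" "$1"
  printf 'destroy %s_new\n' "$1"
}

# Prints the script only; on a host, pipe it to: ipset -exist restore
sample_log | extract_denied_ipv4 | build_restore droplist
```

The `-exist` option lets the two `create` lines pass when a set with the same parameters is already present, as `droplist` is after the `ipset create` in comment 7.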
