Thread: Re : IPSET iptree problem




Re : IPSET iptree problem
2007-08-27 07:56:43
Hello, 
 
my kernel is now
Linux x-rabbit 2.6.23-rc3 #1 Mon Aug 27 13:44:18 CEST 2007 i686 pentium4 i386 GNU/Linux

I performed two tests, one shortly after boot and another a few minutes later.
The results are different.
I hope this will help you.
 
 
[root@x-rabbit ~]# logger Test Start
[root@x-rabbit ~]# ipset -N viruses iptree --timeout 100
[root@x-rabbit ~]# ipset -A viruses 172.16.14.12
[root@x-rabbit ~]# ipset -T viruses 172.16.14.12
172.16.14.12 is in set viruses.
[root@x-rabbit ~]# ipset -T viruses 172.16.14.111
172.16.14.111 is in set viruses.
[root@x-rabbit ~]# ipset -n -L viruses
Name: viruses 
Type: iptree 
References: 0 
Default binding: 
Header: timeout: 100 
Members: 
172.16.14.12%81 
Bindings: 
 
 
Kernel log: 
 
 
Aug 27 14:46:44 x-rabbit root: Test Start 
Aug 27 14:46:59 x-rabbit kernel:
net/ipv4/netfilter/ip_set.c: ip_set_sockfn_set (DBG): 
optval83, user08059198, len76 
Aug 27 14:46:59 x-rabbit kernel:
net/ipv4/netfilter/ip_set.c: ip_set_sockfn_set (DBG): 
op1 
Aug 27 14:46:59 x-rabbit kernel:
net/ipv4/netfilter/ip_set.c: ip_set_create (DBG): 
setname: viruses, typename: iptree, id: 
65535 
Aug 27 14:46:59 x-rabbit kernel:
net/ipv4/netfilter/ip_set.c: ip_set_create (DBG): try 
to load ip_set_iptree 
Aug 27 14:46:59 x-rabbit kernel:
net/ipv4/netfilter/ip_set.c: ip_set_register_set_type 
(DBG): 'iptree' registered. 
Aug 27 14:46:59 x-rabbit kernel:
net/ipv4/netfilter/ip_set.c: ip_set_create (DBG): 
create: 'viruses' created with index 0, 
id 0! 
Aug 27 14:46:59 x-rabbit kernel:
net/ipv4/netfilter/ip_set.c: ip_set_sockfn_set (DBG): 
final result 0 
Aug 27 14:47:10 x-rabbit kernel:
net/ipv4/netfilter/ip_set.c: ip_set_sockfn_get (DBG): 
optval83, userbfb076a8, len72 
Aug 27 14:47:10 x-rabbit kernel:
net/ipv4/netfilter/ip_set.c: ip_set_sockfn_get (DBG): 
op10 
Aug 27 14:47:10 x-rabbit kernel:
net/ipv4/netfilter/ip_set.c: ip_set_sockfn_get (DBG): 
set viruses, copylen 72 
Aug 27 14:47:10 x-rabbit kernel:
net/ipv4/netfilter/ip_set.c: ip_set_sockfn_get (DBG): 
final result 0 
Aug 27 14:47:10 x-rabbit kernel:
net/ipv4/netfilter/ip_set.c: ip_set_sockfn_set (DBG): 
optval83, user08059060, len16 
Aug 27 14:47:10 x-rabbit kernel:
net/ipv4/netfilter/ip_set.c: ip_set_sockfn_set (DBG): 
op101 
 
Aug 27 14:47:10 x-rabbit kernel:
net/ipv4/netfilter/ip_set_iptree.c: addip (DBG): 
172.16.14.12 0 
Aug 27 14:47:10 x-rabbit kernel:
net/ipv4/netfilter/ip_set_iptree.c: __addip (DBG): 
172 16 14 12 timeout 100 
Aug 27 14:47:10 x-rabbit kernel:
net/ipv4/netfilter/ip_set_iptree.c: __addip (DBG): 
alloc 172 
Aug 27 14:47:10 x-rabbit kernel:
net/ipv4/netfilter/ip_set_iptree.c: __addip (DBG): 
alloc 16 
Aug 27 14:47:10 x-rabbit kernel:
net/ipv4/netfilter/ip_set_iptree.c: __addip (DBG): 
alloc 14 
Aug 27 14:47:10 x-rabbit kernel:
net/ipv4/netfilter/ip_set_iptree.c: __addip (DBG): 12 
4294935011 
Aug 27 14:47:10 x-rabbit kernel:
net/ipv4/netfilter/ip_set.c: ip_set_sockfn_set (DBG): 
final result 0 
Aug 27 14:47:15 x-rabbit kernel:
net/ipv4/netfilter/ip_set.c: ip_set_sockfn_get (DBG): 
optval83, userbfe349d8, len72 
Aug 27 14:47:15 x-rabbit kernel:
net/ipv4/netfilter/ip_set.c: ip_set_sockfn_get (DBG): 
op10 
Aug 27 14:47:15 x-rabbit kernel:
net/ipv4/netfilter/ip_set.c: ip_set_sockfn_get (DBG): 
set viruses, copylen 72 
Aug 27 14:47:15 x-rabbit kernel:
net/ipv4/netfilter/ip_set.c: ip_set_sockfn_get (DBG): 
final result 0 
Aug 27 14:47:15 x-rabbit kernel:
net/ipv4/netfilter/ip_set.c: ip_set_sockfn_set (DBG): 
optval83, user08059060, len16 
Aug 27 14:47:15 x-rabbit kernel:
net/ipv4/netfilter/ip_set.c: ip_set_sockfn_set (DBG): 
op103 
 
Aug 27 14:47:15 x-rabbit kernel:
net/ipv4/netfilter/ip_set_iptree.c: __testip (DBG): 
172 16 14 12 timeout 100 
Aug 27 14:47:15 x-rabbit kernel:
net/ipv4/netfilter/ip_set_iptree.c: __testip (DBG): 
4294935011 4294911225 
Aug 27 14:47:15 x-rabbit kernel:
net/ipv4/netfilter/ip_set.c: ip_set_sockfn_set (DBG): 
final result -17 
Aug 27 14:47:18 x-rabbit kernel:
net/ipv4/netfilter/ip_set.c: ip_set_sockfn_get (DBG): 
optval83, userbf811bb8, len72 
Aug 27 14:47:18 x-rabbit kernel:
net/ipv4/netfilter/ip_set.c: ip_set_sockfn_get (DBG): 
op10 
Aug 27 14:47:18 x-rabbit kernel:
net/ipv4/netfilter/ip_set.c: ip_set_sockfn_get (DBG): 
set viruses, copylen 72 
Aug 27 14:47:18 x-rabbit kernel:
net/ipv4/netfilter/ip_set.c: ip_set_sockfn_get (DBG): 
final result 0 
Aug 27 14:47:18 x-rabbit kernel:
net/ipv4/netfilter/ip_set.c: ip_set_sockfn_set (DBG): 
optval83, user08059060, len16 
Aug 27 14:47:18 x-rabbit kernel:
net/ipv4/netfilter/ip_set.c: ip_set_sockfn_set (DBG): 
op103 
Aug 27 14:47:18 x-rabbit kernel:
net/ipv4/netfilter/ip_set_iptree.c: __testip (DBG): 
172 16 14 111 timeout 100 
Aug 27 14:47:18 x-rabbit kernel:
net/ipv4/netfilter/ip_set_iptree.c: __testip (DBG): 0 
4294912132 
Aug 27 14:47:18 x-rabbit kernel:
net/ipv4/netfilter/ip_set.c: ip_set_sockfn_set (DBG): 
final result -17 
Aug 27 14:47:28 x-rabbit kernel:
net/ipv4/netfilter/ip_set.c: ip_set_sockfn_get (DBG): 
optval83, userbfd2a77c, len44 
Aug 27 14:47:28 x-rabbit kernel:
net/ipv4/netfilter/ip_set.c: ip_set_sockfn_get (DBG): 
op20 
Aug 27 14:47:28 x-rabbit kernel:
net/ipv4/netfilter/ip_set.c: ip_set_sockfn_get (DBG): 
set :all:, copylen 44 
Aug 27 14:47:28 x-rabbit kernel:
net/ipv4/netfilter/ip_set.c: ip_set_sockfn_get (DBG): 
final result 0 
Aug 27 14:47:28 x-rabbit kernel:
net/ipv4/netfilter/ip_set.c: ip_set_sockfn_get (DBG): 
optval83, user08059138, len80 
Aug 27 14:47:28 x-rabbit kernel:
net/ipv4/netfilter/ip_set.c: ip_set_sockfn_get (DBG): 
op201 
Aug 27 14:47:28 x-rabbit kernel:
net/ipv4/netfilter/ip_set.c: ip_set_sockfn_get (DBG): 
filled viruses of type iptree, index 
 0 
 
Aug 27 14:47:28 x-rabbit kernel: 
Aug 27 14:47:28 x-rabbit kernel:
net/ipv4/netfilter/ip_set_iptree.c: list_members_size 
(DBG): members 1 
Aug 27 14:47:28 x-rabbit kernel:
net/ipv4/netfilter/ip_set.c: ip_set_sockfn_get (DBG): 
set :all:, copylen 80 
Aug 27 14:47:28 x-rabbit kernel:
net/ipv4/netfilter/ip_set.c: ip_set_sockfn_get (DBG): 
final result 0 
Aug 27 14:47:28 x-rabbit kernel:
net/ipv4/netfilter/ip_set.c: ip_set_sockfn_get (DBG): 
optval83, user08059138, len32 
Aug 27 14:47:28 x-rabbit kernel:
net/ipv4/netfilter/ip_set.c: ip_set_sockfn_get (DBG): 
op203 
Aug 27 14:47:28 x-rabbit kernel:
net/ipv4/netfilter/ip_set.c: ip_set_list_set (DBG): set:
viruses, used: 0 e083e000 e083e000
Aug 27 14:47:28 x-rabbit kernel:
net/ipv4/netfilter/ip_set_iptree.c: list_members_size 
(DBG): members 1 
Aug 27 14:47:28 x-rabbit kernel:
net/ipv4/netfilter/ip_set.c: ip_set_sockfn_get (DBG): 
set viruses, copylen 32 
Aug 27 14:47:28 x-rabbit kernel:
net/ipv4/netfilter/ip_set.c: ip_set_sockfn_get (DBG): 
final result 0 
Aug 27 14:51:59 x-rabbit kernel:
net/ipv4/netfilter/ip_set_iptree.c: ip_tree_gc (DBG): 
gc: viruses 
Aug 27 14:51:59 x-rabbit kernel:
net/ipv4/netfilter/ip_set_iptree.c: ip_tree_gc (DBG):
gc: 172 16 14 12: expires 4294935011 jiffies 15109
Aug 27 14:51:59 x-rabbit kernel:
net/ipv4/netfilter/ip_set_iptree.c: ip_tree_gc (DBG): 
gc: viruses: leaf 172 16 14 empty 
Aug 27 14:51:59 x-rabbit kernel:
net/ipv4/netfilter/ip_set_iptree.c: ip_tree_gc (DBG): 
gc: viruses: branch 172 16 empty 
Aug 27 14:51:59 x-rabbit kernel:
net/ipv4/netfilter/ip_set_iptree.c: ip_tree_gc (DBG): 
gc: viruses: branch 172 empty 
 
 
 
 
The same test after 5 minutes from system boot: 
 
 
[root@x-rabbit ~]# logger Next Test
[root@x-rabbit ~]# ipset -A viruses 172.16.14.12
[root@x-rabbit ~]# ipset -T viruses 172.16.14.12
172.16.14.12 is in set viruses.
[root@x-rabbit ~]# ipset -T viruses 172.16.14.111
172.16.14.111 is NOT in set viruses.
[root@x-rabbit ~]# ipset -n -L viruses
Name: viruses 
Type: iptree 
References: 0 
Default binding: 
Header: timeout: 100 
Members: 
172.16.14.12%83 
Bindings: 
 
 
Kernel Logs: 
 
Aug 27 14:55:38 x-rabbit root: Next Test 
Aug 27 14:55:42 x-rabbit kernel:
net/ipv4/netfilter/ip_set.c: ip_set_sockfn_get (DBG): 
optval83, userbfc71818, len72 
Aug 27 14:55:42 x-rabbit kernel:
net/ipv4/netfilter/ip_set.c: ip_set_sockfn_get (DBG): 
op10 
Aug 27 14:55:42 x-rabbit kernel:
net/ipv4/netfilter/ip_set.c: ip_set_sockfn_get (DBG): 
set viruses, copylen 72 
Aug 27 14:55:42 x-rabbit kernel:
net/ipv4/netfilter/ip_set.c: ip_set_sockfn_get (DBG): 
final result 0 
Aug 27 14:55:42 x-rabbit kernel:
net/ipv4/netfilter/ip_set.c: ip_set_sockfn_set (DBG): 
optval83, user08059060, len16 
Aug 27 14:55:42 x-rabbit kernel:
net/ipv4/netfilter/ip_set.c: ip_set_sockfn_set (DBG): 
op101 
Aug 27 14:55:42 x-rabbit kernel:
net/ipv4/netfilter/ip_set_iptree.c: addip (DBG): 
172.16.14.12 0 
Aug 27 14:55:42 x-rabbit kernel:
net/ipv4/netfilter/ip_set_iptree.c: __addip (DBG): 
172 16 14 12 timeout 100 
Aug 27 14:55:42 x-rabbit kernel:
net/ipv4/netfilter/ip_set_iptree.c: __addip (DBG): 
alloc 172 
Aug 27 14:55:42 x-rabbit kernel:
net/ipv4/netfilter/ip_set_iptree.c: __addip (DBG): 
alloc 16 
Aug 27 14:55:42 x-rabbit kernel:
net/ipv4/netfilter/ip_set_iptree.c: __addip (DBG): 
alloc 14 
Aug 27 14:55:42 x-rabbit kernel:
net/ipv4/netfilter/ip_set_iptree.c: __addip (DBG): 12 
95780 
Aug 27 14:55:42 x-rabbit kernel:
net/ipv4/netfilter/ip_set.c: ip_set_sockfn_set (DBG): 
final result 0 
Aug 27 14:55:46 x-rabbit kernel:
net/ipv4/netfilter/ip_set.c: ip_set_sockfn_get (DBG): 
optval83, userbfb58f08, len72 
Aug 27 14:55:46 x-rabbit kernel:
net/ipv4/netfilter/ip_set.c: ip_set_sockfn_get (DBG): 
op10 
Aug 27 14:55:46 x-rabbit kernel:
net/ipv4/netfilter/ip_set.c: ip_set_sockfn_get (DBG): 
set viruses, copylen 72 
Aug 27 14:55:46 x-rabbit kernel:
net/ipv4/netfilter/ip_set.c: ip_set_sockfn_get (DBG): 
final result 0 
Aug 27 14:55:46 x-rabbit kernel:
net/ipv4/netfilter/ip_set.c: ip_set_sockfn_set (DBG): 
optval83, user08059060, len16 
Aug 27 14:55:46 x-rabbit kernel:
net/ipv4/netfilter/ip_set.c: ip_set_sockfn_set (DBG): 
op103 
Aug 27 14:55:46 x-rabbit kernel:
net/ipv4/netfilter/ip_set_iptree.c: __testip (DBG): 
172 16 14 12 timeout 100 
Aug 27 14:55:46 x-rabbit kernel:
net/ipv4/netfilter/ip_set_iptree.c: __testip (DBG): 
95780 71693 
Aug 27 14:55:46 x-rabbit kernel:
net/ipv4/netfilter/ip_set.c: ip_set_sockfn_set (DBG): 
final result -17 
Aug 27 14:55:49 x-rabbit kernel:
net/ipv4/netfilter/ip_set.c: ip_set_sockfn_get (DBG): 
optval83, userbf843be8, len72 
Aug 27 14:55:49 x-rabbit kernel:
net/ipv4/netfilter/ip_set.c: ip_set_sockfn_get (DBG): 
op10 
Aug 27 14:55:49 x-rabbit kernel:
net/ipv4/netfilter/ip_set.c: ip_set_sockfn_get (DBG): 
set viruses, copylen 72 
Aug 27 14:55:49 x-rabbit kernel:
net/ipv4/netfilter/ip_set.c: ip_set_sockfn_get (DBG): 
final result 0 
Aug 27 14:55:49 x-rabbit kernel:
net/ipv4/netfilter/ip_set.c: ip_set_sockfn_set (DBG): 
optval83, user08059060, len16 
Aug 27 14:55:49 x-rabbit kernel:
net/ipv4/netfilter/ip_set.c: ip_set_sockfn_set (DBG): 
op103 
Aug 27 14:55:49 x-rabbit kernel:
net/ipv4/netfilter/ip_set_iptree.c: __testip (DBG): 
172 16 14 111 timeout 100 
Aug 27 14:55:49 x-rabbit kernel:
net/ipv4/netfilter/ip_set_iptree.c: __testip (DBG): 0 
72605 
Aug 27 14:55:49 x-rabbit kernel:
net/ipv4/netfilter/ip_set.c: ip_set_sockfn_set (DBG): 
final result 0 
Aug 27 14:55:59 x-rabbit kernel:
net/ipv4/netfilter/ip_set.c: ip_set_sockfn_get (DBG): 
optval83, userbfc88edc, len44 
Aug 27 14:55:59 x-rabbit kernel:
net/ipv4/netfilter/ip_set.c: ip_set_sockfn_get (DBG): 
op20 
Aug 27 14:55:59 x-rabbit kernel:
net/ipv4/netfilter/ip_set.c: ip_set_sockfn_get (DBG): 
set :all:, copylen 44 
Aug 27 14:55:59 x-rabbit kernel:
net/ipv4/netfilter/ip_set.c: ip_set_sockfn_get (DBG): 
final result 0 
Aug 27 14:55:59 x-rabbit kernel:
net/ipv4/netfilter/ip_set.c: ip_set_sockfn_get (DBG): 
optval83, user08059138, len80 
Aug 27 14:55:59 x-rabbit kernel:
net/ipv4/netfilter/ip_set.c: ip_set_sockfn_get (DBG): 
op201 
Aug 27 14:55:59 x-rabbit kernel:
net/ipv4/netfilter/ip_set.c: ip_set_sockfn_get (DBG): 
filled viruses of type iptree, index 
 0 
Aug 27 14:55:59 x-rabbit kernel: 
Aug 27 14:55:59 x-rabbit kernel:
net/ipv4/netfilter/ip_set_iptree.c: list_members_size 
(DBG): members 1 
Aug 27 14:55:59 x-rabbit kernel:
net/ipv4/netfilter/ip_set.c: ip_set_sockfn_get (DBG): 
set :all:, copylen 80 
Aug 27 14:55:59 x-rabbit kernel:
net/ipv4/netfilter/ip_set.c: ip_set_sockfn_get (DBG): 
final result 0 
Aug 27 14:55:59 x-rabbit kernel:
net/ipv4/netfilter/ip_set.c: ip_set_sockfn_get (DBG): 
optval83, user08059138, len32 
Aug 27 14:55:59 x-rabbit kernel:
net/ipv4/netfilter/ip_set.c: ip_set_sockfn_get (DBG): 
op203 
Aug 27 14:55:59 x-rabbit kernel:
net/ipv4/netfilter/ip_set.c: ip_set_list_set (DBG): set:
viruses, used: 0 e083e000 e083e000
Aug 27 14:55:59 x-rabbit kernel:
net/ipv4/netfilter/ip_set_iptree.c: list_members_size 
(DBG): members 1 
Aug 27 14:55:59 x-rabbit kernel:
net/ipv4/netfilter/ip_set.c: ip_set_sockfn_get (DBG): 
set viruses, copylen 32 
Aug 27 14:55:59 x-rabbit kernel:
net/ipv4/netfilter/ip_set.c: ip_set_sockfn_get (DBG): 
final result 0 
Aug 27 14:56:59 x-rabbit kernel:
net/ipv4/netfilter/ip_set_iptree.c: ip_tree_gc (DBG): 
gc: viruses 
Aug 27 14:56:59 x-rabbit kernel:
net/ipv4/netfilter/ip_set_iptree.c: ip_tree_gc (DBG):
gc: 172 16 14 12: expires 95780 jiffies 90109
Aug 27 14:56:59 x-rabbit kernel:
net/ipv4/netfilter/ip_set_iptree.c: ip_tree_gc (DBG):
gc: viruses: leaf 172 16 14 not empty
Aug 27 14:56:59 x-rabbit kernel:
net/ipv4/netfilter/ip_set_iptree.c: ip_tree_gc (DBG): 
gc: viruses: branch 172 16 not empty 
Aug 27 14:56:59 x-rabbit kernel:
net/ipv4/netfilter/ip_set_iptree.c: ip_tree_gc (DBG): 
gc: viruses: branch 172 not empty 
(END) 
 
 
 
 
 
 
 
>>> After IPTREE_GC_TIME all is ok for some unknown period of
>>> time, but finally this malfunction comes again.
>>
>> Thank you the reports, on the weekend I'll be able to debug it.
>> Please stay tuned.
>
>Hm, I'm unable to reproduce it. There *was* an endian-related bug in
>the iptree type, but even that could not cause such behaviour.
>
>Please give a try to the upcoming release, which you can get
>as http://ipset.netfilter.org/ipset-2.6.23-rc3.patch.
>
>If you still see the bug, please do the following:
>
>- recompile ipset in the kernel with debugging enabled, i.e. change
>
>#if 0
>#define IP_SET_DEBUG
>#endif
>
>   to
>
>#if 1
>#define IP_SET_DEBUG
>#endif
>
>   in <kernel-src>/include/linux/netfilter_ipv4/ip_set.h
>
>- then after recompiling issue the following commands and report the
>   resulted kernel logs:
>
> ipset -N viruses iptree --timeout 100
> ipset -A viruses 172.16.14.12
> ipset -T viruses 172.16.14.12
> ipset -T viruses 172.16.14.111
> ipset -n -L viruses
>
>Best regards,
>Jozsef
>-
Re: IPSET iptree problem
2007-08-27 15:52:50
On Mon, Aug 27, 2007 at 18:40:36 +0200, Jozsef Kadlecsik wrote:
> On Mon, 27 Aug 2007, nofastwelnowiec.net wrote:
>
>> I performed two tests, one shortly after boot and another few minutes
>> later.
>> The results are different.
>> I hope this will help you.
>
> It did help: please give a try to the new version as
> http://ipset.netfilter.org/ipset-2.6.23-rc3.patch2.

Your mask_to_bits function results in an infinite loop if called
with parameter 1, for example.

If you care only about the first set bit, i.e. you do not bother checking
whether the netmask is valid, you can use:

static inline unsigned int mask_to_bits(ip_set_ip_t mask)
{
  if (mask == 0) return 0;
  return 33 - ffs(mask);
}

-- 
Do what you love because life is too short for anything
else.
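
The ffs()-based function from the message above, next to a stricter variant that rejects non-contiguous masks. This is an added userspace example, not part of the original post or of the ipset source. The 32-bit host-byte-order typedef for ip_set_ip_t and the name mask_to_bits_checked are assumptions.

```c
#include <stdint.h>
#include <stdio.h>
#include <strings.h>   /* ffs() in userspace; the kernel provides its own */

/* Assumption: a 32-bit host-byte-order address type standing in for ipset's. */
typedef uint32_t ip_set_ip_t;

/* The variant from the message: looks only at the lowest set bit. */
static unsigned int mask_to_bits(ip_set_ip_t mask)
{
    if (mask == 0)
        return 0;
    return 33 - ffs((int)mask);
}

/*
 * Hypothetical stricter variant: returns the prefix length, or -1 when the
 * mask is not a contiguous run of ones starting at the top bit.
 */
static int mask_to_bits_checked(ip_set_ip_t mask)
{
    ip_set_ip_t inv = ~mask;

    /* A valid netmask inverted is 2^k - 1, so inv & (inv + 1) is zero. */
    if (inv & (inv + 1))
        return -1;
    return (int)mask_to_bits(mask);
}

int main(void)
{
    /* Constructed sample masks, host byte order. */
    const ip_set_ip_t samples[] = {
        0x00000000u, 0xFFFFFFFFu, 0xFFFFFF00u, 0xFFFF0000u,
        0x00000001u, 0xFF00FF00u,
    };
    size_t i;

    for (i = 0; i < sizeof(samples) / sizeof(samples[0]); i++)
        printf("%08x  first-bit=%2u  checked=%d\n", (unsigned)samples[i],
               mask_to_bits(samples[i]), mask_to_bits_checked(samples[i]));
    return 0;
}
```

Both functions terminate for every input, including 1. The first-bit version reports 32 for mask 1 and 24 for 0xFF00FF00, which is why a caller that accepts masks from userspace may prefer the checked form.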
