ipset_update_from_file is strict CIDR only for Nets and addfile is lax and imports both IP and CIDR into Nets IPsets #465

Open
ampersand-et opened this issue Sep 10, 2021 · 1 comment

ampersand-et commented Sep 10, 2021

Found a bit of an anomaly when using FireHOL with IPSets when I started using a dynamic whitelist. This may have more to do with IPSet than FireHOL, but it's above my head how to dissect what's going on.

I use IP4 and IP6 NET ipsets and my file I load in has a mix of NETS and IPs. It works fine loading both CIDR and single IPs on initial loading of Firehol with:

ipv4 ipset create whitelist-ip4 hash:net
ipv4 ipset addfile whitelist-ip4 /some/path/whitelist-ip4.net
ipv6 ipset create whitelist-ip6 hash:net
ipv6 ipset addfile whitelist-ip6 /some/path/whitelist-ip6.net

If I were to update the same file again with a new single IP added to the source list:

firehol ipset_update_from_file whitelist-ip4 net  /some/path/whitelist-ip4.net
firehol ipset_update_from_file whitelist-ip6 net  /some/path/whitelist-ip6.net

Update_from_file will ignore any new single IP entries in the file. If I reload Firehol it will add both the CIDR and single IPs.

I understand I probably should use separate lists for single IPs and NETs, but I was trying to keep fewer files and lists for simplicity, or more likely laziness.

I switched my whitelist scripts to append a /32 or /128 to my single IPs going into the NET list, and ipset_update_from_file is happy with that. I just found it strange how it is fine to load non-CIDR entries into a NET on initialization of FireHOL but not when updating from file.

FireHOL 3.1.5 (3.1.5+ds-1ubuntu1)
ipset v7.5, protocol version: 7
Ubuntu 20.04.3 LTS

Cheers,
Ryan

ampersand-et (Author) commented

Just realized this affects the updating of all the FireHOL blacklists, since their .netsets are mixed addresses. Initial loading of FireHOL loads everything on the lists fine. Update ignores new IPs and only updates new CIDR entries.

Whether strict or lax on mixing IP and CIDR, I think addfile and ipset_update_from_file both should be consistent on how they deal with it?

Maybe everyone else sorts the Firehol blacklists into separate IP and Net lists?

Cheers,
Ryan
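The workaround described in the first comment (append /32 or /128 to bare addresses before feeding a mixed file to a hash:net ipset) and the concern in the second one (the blacklist .netsets are mixed too) both come down to normalizing a list file into strict CIDR form before handing it to ipset_update_from_file. The script below is an added example, not FireHOL's or ipset's own code; it uses Python's standard ipaddress module, the sample file contents are constructed, and the split into IPv4/IPv6 output is an assumption about how the whitelist-ip4/whitelist-ip6 files above are kept. Entries with host bits set in a prefix (e.g. 10.0.0.1/24) and unparsable lines are reported rather than silently rewritten, so an operator can review what would otherwise be dropped or widened in a whitelist.

```python
import sys
import ipaddress

# Constructed sample of a mixed list file (not taken from the issue's files).
SAMPLE_NETSET = """\
# comment line
192.0.2.0/24
198.51.100.7
2001:db8::/32
2001:db8::1
203.0.113.0/24  # trailing comment
not-an-address
"""


def normalize_entry(token):
    """Return the entry as a strict CIDR string, or None if it cannot be used.

    A bare IPv4 address becomes a /32 network, a bare IPv6 address a /128,
    and an already-valid prefix is returned unchanged. A prefix with host
    bits set (strict=True) is rejected rather than silently widened, since
    silently turning 10.0.0.1/24 into 10.0.0.0/24 is exactly the kind of
    change you do not want hidden inside a whitelist update.
    """
    token = token.strip()
    if not token:
        return None
    try:
        net = ipaddress.ip_network(token, strict=True)
    except ValueError:
        return None
    return str(net)


def normalize_netset(text):
    """Split mixed file text into (ipv4_cidrs, ipv6_cidrs, rejected).

    rejected is a list of (line_number, original_line) pairs for lines that
    were neither an address nor a valid network; comments and blank lines
    are skipped without being reported.
    """
    v4, v6, rejected = [], [], []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # drop whole-line and trailing comments
        if not line:
            continue
        cidr = normalize_entry(line)
        if cidr is None:
            rejected.append((lineno, raw))
            continue
        (v6 if ":" in cidr else v4).append(cidr)
    return v4, v6, rejected


def main(argv):
    # Usage: normalize_netset.py <input> <out-ipv4> <out-ipv6>
    # With no arguments, runs on the constructed sample and prints the result.
    if len(argv) == 4:
        with open(argv[1]) as fh:
            text = fh.read()
    else:
        text = SAMPLE_NETSET
    v4, v6, rejected = normalize_netset(text)
    if len(argv) == 4:
        with open(argv[2], "w") as fh:
            fh.write("\n".join(v4) + ("\n" if v4 else ""))
        with open(argv[3], "w") as fh:
            fh.write("\n".join(v6) + ("\n" if v6 else ""))
    else:
        print("IPv4:", v4)
        print("IPv6:", v6)
    for lineno, raw in rejected:
        print(f"rejected line {lineno}: {raw!r}", file=sys.stderr)
    return 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it over the source list before the two ipset_update_from_file calls shown above, pointing each call at the normalized per-family file; anything printed to stderr is an entry that would not have made it into the set in either code path and is worth a look.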

@ampersand-et ampersand-et changed the title ipset_update_from_file acts different than addfile when loading mixed CIDR & single IPs into NET ipset ipset_update_from_file is strict CIDR only for Nets and addfile is lax and imports both IP and CIDR into Nets IPsets Sep 24, 2021