Bug 200897

Summary:	ipset hash:net,port,net rejects CIDR 0 despite man page
Product:	Networking	Reporter:	Eric Westbrook (linux)
Component:	Netfilter/Iptables	Assignee:	networking_netfilter-iptables (networking_netfilter-iptables)
Status:	RESOLVED CODE_FIX
Severity:	normal
Priority:	P1
Hardware:	All
OS:	Linux
Kernel Version:	4.18.3	Subsystem:
Regression:	No	Bisected commit-id:
Attachments:	Allow /0 as advertised

Description Eric Westbrook 2018-08-22 16:47:34 UTC

The `ipset` man page says:

    hash:net,port,net
        The hash:net,port,net set type  behaves  similarly
        to  hash:ip,port,net  but accepts a cidr value for
        both the first and last parameter.  Either  subnet
        is  permitted  to be a /0 should you wish to match
        port between all destinations.

But the following input generates `IPSET_ERR_INVALID_CIDR` anyway.

    # ipset restore
    create cidrzero hash:net,port,net family inet hashsize 1024 maxelem 65536 counters comment
    add cidrzero 0.0.0.0/0,12345,0.0.0.0/0
    ipset v6.34: Error in line 2: The value of the CIDR parameter of the IP address is invalid

Using non-zero addresses doesn't help, nor does only assigning one or the other CIDR to 0 rather than both.

Am I doing it wrong?  How is it supposed to be done?

 - Kernel 4.18.3
 - ipset userland 6.34

Comment 1 Eric Westbrook 2018-08-28 21:18:56 UTC

Created attachment 278185 [details]
Allow /0 as advertised

Fix hash:net,port,net for advertised /0 behavior.  Submitted by email to LKML, netfilter-devel, and netfilter maintainers.

See also https://github.com/ewestbrook/linux/commit/df7ff6efb0934ab6acc11f003ff1a7580d6c1d9c

Comment 2 Eric Westbrook 2018-09-01 18:27:10 UTC

Fixed in https://git.netfilter.org/ipset/commit/?id=bdd09d11cf09fbe93963229fb2d686ad03126daa