The `ipset` man page says:
> The hash:net,port,net set type behaves similarly to hash:ip,port,net but accepts a cidr value for both the first and last parameter. Either subnet is permitted to be a /0 should you wish to match port between all destinations.
But the following input generates `IPSET_ERR_INVALID_CIDR` anyway.
```
# ipset restore
create cidrzero hash:net,port,net family inet hashsize 1024 maxelem 65536 counters comment
add cidrzero 0.0.0.0/0,12345,0.0.0.0/0
ipset v6.34: Error in line 2: The value of the CIDR parameter of the IP address is invalid
```
Using non-zero addresses doesn't help, nor does only assigning one or the other CIDR to 0 rather than both.
Am I doing it wrong? How is it supposed to be done?
- Kernel 4.18.3
- ipset userland 6.34
Created attachment 278185
Allow /0 as advertised
Fix hash:net,port,net for advertised /0 behavior. Submitted by email to LKML, netfilter-devel, and netfilter maintainers.
See also https://github.com/ewestbrook/linux/commit/df7ff6efb0934ab6acc11f003ff1a7580d6c1d9c
Fixed in https://git.netfilter.org/ipset/commit/?id=bdd09d11cf09fbe93963229fb2d686ad03126daa