iphash maxelem not supported in ipset v4.5?

Alfred

Occasional Visitor
Hello,

I am a happy owner of an RT-AC66U. Currently running rmerlin v380.62.0.
Fiddling with the example scripts for blocking countries, tor nodes and malware addresses. These malware addresses can be far more than the default maximum of 64k entries in the iphash table :-O So I tried to use the option maxelem (at create time) to increase its size, without success. Now I suspect that version 4.5 of ipset may not support this maxelem option at all.
1) Can somebody confirm this?
2) Is a new ipset version (with maxelem support) on the roadmap for RT-AC66U?
3) Would this require Asus development, or RMerlin magic?
 
Hello,

...Now I suspect that version 4.5 of ipset may not support this maxelem option at all.
1) Can somebody confirm this?
Yes...I looked at the source and it wasn't added until version 6
2) Is a new ipset version (with maxelem support) on the roadmap for RT-AC66U?
3) Would this require Asus development, or RMerlin magic?
Sorry, but won't happen.....ipset 4.5 is the last version supported by the kernel used for the AC66, and a kernel update isn't going to happen.
 
Yes...I looked at the source and it wasn't added until version 6

Sorry, but won't happen.....ipset 4.5 is the last version supported by the kernel used for the AC66, and a kernel update isn't going to happen.
Ok thx for the quick reply. Does AC68 have ipset 6?
 
Ok thx for the quick reply. Does AC68 have ipset 6?
Not the current ASUS or Merlin builds....they are also 4.5

I just updated to ipset 6 for the AC56/AC68 on my 374.43 fork in the last stable release (V19). Note that some of the commands/modules have changed with the ipset update.
 
Not the current ASUS or Merlin builds....they are also 4.5

I just updated to ipset 6 for the AC56/AC68 on my 374.43 fork in the last stable release (V19). Note that some of the commands/modules have changed with the ipset update.
Yes I noticed iphash => hash:ip a.o.
 
Here's a quick and dirty hack for the RT-AC66U router IPSet v4.5, maybe. You'll need to rebuild the firmware. This hack increases the 64K limit to 1 million elements for all hash types. I only use the iphash and nethash, and it seems to work just fine on my RT-AC68U router.

asuswrt-merlin-ipset-hack.patch
Code:
diff -u -B -N -r ./asuswrt-merlin-380.62-original/release/src-rt-6.x.4708/linux/linux-2.6.36/include/linux/netfilter_ipv4/ip_set.h ./asuswrt-merlin-380.62/release/src-rt-6.x.4708/linux/linux-2.6.36/include/linux/netfilter_ipv4/ip_set.h
--- ./asuswrt-merlin-380.62-original/release/src-rt-6.x.4708/linux/linux-2.6.36/include/linux/netfilter_ipv4/ip_set.h    2016-09-23 18:45:32.000000000 -0600
+++ ./asuswrt-merlin-380.62/release/src-rt-6.x.4708/linux/linux-2.6.36/include/linux/netfilter_ipv4/ip_set.h    2016-09-25 18:36:57.000000000 -0600
@@ -301,7 +301,7 @@
}
/* General limit for the elements in a set */
-#define MAX_RANGE 0x0000FFFF
+#define MAX_RANGE 0x000FFFFF
/* Alignment: 'unsigned long' unsupported */
#define IPSET_ALIGNTO        4
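Review bot: MAX_RANGE is edited in place at line 304, so every consumer of the macro inherits the jump from 65535 to 1048575, not only the hash set types. The comment above it calls it a general limit for the elements in a set, and the name suggests range-based users as well; adding a separate define for the hash element limit and leaving MAX_RANGE at 0x0000FFFF would confine the change to the hash types and keep anything else that includes this header at its old bound.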
diff -u -B -N -r ./asuswrt-merlin-380.62-original/release/src-rt-7.14.114.x/src/linux/linux-2.6.36/include/linux/netfilter_ipv4/ip_set.h ./asuswrt-merlin-380.62/release/src-rt-7.14.114.x/src/linux/linux-2.6.36/include/linux/netfilter_ipv4/ip_set.h
--- ./asuswrt-merlin-380.62-original/release/src-rt-7.14.114.x/src/linux/linux-2.6.36/include/linux/netfilter_ipv4/ip_set.h    2016-09-23 18:45:32.000000000 -0600
+++ ./asuswrt-merlin-380.62/release/src-rt-7.14.114.x/src/linux/linux-2.6.36/include/linux/netfilter_ipv4/ip_set.h    2016-09-25 18:37:19.000000000 -0600
@@ -301,7 +301,7 @@
}
/* General limit for the elements in a set */
-#define MAX_RANGE 0x0000FFFF
+#define MAX_RANGE 0x000FFFFF
/* Alignment: 'unsigned long' unsupported */
#define IPSET_ALIGNTO        4
diff -u -B -N -r ./asuswrt-merlin-380.62-original/release/src-rt-7.x.main/src/linux/linux-2.6.36/include/linux/netfilter_ipv4/ip_set.h ./asuswrt-merlin-380.62/release/src-rt-7.x.main/src/linux/linux-2.6.36/include/linux/netfilter_ipv4/ip_set.h
--- ./asuswrt-merlin-380.62-original/release/src-rt-7.x.main/src/linux/linux-2.6.36/include/linux/netfilter_ipv4/ip_set.h    2016-09-23 18:45:32.000000000 -0600
+++ ./asuswrt-merlin-380.62/release/src-rt-7.x.main/src/linux/linux-2.6.36/include/linux/netfilter_ipv4/ip_set.h    2016-09-25 18:37:32.000000000 -0600
@@ -301,7 +301,7 @@
}
/* General limit for the elements in a set */
-#define MAX_RANGE 0x0000FFFF
+#define MAX_RANGE 0x000FFFFF
/* Alignment: 'unsigned long' unsupported */
#define IPSET_ALIGNTO        4
diff -u -B -N -r ./asuswrt-merlin-380.62-original/release/src-rt/linux/linux-2.6/include/linux/netfilter_ipv4/ip_set.h ./asuswrt-merlin-380.62/release/src-rt/linux/linux-2.6/include/linux/netfilter_ipv4/ip_set.h
--- ./asuswrt-merlin-380.62-original/release/src-rt/linux/linux-2.6/include/linux/netfilter_ipv4/ip_set.h    2016-09-23 18:45:32.000000000 -0600
+++ ./asuswrt-merlin-380.62/release/src-rt/linux/linux-2.6/include/linux/netfilter_ipv4/ip_set.h    2016-09-25 18:37:41.000000000 -0600
@@ -301,7 +301,7 @@
}
/* General limit for the elements in a set */
-#define MAX_RANGE 0x0000FFFF
+#define MAX_RANGE 0x000FFFFF
/* Alignment: 'unsigned long' unsupported */
#define IPSET_ALIGNTO        4
diff -u -B -N -r ./asuswrt-merlin-380.62-original/release/src/router/ipset/kernel/include/linux/netfilter_ipv4/ip_set.h ./asuswrt-merlin-380.62/release/src/router/ipset/kernel/include/linux/netfilter_ipv4/ip_set.h
--- ./asuswrt-merlin-380.62-original/release/src/router/ipset/kernel/include/linux/netfilter_ipv4/ip_set.h    2016-09-23 18:45:32.000000000 -0600
+++ ./asuswrt-merlin-380.62/release/src/router/ipset/kernel/include/linux/netfilter_ipv4/ip_set.h    2016-09-25 18:38:03.000000000 -0600
@@ -301,7 +301,7 @@
}
/* General limit for the elements in a set */
-#define MAX_RANGE 0x0000FFFF
+#define MAX_RANGE 0x000FFFFF
/* Alignment: 'unsigned long' unsupported */
#define IPSET_ALIGNTO        4
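Review bot: this is the fifth copy of ip_set.h to receive the same one-line edit (four kernel trees under src-rt* plus this one under src/router/ipset/kernel), and nothing in the patch keeps the copies in agreement. If a later merge resets one of them, code built against different copies will disagree on the element limit. The patch description should state that all five copies must change together, or the build should compare the value across the copies and fail on a mismatch.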
 
Not the current ASUS or Merlin builds....they are also 4.5

I just updated to ipset 6 for the AC56/AC68 on my 374.43 fork in the last stable release (V19). Note that some of the commands/modules have changed with the ipset update.

BTW, I will most likely pick that up once you publish it to Git, since I'm gradually deprecating MIPS models (meaning I will no longer hold back ARM development for the sake of the MIPS models).
 
Here's a quick and dirty hack for the RT-AC66U router IPSet v4.5, maybe. You'll need to rebuild the firmware. This hack increases the 64K limit to 1 million elements for all hash types

Careful with that. In some files, MAX_RANGE is also used to define the highest valid port number (65535). There's quite a few occurrences like this:

Code:
kernel/include/linux/netfilter_ipv4/ip_set_getport.h:#define INVALID_PORT    (MAX_RANGE + 1)
 
Careful with that. In some files, MAX_RANGE is also used to define the highest valid port number (65535).
Noticed that usage of INVALID_PORT is as a return code for some error condition. I don't see where it's validating the maximum value for a port number. However, if this were to do something unexpected I would review the portmap element type because now it's going to create a map to hold more than 64K elements. I've only tested the iphash and nethash types.
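
The coupling discussed in the two posts above, as an added C example that is not part of the thread and is not ipset source. The two MAX_RANGE values and the `(MAX_RANGE + 1)` sentinel come from the lines quoted here; every function name, `MAX_PORT` and `MAX_HASH_ELEMENTS` are hypothetical, and the port check and bitmap sizing are assumptions about how a shared macro could be consumed.

```c
#include <stdint.h>
#include <stdio.h>

/* MAX_RANGE before and after the patch, as posted in the thread. */
#define MAX_RANGE_STOCK   0x0000FFFFu
#define MAX_RANGE_PATCHED 0x000FFFFFu

/* Hypothetical port check derived from the shared macro, modelled on the
 * quoted "#define INVALID_PORT (MAX_RANGE + 1)". */
static int port_accepted(uint32_t port, uint32_t max_range)
{
    uint32_t invalid_port = max_range + 1;  /* sentinel moves with the macro */
    return port < invalid_port;
}

/* Hypothetical bitmap sized from the macro, one bit per possible member
 * (the portmap concern raised in the reply). */
static uint32_t bitmap_bytes(uint32_t max_range)
{
    return (max_range + 1) / 8;
}

/* What a 16-bit port field keeps of an over-range value. */
static uint16_t port_as_stored(uint32_t port)
{
    return (uint16_t)port;
}

/* Decoupled limits (assumed names): the port bound no longer follows
 * the element limit. */
#define MAX_PORT          0xFFFFu
#define MAX_HASH_ELEMENTS 0x000FFFFFu

static int port_accepted_decoupled(uint32_t port) { return port <= MAX_PORT; }
static int element_count_ok(uint32_t n) { return n <= MAX_HASH_ELEMENTS; }

int main(void)
{
    uint32_t bogus = 70000;  /* constructed input: not a valid TCP/UDP port */
    printf("stock accepts %u: %d\n", (unsigned)bogus, port_accepted(bogus, MAX_RANGE_STOCK));
    printf("patched accepts %u: %d (stored as %u)\n", (unsigned)bogus,
           port_accepted(bogus, MAX_RANGE_PATCHED), (unsigned)port_as_stored(bogus));
    printf("bitmap bytes: %u -> %u\n", (unsigned)bitmap_bytes(MAX_RANGE_STOCK),
           (unsigned)bitmap_bytes(MAX_RANGE_PATCHED));
    printf("decoupled accepts %u: %d, 1000000 elements ok: %d\n", (unsigned)bogus,
           port_accepted_decoupled(bogus), element_count_ok(1000000));
    return 0;
}
```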
 
Noticed that usage of INVALID_PORT is as a return code for some error condition. I don't see where it's validating the maximum value for a port number. However, if this were to do something unexpected I would review the portmap element type because now it's going to create a map to hold more than 64K elements. I've only tested the iphash and nethash types.
I appreciate your creativity, and nice to know that I am not alone with this problem, but as a novice in this field I don't have the knowledge to rebuild firmware. It would probably also force me to rebuild with each new RMerlin build. So I think I'm going to take another more interested look at the ARM based models... Thank you all for the responses.
 