ipset create MySet hash:mac fails in Firmware:380.64_2

[Juglar]

Hi.

I'm trying to use ipset to control groups of clients of my ASUS RT-AC68U, with FW 380.64_2, but, when I enter "ipset create MySet hash:mac" on the telnet console, it hangs: it doesn't return the prompt and the process remains in the "ps" listing without being killed by "kill -9 <procNum>".

I've read that it's implemented, but, do you know if it works? do I need to add any option to create the set?

Thanks,
Juglar

 

[RMerlin]

hash_mac is currently not implemented.

 

[Odkrys]

I did try same thing a few days ago.

there was no kernel for it.

https://github.com/RMerl/asuswrt-me...x.4708/linux/linux-2.6.36/net/netfilter/ipset

 

[Juglar]

hash_mac is currently not implemented.

I see and I'm sorry, for MAC, although also fakeable (though using a wireless access list of allowed MACs makes it quite risky for fakers to be caught), is, I think, the strongest machine identifier.

I think ipset (with its timeout option) is the simplest and most efficient way to implement fixed time "Internet time extension tickets" (and several other functions). If I have to do it by static MAC-IP asociations, it's quite longer and complicated and, specially, much more vulnerable (for the PCs can configure fixed unrestricted IPs not using dhcp) .

Grouping machines in sets is very useful to very simply give them the same treatment (for example, common access restrictions to the several wless terminals of each of my sons).

So, would there be any chance that hash:mac ipset option be implemented in any near version? or is there any difficulty with that specific ipset feature?

By the way, the "ipset -h" current help reply (incorrectly) indicates it as valid option and it doesn't reject the command syntax, as I think it should.

Or maybe I can get my intended functionality (MAC sets) by the ipset bitmap:ip,mac option, with wide IP ranges ? ( I'm just beginning to know these commands).

Post auto reply to last question: No. Because I can define an IP range when creating the set, but I must specify just 1 plain IP address when adding a member machine to the set (a pity that the IP address cannot be left empty, instead of the MAC address) .

Thanks !

 

[RMerlin]

So, would there be any chance that hash:mac ipset option be implemented in any near version? or is there any difficulty with that specific ipset feature?

The ipset patch didn't include that module. It's possible it's not available under older kernels. It's been a few years since I've implemented this, so I don't recall where I originally grabbed the patch from, or whether I ran into any issue myself at the time.

 

[Juglar]

The ipset patch didn't include that module. ...

Thanks for replying.

If the module were available and working well now and you could include it, I think it would significantly strengthen the access restrictions. I, and probably more people, would very much welcome it.

Juglar