Iptables -j SET target


Denna

Senior Member
Does the current version of Asuswrt-Merlin support the iptables SET target?

When running the command below ...
Code:
iptables -A INPUT -p tcp -m multiport --dports 23,1433 -j SET --add-set test2 src
... the response is ...
Code:
iptables: No chain/target/match by that name.
There is an existing IP hash:ip set called test2.

Perhaps the iptables SET extension hasn't been enabled in the kernel?
You can always load it in your script if they are not loaded:
Code:
#!/bin/sh
# If xt_set is not already listed by lsmod, load the ipset core, the set
# type modules and the iptables set match/target module.
lsmod | grep -q "xt_set" || for module in ip_set ip_set_hash_ip ip_set_bitmap_ip xt_set; do
  modprobe "$module"
done
 
@Martineau is right, my case is different.
I forgot to mention in post #2 that you can also specify --modprobe=<kmod> directly on the iptables command. From the man page:
Code:
 --modprobe=command
              When adding or inserting rules into a chain, use command to load any necessary modules (targets, match extensions, etc).
 
You can always load it in your script if they are not loaded:
Code:
#!/bin/sh
lsmod | grep -q "xt_set" || for module in ip_set ip_set_hash_ip ip_set_bitmap_ip xt_set; do
  modprobe $module
done
@redhat27,

The -j SET target works now. Thank you!
@Martineau is right, my case is different.
I forgot to mention in post #2 that you can also specify --modprobe=<kmod> directly on the iptables command. From the man page:
Code:
 --modprobe=command
              When adding or inserting rules into a chain, use command to load any necessary modules (targets, match extensions, etc).
@redhat27,

If you had multiple iptables rules using the SET target, would loading the script be more efficient than specifying it multiple times in each rule that used it?
 
@redhat27,

If you had multiple iptables rules using the SET target, would loading the script be more efficient than specifying it multiple times in each rule that used it?
Yes, but inserting the module is a one time operation. Once it is loaded it stays active. You can see loaded modules with lsmod.

You can see available kernel modules under /lib/modules/$(uname -r)/kernel

For example, the modules used by iptables/ip6tables would be under:
/lib/modules/$(uname -r)/kernel/net/ipv4/netfilter
/lib/modules/$(uname -r)/kernel/net/ipv6/netfilter
 
@redhat27,

So the issue with loading a module through a script is that it consumes memory and doesn't release it?

Does that mean using the option within an iptables rule loads and unloads the module as the rule is evaluated?
 
So the issue with loading a module through a script is that it consumes memory and doesn't release it?
No, loading it via script does not consume more memory. It just loads it. It will stay loaded unless removed by rmmod (see rmmod -? for options). Note: you do not explicitly unload a module if it is being used. lsmod has a "Used by" column that indicates that a particular module is being used by other modules or by the system. If a module has a zero count in that column, it can be removed, although if the functionality provided by that module is later requested, there will be an error (much like the error in your OP).
Does that mean using the option within an iptables rule loads and unloads the module as the rule is evaluated?
No. It should be equivalent to loading the module with modprobe, much like the script does. I just included some other modules together as I saw you were working with ipsets. You may not need all that for just that iptables command; you may just need ip_set and/or xt_set for the -j SET.
 
@Martineau is right, my case is different.
I forgot to mention in post #2 that you can also specify --modprobe=<kmod> directly on the iptables command. From the man page:
Code:
 --modprobe=command
              When adding or inserting rules into a chain, use command to load any necessary modules (targets, match extensions, etc).

@redhat27,

Was "--modprobe=command" explicit, or was the "=command" a placeholder for a specific command?

For example ...

Code:
iptables -A INPUT -p tcp -m multiport --dports 23,1433 --modprobe=command -j SET --add-set test2 src
 
No, the modprobe command should be more like --modprobe=xt_set. You can google for examples. I haven't used it myself.
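Putting the thread's pieces together (read lsmod to see which modules are missing, load only those, check the ipset exists, then add the -j SET rule without duplicating it), as an added example that is not from any post in this thread. The module names, the set name test2 and the ports 23,1433 come from the thread; the lsmod parsing, the refcount helper and the -C/-A check are my additions, and the lsmod output in the comments is constructed.

```shell
#!/bin/sh
# Added example, not code from the thread. Functions only; pass --apply as
# the first argument (as root, on the router) to actually change the firewall.

# Print each name in the argument list that is NOT present in lsmod output
# read from stdin. lsmod prints a header line, then "name size usedcount [users]".
missing_modules() {
    awk -v want="$*" '
        BEGIN { n = split(want, w, " ") }
        NR > 1 { loaded[$1] = 1 }
        END { for (i = 1; i <= n; i++) if (!(w[i] in loaded)) print w[i] }'
}

# Print the "Used by" count of one module from lsmod output on stdin
# (empty if it is not loaded). A non-zero count means rmmod will refuse it,
# which is the point redhat27 makes about the "Used by" column.
module_refcount() {
    awk -v m="$1" 'NR > 1 && $1 == m { print $3 }'
}

# Load whatever is still missing. Runs modprobe for real, so it needs root.
ensure_modules() {
    for m in $(lsmod | missing_modules "$@"); do
        modprobe "$m" || return 1
    done
}

# add_set_rule <ports> <setname>: refuse to add the rule if the set does not
# exist (the thread's "No chain/target/match" error is easier to diagnose
# when the set and the modules are checked first), then add it only once.
add_set_rule() {
    ports=$1; setname=$2
    ipset list -n | grep -qx "$setname" || { echo "ipset $setname does not exist" >&2; return 1; }
    ensure_modules ip_set xt_set || return 1
    # -C checks for an identical rule; -A appends only when -C reports none.
    iptables -C INPUT -p tcp -m multiport --dports "$ports" -j SET --add-set "$setname" src 2>/dev/null ||
    iptables -A INPUT -p tcp -m multiport --dports "$ports" -j SET --add-set "$setname" src
}

if [ "${1:-}" = "--apply" ]; then
    add_set_rule 23,1433 test2
fi
```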
 
