New syntax for iptables/ipset in AC68U - v380.66_4 ?

Johan162

Occasional Visitor
I have had some custom rules in place for the last 2 years (white list sets) that have worked perfectly with my old N66U. However, getting a new AC68U and upgrading to the latest Merlin v380.66_4 I noticed that my scripts no longer work. Most likely due to an updated kernel and new version of "iptables/ipset" in my new router.

The previous version said (v380.66_2, N66U):
> ipset -V
ipset v4.5, protocol version 4.
Kernel module protocol version 4.


and the new version (v380.66_4, AC68U):
> ipset -V
ipset v6.29, protocol version: 6

I just can't seem to get the new syntax right.

Previously I had the following (as an example; this is slightly simplified but still exhibits the same error), where WCHAIND is a custom chain for logging and dropping src addresses not in the whitelist. The ipset "whitelist" exists prior to this command.

iptables -A FORWARD -i eth0 -m set ! --set whitelist src -j WCHAIND


This gave a warning "--set being deprecated, use --match-set" so I updated to

iptables -A FORWARD -i eth0 -m set ! --match-set whitelist src -j WCHAIND

However, that still gives the error

"iptables: No chain/target/match by that name."

I have tried various permutations but I just can't seem to get the new syntax right. Having re-read the updated iptables/ipset manual pages my understanding is that the above line "should" work, but of course it doesn't.

Anyone with a better idea than me?
 
That error indicates the set "whitelist" doesn't exist, do note it is case sensitive. So either you need to create the IPSet first or you got the name wrong I assume.
 
Well, that was also my first thought, that I messed up the name.

but I have (triple) confirmed that it does exist, for example doing

>ipset list -n
whitelist

confirms that the list really does exist and the spelling is the same. So it cannot be that.

However, I noticed a different behaviour in this new version of ipset. If you start having a large set then it seems like ipset either has a bug or divides it into several sets with the same name.

So if I populate it with the full set (around 1000 CIDR ranges) I get the following

>ipset list -n
whitelist
whitelist
whitelist
whitelist
whitelist


Notice that this is not a typo. The ipset lists the name of the set multiple times. This is a different behaviour from the previous versions.
 
What do you see when you run ipset -L whitelist? Do you see all of your entries there?
 
Did you bother to read the changelog?
380.63 (6-Nov-2016)
- CHANGED: ipset was updated to version 6.29 on ARM models.
IMPORTANT: this means you will probably need to
update your script to the new syntax. You need to
load the xt_set.ko module at the start of your script.
There has been no change to MIPS models, due to their
older kernel. (original code by Shibby and Victek,
Asuswrt port by john9527) (ARM only)
 
Did you bother to read the changelog?

Yes, but since I had used 380.66_2 before which worked with N66U I didn't go back and re-read the older Changelog. I failed to consider that the AC68U has a different CPU and suddenly that Changelog became important ...

So adding a

modprobe xt_set.ko

at the beginning of the script was all that was needed to get everything working.

Thanks for the pointer!
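Putting the thread's resolution together as an added example (not code from any poster or from the firmware): a re-runnable whitelist script for an ARM Asuswrt-Merlin router with ipset 6.x, which loads xt_set before touching iptables, fills a temporary set and swaps it in so the rule never sees a half-built whitelist, and uses `iptables -C` to avoid duplicate rules. Assumed: the CIDR list lives in /jffs/configs/whitelist.txt (hypothetical path), the WCHAIND chain just logs and drops as the original post describes, and the router's iptables supports `-C`.

```shell
#!/bin/sh
# Added example, not from the thread. Assumed whitelist path, one IPv4/CIDR per line.
WHITELIST_FILE="/jffs/configs/whitelist.txt"
SET_NAME="whitelist"
CHAIN="WCHAIND"
WAN_IF="eth0"

# Drop comments/blank lines and keep only well-formed IPv4 or IPv4/CIDR entries,
# so a stray line in the file cannot make "ipset add" abort the whole script.
filter_cidrs() {
    oct='(25[0-5]|2[0-4][0-9]|1[0-9][0-9]|[1-9]?[0-9])'
    sed -e 's/#.*//' -e 's/^[[:space:]]*//' -e 's/[[:space:]]*$//' "$1" \
    | grep -E "^($oct\.){3}$oct(/([0-9]|[12][0-9]|3[0-2]))?\$"
}

# Without xt_set loaded, "-m set" fails with "No chain/target/match by that name"
# even though the set exists (the cause found in this thread).
load_modules() {
    modprobe xt_set 2>/dev/null || modprobe xt_set.ko
}

# Build into a temporary set, then swap: the live set is replaced atomically.
build_set() {
    ipset create "$SET_NAME" hash:net -exist
    ipset create "${SET_NAME}_tmp" hash:net -exist
    ipset flush "${SET_NAME}_tmp"
    filter_cidrs "$WHITELIST_FILE" | while read -r net; do
        ipset add "${SET_NAME}_tmp" "$net" -exist
    done
    ipset swap "${SET_NAME}_tmp" "$SET_NAME"
    ipset destroy "${SET_NAME}_tmp"
}

# Create the chain and rules only if they are not already there (-C checks),
# so running the script again on every firewall restart adds nothing twice.
add_rules() {
    iptables -N "$CHAIN" 2>/dev/null || true
    iptables -C "$CHAIN" -j LOG --log-prefix "WLIST-DROP: " 2>/dev/null \
        || iptables -A "$CHAIN" -j LOG --log-prefix "WLIST-DROP: "
    iptables -C "$CHAIN" -j DROP 2>/dev/null || iptables -A "$CHAIN" -j DROP
    iptables -C FORWARD -i "$WAN_IF" -m set ! --match-set "$SET_NAME" src -j "$CHAIN" 2>/dev/null \
        || iptables -I FORWARD -i "$WAN_IF" -m set ! --match-set "$SET_NAME" src -j "$CHAIN"
}

# Only modify the firewall when actually on the router: root, ipset present, list readable.
if [ "$(id -u)" = "0" ] && command -v ipset >/dev/null 2>&1 && [ -r "$WHITELIST_FILE" ]; then
    load_modules && build_set && add_rules
fi
```

Hook it in from /jffs/scripts/firewall-start so it runs after the firmware rebuilds its own rules; `ipset list -n` afterwards should show the set once, and `iptables -S FORWARD` exactly one WCHAIND rule.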
 
