about ipset --add setmefree 91.108.56.0/22

[chu]

I use:

ipset --add setmeok 91.108.56.0/22

and I can't find it from the ip list via command

ipset -L setmeok


is something wrong?

 

[john9527]

I use:

ipset --add setmeok 91.108.56.0/22

and I can't find it from the ip list via command

ipset -L setmeok


is something wrong?

No, you need to create a separate type of ipset, nethash, to be able to handle CIDR addresses.

 

[chu]

No, you need to create a separate type of ipset, nethash, to be able to handle CIDR addresses.

how to ? could you tell me ..thank you

 

[john9527]

how to ? could you tell me ..thank you

What router and what firmware level? (It makes a difference)

 

[chu]

What router and what firmware level? (It makes a difference)

my router is Asus AC68U with merlin 380.58

 

[john9527]

That firmware still uses ipset version 4, so.....

You need to create an ipset that handles CIDR address (unfortunately you can't mix single addresses and CIDR addresses in a single set, and trying to fake it out with a /32 mask doesn't work either). The set type is nethash. You may need to modprobe ip_set_nethash if you already aren't doing so.

ipset -N newsetname nethash

Then add your CIDR addresses to this new ipset.

Now, in order to keep from having to add a new ipset to your iptables rules, you can join multiple ipsets under a new set name. First create another ipset that is a list of ipsets

ipset -N ipsetlistname setlist

Now add your ipsets to the setlist

ipset --add ipsetlistname newsetname
ipset --add ipsetlistname setmeok (using your old ipset as an example. You could of course make two new ipsets , and make the ipsetlistname = setmeok to avoid having to change your iptables rules).

Note that you still have to add individual ips/CIDRs to the base ipsets, not the setlist.

 

[chu]

That firmware still uses ipset version 4, so.....

You need to create an ipset that handles CIDR address (unfortunately you can't mix single addresses and CIDR addresses in a single set, and trying to fake it out with a /32 mask doesn't work either). The set type is nethash. You may need to modprobe ip_set_nethash if you already aren't doing so.

ipset -N newsetname nethash

Then add your CIDR addresses to this new ipset.

Now, in order to keep from having to add a new ipset to your iptables rules, you can join multiple ipsets under a new set name. First create another ipset that is a list of ipsets

ipset -N ipsetlistname setlist

Now add your ipsets to the setlist

ipset --add ipsetlistname newsetname
ipset --add ipsetlistname setmeok (using your old ipset as an example. You could of course make two new ipsets , and make the ipsetlistname = setmeok to avoid having to change your iptables rules).

Note that you still have to add individual ips/CIDRs to the base ipsets, not the setlist.

how about upgrade my router to 380.63?
I saw it has ipset 6.29, so can I use "ipset --add setmefree 91.108.56.0/22" directly?

 

[john9527]

how about upgrade my router to 380.63?
I saw it has ipset 6.29, so can I use "ipset --add setmefree 91.108.56.0/22" directly?

No, sorry....same restrictions/methodology applies. But the syntax has changed (although I think it's backwards compatible, except for the module names)

module name ip_set_nethash >> ip_set_hash_net (ipset 6 will automatically load this module for you)
instead of loading ipt_set you need to load module xt_set for iptables support
ipset -N >> ipset --create
settype nethash >> hash:net
settype setlist >> list:set

And I think there are some fixes for the list:set support in ipset 6.

 

[chu]

i found a idea on the web, is it ok with merlin?

iptables -t nat -A PREROUTING -p tcp -d 91.108.56.0/22 -j REDIRECT --to-ports 3333

 

[ColinTaylor]

@chu It would help if you actually tell us what you are trying to do.