New syntax for iptables/ipset in AC68U - v380.66_4 ?

[Johan162]

I have had some custom rules in place for the last 2 years (white list sets) that has worked perfectly with my old N66U. However, getting a new AC68U and upgrading to the latest Merlin v380.66_4 I noticed that my scripts no longer work. Most likely due to an updated updated kernel and new version of "iptables/ipset" in my new router.

The previous version said (v380.66_2, N66U):
> ipset -V
ipset v4.5, protocol version 4.
Kernel module protocol version 4.

and the new version (v380.66_4, AC68U)
> ipset -V
ipset v6.29, protocol version: 6

I just can't seem to get the new syntax right.

Previously I had (as example, this is slightly simplified but still exhibits the same error) the WCHAIND is a custom chain rule for logging and dropping src addresses not in the whitelist. The ipset "whitelist" exists prior to this command.

iptables -A FORWARD -i eth0 -m set ! --set whitelist src -j WCHAIND

This gave a warning "--set being deprecated, use --match-set" so I updated to

iptables -A FORWARD -i eth0 -m set ! --match-set whitelist src -j WCHAIND

However, that still gives the error

"iptables: No chain/target/match by that name."

I have tried various permutation but I just can't seem to get the new syntax right. Having re-read the updated iptables/ipset manual pages my understanding is that the above line "should" work, but of course it doesn't

Anyone with a better idea than me?

 

[Adamm]

That error indicates the set "whitelist" doesn't exist, do note it is case sensitive. So either you need to create the IPSet first or you got the name wrong I assume.

 

[Johan162]

Well, that was also my first thought, that I messed up the name.

but I have (tripple) confirmed that it does exist, for example doing

>ipset list -n
whitelist

confirms that the list really do exist and the spelling is the same. So it cannot be that.

However, I noticed a different behaviour in this new version of ipset. If you start having a large set then it seems like ipset either has a bug or divides it in several sets with the same name

So if I populate it withe the full set (around a 1000 cidr ranges) I get the following

>ipset list -n
whitelist
whitelist
whitelist
whitelist
whitelist


Notice that this is not a typo. The ipset lists the name of the set multiple times. This is a different behaviour from the previous verions.

 

[yk101]

What do you see when you run ipset -L whitelist? Do you see all of your entries there?

 

[ColinTaylor]

Did you bother to read the changelog?

380.63 (6-Nov-2016)

- CHANGED: ipset was updated to version 6.29 on ARM models.

IMPORTANT: this means you will probably need to
update your script to the new syntax. You need to
load the xt_set.ko module at the start of your script.
There has been no change to MIPS models, due to their
older kernel. (original code by Shibby and Victek,
Asuswrt port by john9527) (ARM only)​

​

 

[Johan162]

Did you bother to read the changelog?

Yes, but since I had used 380.66_2 before which worked with N66U I didn't go back and re-read the older Changelog. I failed to consider that AC68U have a different CPU and suddenly that Changelog became important ...

So adding a

modprobe xt_set.ko

at the beginning of the script was all that was needed to get everything working.

Thanks for the pointer!

 

[ColinTaylor]