config ipset
	option name 'drop_addr'
	option match 'src_net'
	option storage 'hash'
	option enabled '1'
	list entry '104.31.67.136'

config rule
	option dest '*'
	option ipset 'drop_addr'
	option target 'DROP'
	option name 'DROP-104.31.67.136'
	option enabled '1'
But it doesn't block access to the address after having the firewall reloaded. ipset is installed on my device. What could be wrong and what is option match 'src_net'?
config ipset
	option name 'drop_addr'
	option match 'dst_net'
	option storage 'hash'
	option enabled '1'
	list entry '104.31.67.136'

config rule
	option src 'lan'
	option ipset 'drop_addr'
	option target 'DROP'
	option name 'DROP-WAN-LAN'
But that didn't work out either. I can still access that IP. Does it matter where I put the config ipset section?
I put the config rule at the very end. Maybe something's wrong with the order?
Thanks.
I'm using the router as a wifi repeater and I put dest '*' and src '*', but the IP address can still be accessed.
This rule without ipset works fine.
Seems like your ipset (drop_addr) was not created.
Did you restart the firewall after modifying the config?
Can you invoke /etc/init.d/firewall restart in an SSH terminal and also post the output, please?
How did you create the ipset through luci?
Can you do a /etc/init.d/firewall restart and post the output, please?
Maybe the support for "list entry" was added later but I'm not sure.
Does ipset add drop_addr 104.31.67.136 work?
If yes, you can try putting it in the Custom Rules tab of the LuCI firewall page.
But that doesn't explain why the entry isn't added directly.
So the output of firewall restart could maybe help.
I didn't do that. After copying the file to /etc, I clicked Reset to make LuCI pick up the settings from the file and clicked Save & Apply to apply them. But the content of the file was not changed anyway.
Yes, finally. It worked out. I couldn't access the address anymore.
Here's the output for /etc/init.d/firewall restart:
Warning: Option @ipset[0].entry is unknown
* Flushing IPv4 filter table
* Flushing IPv4 nat table
* Flushing IPv4 mangle table
* Flushing IPv4 raw table
* Flushing IPv6 filter table
* Flushing IPv6 mangle table
* Flushing IPv6 raw table
* Deleting ipset drop_addr
* Flushing conntrack table ...
* Creating ipset drop_addr
* Populating IPv4 filter table
* Zone 'lan'
* Zone 'wan'
* Zone 'VPN_client'
* Rule 'Allow-DHCP-Renew'
* Rule 'Allow-Ping'
* Rule 'Allow-IGMP'
* Rule #7
* Rule #8
* Rule 'DROP-WAN-LAN'
* Forward 'lan' -> 'wan'
* Forward 'lan' -> 'VPN_client'
* Populating IPv4 nat table
* Zone 'lan'
* Zone 'wan'
* Zone 'VPN_client'
* Populating IPv4 mangle table
* Zone 'lan'
* Zone 'wan'
* Zone 'VPN_client'
* Populating IPv4 raw table
* Zone 'lan'
* Zone 'wan'
* Zone 'VPN_client'
* Populating IPv6 filter table
* Zone 'lan'
* Zone 'wan'
* Zone 'VPN_client'
* Rule 'Allow-DHCPv6'
* Rule 'Allow-MLD'
* Rule 'Allow-ICMPv6-Input'
* Rule 'Allow-ICMPv6-Forward'
* Rule #7
* Rule #8
* Forward 'lan' -> 'wan'
* Forward 'lan' -> 'VPN_client'
* Populating IPv6 mangle table
* Zone 'lan'
* Zone 'wan'
* Zone 'VPN_client'
* Populating IPv6 raw table
* Zone 'lan'
* Zone 'wan'
* Zone 'VPN_client'
* Set tcp_ecn to off
* Set tcp_syncookies to on
* Set tcp_window_scaling to on
* Running script '/etc/firewall.user'
uci: Entry not found
* Running script '/usr/share/miniupnpd/firewall.include'
* Running script '/var/etc/shadowsocks.include'
! Skipping due to path error: No such file or directory
Seems like 'list entry' is indeed not supported by your installation.
Hmm. But I can't tell when support for this was added.
You can add ipset add drop_addr 104.31.67.136
to /etc/firewall.user
There is also the option loadfile.
But I also don't know when support for this was added.
Maybe it is worth a try.
I think you have to save your ipset (after adding the entries) with ipset save drop_addr > /etc/ipsets/drop_addr.set
Then use option loadfile '/etc/ipsets/drop_addr.set' in your uci firewall ipset section.
Adjust path as you see fit.
I have around 5000 addresses. So I guess my way is faster. And both would take 1 line of code in the end anyway. Just to read from file and load the whole list into RAM. But I think your way is better if I want to put new IPs on the list, so thank you.
The only question I have now is what should be the value of the hash size when creating a set and why?
For hashsize.
I'm not entirely sure.
But I think this option defines how much RAM for the set is preallocated on creation (max size of the set).
If you choose too small a value, the hashsize automatically grows. (But I guess that is "slow"?)
After you filled the set you can see the hashsize with ipset list and use that value.
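Since list entry is rejected by this fw3 build (the "Option @ipset[0].entry is unknown" warning above), the two remaining paths are /etc/firewall.user or the loadfile option, and the OP then asks how to size hashsize for about 5000 addresses. The script below is an added example, not code from the thread or from OpenWrt, that covers both replies: it turns a plain address list into a loadfile and prints the matching config ipset / config rule sections with a hashsize derived from the entry count. Two things to be aware of, neither stated in the thread: fw3's load_file routine prefixes every line of the loadfile with "add <setname>" before piping it into ipset restore, so the file should hold bare entries rather than the create/add lines that ipset save writes (if your build behaves differently, the firewall restart output will show it); and the power-of-two sizing rule is my rule of thumb, not an ipset requirement. The set name drop_addr comes from the thread; the path /etc/ipsets/drop_addr.list and the sample list are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread or OpenWrt. Builds a fw3 loadfile (one
# entry per line; fw3 prefixes each line with "add <setname>" when it feeds
# the file to `ipset restore`) and the matching UCI sections for a large
# drop list. Set name is the thread's; paths are illustrative assumptions.

# Constructed sample input: the address from the thread, a duplicate with a
# trailing comment, a full-line comment, a CIDR, a blank line and two entries
# that must be rejected.
SAMPLE_LIST='104.31.67.136
104.31.67.136   # duplicate, must collapse to one entry
# full-line comment
198.51.100.0/24

not-an-address
999.1.1.1'

# valid_entry ADDR[/PREFIX]: succeed only for a dotted-quad IPv4 address with
# an optional prefix length 0-32. A single bad line makes `ipset restore`
# abort, which with fw3 leaves the set empty or partially filled.
valid_entry() {
  addr=${1%%/*}
  prefix=${1#*/}
  [ "$prefix" = "$1" ] && prefix=32        # no '/' present: a single host
  case "$prefix" in ''|*[!0-9]*) return 1 ;; esac
  [ "$prefix" -le 32 ] || return 1
  # Split the address on dots; a missing or empty octet yields != 4 fields.
  set -- $(printf '%s' "$addr" | tr '.' ' ')
  [ $# -eq 4 ] || return 1
  for octet in "$@"; do
    case "$octet" in ''|*[!0-9]*) return 1 ;; esac
    [ "$octet" -le 255 ] || return 1
  done
  return 0
}

# build_loadfile: raw list on stdin -> cleaned loadfile on stdout.
# Strips comments and whitespace, drops invalid lines, removes duplicates.
build_loadfile() {
  while IFS= read -r line; do
    line=${line%%#*}                        # drop trailing comments
    line=$(printf '%s' "$line" | tr -d ' \t\r')
    [ -n "$line" ] || continue
    valid_entry "$line" && printf '%s\n' "$line"
  done | sort -u
}

# hashsize_for COUNT: smallest power of two >= COUNT, never below ipset's
# default of 1024. Rule of thumb (my assumption, not from the thread): a hash
# that already has room for every entry is not resized while loading.
hashsize_for() {
  n=$1
  h=1024
  while [ "$h" -lt "$n" ]; do h=$((h * 2)); done
  echo "$h"
}

# uci_stanza SETNAME LOADFILE COUNT: print the /etc/config/firewall sections.
# 'dest_net' matches on destination address (fw3 also accepts the thread's
# 'dst_net' spelling). src 'lan' with dest '*' puts the rule in the forwarding
# path for LAN clients, i.e. traffic the repeater passes on to the WAN side.
uci_stanza() {
  cat <<EOF
config ipset
	option name '$1'
	option match 'dest_net'
	option storage 'hash'
	option hashsize '$(hashsize_for "$3")'
	option loadfile '$2'
	option enabled '1'

config rule
	option name 'DROP-$1'
	option src 'lan'
	option dest '*'
	option ipset '$1'
	option target 'DROP'
	option enabled '1'
EOF
}

# Stand-alone demo on the constructed list. On the router you would redirect
# build_loadfile's output to the loadfile path, append the stanza to
# /etc/config/firewall and run /etc/init.d/firewall restart.
entries=$(printf '%s\n' "$SAMPLE_LIST" | build_loadfile)
count=$(printf '%s\n' "$entries" | grep -c .)
printf '%s\n' "$entries"
uci_stanza drop_addr /etc/ipsets/drop_addr.list "$count"
```

After the restart, ipset list drop_addr shows the Hashsize the kernel actually settled on together with the number of entries, and ipset test drop_addr 104.31.67.136 confirms a lookup without sending any traffic. If you prefer the /etc/firewall.user route from the earlier reply, note that in the posted restart output "Creating ipset drop_addr" happens before "Running script '/etc/firewall.user'", so ipset add lines there find the set already created; the same validation as above is worth running on the list first, because one malformed line in a 5000-entry loop is easy to miss.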