Configure ipset hash:mac in fw3

Hello,

I want to configure ipset hash:mac in fw3,I had some problems in the process,fw3 does not seem to support such a configuration,I can only configure as follows.

config ipset
    option name IPSET_TEST
    option match 'src_ip src_mac'
    option storage bitmap
    option iprange '192.168.8.0/24'
    option enabled 1
    list entry '192.168.8.153,08:57:00:e5:88:6b'

However, I don't want to bind IP, I want it to look like this:

config ipset
    option name IPSET_TEST
    option match 'src_mac'
    option storage hash
    option enabled 1
    list entry '08:57:00:e5:88:6b'

This seems to work for me:

config ipset
        option name 'bogons'
        option storage 'hash'
        option match 'src_net'
        list entry '0.0.0.0/8'
        list entry '10.0.0.0/8'
        list entry '100.64.0.0/10'
        list entry '127.0.0.0/8'
        list entry '169.254.0.0/16'
        list entry '172.16.0.0/12'
        list entry '192.0.0.0/24'
        list entry '192.0.2.0/24'
        list entry '192.168.0.0/16'
        list entry '198.18.0.0/15'
        list entry '198.51.100.0/24'
        list entry '203.0.113.0/24'
        list entry '224.0.0.0/4'
        list entry '240.0.0.0/4'

config rule
        option name 'bogons'
        option src 'wan'
        option family 'ipv4'
        option proto 'all'
        option ipset 'bogons'
        option target 'DROP'
3 Likes

My wrong

Summary

You cannot work with mac addresses in iptables, try ebtables instead.

1 Like

http://ipset.netfilter.org/iptables-extensions.man.html#lbBJ

1 Like

(removed old post because it had IPs unrelated to Public bogons)

WOW!!!

@eduperez, honestly, I didn't know the correct syntax to do so. I thoroughly misread the ipset Wiki!

Thanks!

Thank you, too... you inspired me to investigate and create those rules in one of your previous posts!

1 Like

Thanks,

I've looked at the links, but they still don't solve my problem. In FW3's ipset, I can't implement a hash: mac combination

Thanks for your reply,The ipset and iptables commands can completely solve my problem, but I want to write them in the /etc/config/firewall, I can make sure my rules are loaded correctly after fw3 restart

In FW3's ipset, I can only implement the following combinations:

Family Storage Match Notes
ipv4 bitmap ip Requires iprange option
ipv4 bitmap ip mac Requires iprange option
ipv4 bitmap port Requires portrange option
any hash ip -
any hash net -
any hash ip port -
any hash net port -
any hash ip port ip -
any hash ip port net -
- list set Meta type to create a set-of-sets

But I want to implement the hash:mac

Family Storage Match Notes
any hash mac -

Why not simply using a hotplug script in /etc/hotplug.d/firewall? I'm using it that way in banIP and therefore I'm not limited to fw3 supported iptables syntax.

1 Like

Thanks ,this can cause confusion or even loss of order when multiple events are running concurrently.
I tried adding a lock, but it didn't work well

Interesting, do you have a good example to reproduce your issue?

I have a firewall-test.sh,It doesn't mean anything, but it's a good way to reproduce the problem

#!/bin/sh

make_firewall()
{
	iptables -N ROUTE_POLICY                                                                                            
        iptables -I FORWARD -j ROUTE_POLICY
	iptables -A ROUTE_POLICY  -i br-lan -m mark --mark 0x40000/0x40000 -j DROP
	iptables -A ROUTE_POLICY  -i br-lan -m mark --mark 0x80000/0x80000  -j ACCEPT
}

delete_firewall()
{
	iptables -D FORWARD -j ROUTE_POLICY
	iptables -F ROUTE_POLICY
	iptables -X ROUTE_POLICY
}

delete_firewall
make_firewall

You call it with the firewall

echo "firewall-test.sh &" >>/etc/firewall.user

I also tried to use hash:mac but found fw3 doesn’t support it even though it is supported by the underlying netfilter ipset. This is as of openwrt 21.02.0 so has been around for a while