IPset: src_ip dest_ip together: fw4: "ignoring invalid ipset entry"

Geri · June 16, 2025, 6:35pm

Some time ago, I asked for help about this, and the answer was to use both.

Now, if I run fw4 reload I get an error: ignoring invalid ipset entry.
I troubleshoot by looking at differences with others, and changing some around; and I concluded that, yes, it really is setting src_ip and dest_ip together.

The same config used to work.

It's the same with src_net and dest_net.

I found out accidentally because I reconnected a device that wouldn't connect, and it started with getting issues I think because the zone name started with a number; which also used to work, but no longer does. I changed the name and assigned an interface to it, and in the process of diagnostics, I saw all of the other errors via fw4 reload.

Via webgui, I changed the aforementioned ipset rule Packet Field Match from just one match, saw that the error went away, and put the dest/src match back, and sure enough, it popped up again. This feels unintended. Please correct me if I'm wrong.

lleachii · June 17, 2025, 1:52am

Can you show an example of what you're referring to?

Geri · June 17, 2025, 11:06pm

Here ya go

brada4 · July 19, 2025, 5:27pm

Please use the "Preformatted text </>" button for logs, scripts, configs and general console output.

Please edit your post accordingly. Thank you!

lleachii · July 20, 2025, 10:59am

Your screenshot clearly shows the errors:

You specified:

a single IP in a network set (try appending '/32')
and the whole Internet (the netfilter manual clearly states this is invalid)

I apologize for the delay (as I never saw you post text and missed the screenshot).

Edit:

I know the other poster mentioned text, but the screenshot I was expecting (and that you mentioned) was from the web GUI.