
iptables no match by that name (ipset)

Discussion in 'Tomato Firmware' started by moffa, Jul 1, 2014.

  1. moffa

    moffa Serious Server Member

    I'm trying to get iptables to load a set created from ipset.

    When I try to run:

    iptables -I INPUT -m set --set geoblock src -j DROP

    I get:

    iptables: No chain/target/match by that name

    But I've tested the set in ipset by running ipset -L | grep Name, and geoblock shows up.
    I've also checked lsmod and it looks like ipset is loaded:

    ip_set_nethash 7984 1
    ip_set 14496 2 ip_set_nethash

    I'm going nuts here - any help?
     
  2. koitsu

    koitsu Network Guru Member

    The lsmod output looks correct; the numbers ("1" and "2") indicate that there are other modules or pieces of the kernel actively referring to those kernel modules as well (the field indicates "in use" and by how many things).

    But your iptables/netfilter ip_set syntax looks wrong. It looks like you should be using --match-set not --set according to:

    http://ipset.netfilter.org/iptables-extensions.man.html

    Search for "ipset".

    You could also use iptables -m set -h to see if you get usage syntax at the very bottom of the output for the ip_set module.

    I should note that iptables/netfilter is notorious for emitting "incorrect" (more precisely: "non-user-friendly" or "non-intuitive") errors and driving people crazy. There isn't anything anyone can do about it. To me, the error you see is a result of the fact that --set xxx is being parsed somehow, but then silently ignored/omitted, followed by iptables parsing the next argument src and it saying "there is no rule or chain called that (src)".

    P.S. When talking about netfilter stuff, please disclose the exact firmware filename you're using -- it matters because some TomatoUSB firmwares have these features while others do not.
     
  3. moffa

    moffa Serious Server Member

    I'm using the Tomato Shibby build 120 (AIO on a E4200)

    When I try running: iptables -I INPUT -m set --match-set geoblock src -j DROP or iptables -I INPUT --match-set geoblock src

    I get:

    iptables v1.3.8: Unknown arg `(null)'
    Try `iptables -h' or 'iptables --help' for more information.

    Going back to just the -m set and --set geoblock and trying out funny stuff like
    iptables -A INPUT -m set --set 12geoblock src -j DROP
    outputs
    iptables v1.3.8: Set 12geoblock doesn't exist.

    so I'm thinking that the set is working and the problem may be with the -A?

    I tried the same with modifying DROP and it said:

    iptables v1.3.8: Couldn't load target `D12ROP':File not found
     
    Last edited: Jul 2, 2014
  4. moffa

    moffa Serious Server Member

    Looking at cat /proc/net/ip_tables_matches

    I don't see "set", but the module is loaded according to lsmod.

    Do I have to reload something to get this working?

    But then passing -m set1 produces

    iptables v1.3.8: Couldn't load match `set1':File not found
     
    Last edited: Jul 2, 2014
  5. moffa

    moffa Serious Server Member

    Finally figured it out thanks to the P2Partisan (rs232) script. I need the ipt_set module as well... sigh... 3+ hours later.
     
  6. Jerezano

    Jerezano New Member Member

    Hello

    I am also trying to do something similar to you BUT cannot do it!

    #ipset --create video iphash

    #nslookup googlevideo.com 127.0.0.1

    # ipset --list video
    Name: video
    Type: iphash
    References: 0
    Header: hashsize: 1024 probes: 8 resize: 50
    Members:
    186.2.134.84
    186.2.131.174
    XXXXXXXXXXX "more IPs"


    #iptables -t mangle -I QOSO 13 -m set --set video dst -j CONNMARK --set-return 0xa00005/0xff
    iptables: No chain/target/match by that name

    # iptables -t mangle -I QOSO 13 -m set --match-set video dst -j CONNMARK --set-return 0xa00005/0xff
    iptables v1.3.8: Unknown arg `(null)'
    Try `iptables -h' or 'iptables --help' for more information.


    #lsmod
    Module Size Used by Tainted: P
    tcp_vegas 1664 1
    ebtable_filter 896 0
    ebtables 17856 1 ebtable_filter
    ip6table_mangle 992 0
    ip6table_filter 704 0
    xt_recent 6800 2
    xt_layer7 10896 47
    xt_IMQ 736 1
    imq 2320 0
    ip_set_iphash 5872 1
    ip_set 14496 2 ip_set_iphash <------- module
    xt_DSCP 992 5
    vfat 9216 0
    fat 45936 1 vfat
    ext2 55648 0
    ext3 113568 0
    jbd 48352 1 ext3
    mbcache 4528 2 ext2,ext3
    usb_storage 33120 0
    sd_mod 21408 0
    scsi_wait_scan 384 0
    scsi_mod 75488 3 usb_storage,sd_mod,scsi_wait_scan
    wl_high 983248 0
    ehci_hcd 37088 0
    usbcore 114704 4 usb_storage,wl_high,ehci_hcd
    jffs2 106128 1
    zlib_deflate 19440 1 jffs2
    zlib_inflate 13248 1 jffs2
    nf_nat_ftp 1568 0
    nf_conntrack_ftp 5792 1 nf_nat_ftp
    nf_nat_sip 5920 0
    nf_conntrack_sip 19008 1 nf_nat_sip
    nf_nat_h323 5504 0
    nf_conntrack_h323 37152 1 nf_nat_h323
    nf_nat_rtsp 3600 0
    nf_conntrack_rtsp 4496 1 nf_nat_rtsp
    wl 2652688 0
    dnsmq 2032 2 wl_high,wl
    et 37344 0
    igs 13584 2 wl_high,wl
    emf 17568 3 wl_high,wl,igs

    #cat /proc/net/ip_tables_matches
    recent
    layer7
    account
    u32
    icmp
    tcpmss
    state
    multiport
    multiport
    mark
    mac
    limit
    iprange
    iprange
    connmark
    connlimit
    connbytes
    udplite
    udp
    tcp
     
  7. Jerezano

    Jerezano New Member Member

    Help!!!!!!!!!!!!!!!!
     
  8. Toxic

    Toxic Administrator Staff Member

    Jerezano

    Begging for help is not going to get you any further than just posting your issue. You posted 1 hour after your original post. This is a community forum and you will get help when someone decides to help you, and not when you demand that someone "HELPs" you. If no one replies, then just accept it. Stop the constant "help!!!" replies. It won't make anyone answer any quicker.
     
  9. Jerezano

    Jerezano New Member Member

    Toxic, first, I was not begging, just asking for any advice! Thanks anyway.
     
  10. moffa

    moffa Serious Server Member

    Quickly looking at it, I didn't see ipt_set (notice the t).
     
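The recurring failure in this thread (posts 4, 5 and 10) is the same one: lsmod shows the ipset core module ip_set, but the iptables glue module ipt_set is not loaded, so /proc/net/ip_tables_matches has no "set" line and iptables 1.3.8 reports "No chain/target/match by that name". The following pre-flight check is an added example written for this thread, not code from the forum, from Tomato, or from the P2Partisan script; it diagnoses that state from the two outputs before any rule is inserted. The module names ip_set and ipt_set and the ip_set_iphash line come from the thread; the sample outputs are constructed, the 203.0.113.0/24 network in the comments is a documentation range, and the exact module-loading command (modprobe vs insmod) depends on the firmware, so it is an assumption.

```shell
#!/bin/sh
# Added example (not from the thread): check that the iptables "set" match is
# actually registered before inserting an "-m set" rule. On the thread's
# Tomato builds, lsmod shows ip_set while /proc/net/ip_tables_matches has no
# "set" entry until ipt_set is loaded as well.

# Constructed sample of /proc/net/ip_tables_matches with no "set" line,
# mirroring what post 6 shows.
SAMPLE_MATCHES='recent
layer7
state
multiport
mark
limit
connmark
udp
tcp'

# Constructed sample of lsmod output: core ipset module present, ipt_set absent.
SAMPLE_LSMOD='Module Size Used by Tainted: P
ip_set_iphash 5872 1
ip_set 14496 2 ip_set_iphash
xt_DSCP 992 5'

# match_registered NAME TEXT -> exit 0 if match extension NAME appears as a
# whole line in TEXT (the format of /proc/net/ip_tables_matches).
match_registered() {
    printf '%s\n' "$2" | grep -qx "$1"
}

# module_loaded NAME TEXT -> exit 0 if NAME is the first field of a line in
# TEXT (the format of lsmod). Whole-field compare, so "ip_set" does not
# match "ip_set_iphash".
module_loaded() {
    printf '%s\n' "$2" | awk -v m="$1" '$1 == m { found = 1 } END { exit !found }'
}

# diagnose MATCHES_TEXT LSMOD_TEXT -> prints one of:
#   ok           - "set" is registered with iptables, the rule can be inserted
#   need-ipt_set - ip_set is loaded but the iptables glue module is missing
#                  (the situation in the thread)
#   need-ip_set  - neither the ipset core nor the glue module is present
diagnose() {
    if match_registered set "$1"; then
        echo ok
    elif module_loaded ip_set "$2"; then
        echo need-ipt_set
    else
        echo need-ip_set
    fi
}

# live_preflight -> same diagnosis against the running kernel. On a router
# reporting need-ipt_set you would load the glue module and then insert the
# rule in the syntax the thread's iptables 1.3.8 accepts, for example
# (assumed commands, adjust for the firmware):
#   modprobe ipt_set
#   ipset --create geoblock nethash
#   ipset --add geoblock 203.0.113.0/24     # constructed example network
#   iptables -I INPUT -m set --set geoblock src -j DROP
live_preflight() {
    diagnose "$(cat /proc/net/ip_tables_matches 2>/dev/null)" "$(lsmod 2>/dev/null)"
}

# Demonstration on the constructed samples; prints need-ipt_set.
diagnose "$SAMPLE_MATCHES" "$SAMPLE_LSMOD"
```

Running `live_preflight` on the router itself reads the real /proc/net/ip_tables_matches and lsmod output; the point of checking the proc file rather than lsmod is that it lists what the iptables core has registered, which is what the "No chain/target/match by that name" error is really about.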
  11. Jerezano

    Jerezano New Member Member

    Thanks, I wasn't looking at the correct one; I got confused with the ip_set module.
     