# [SOLVED] Hardened kernel and problem with ipset

## irritum

Hi all.

I have an odd problem. I can't add my ipset set to iptables.

I have a fully functional SELinux (currently in permissive mode) hardened server with no loadable module support in the kernel.

a) basic system info

```
$ uname -a
Linux unknown 3.7.0-hardened #1 SMP Thu Jan XX XX:XX:XX CET XXXX x86_64 Intel(R) Core(TM) i3-3220 CPU @ 3.30GHz GenuineIntel GNU/Linux
```

b) appropriate kernel configs:

```
# CONFIG_MODULES is not set
```

but with enabled ipset:

```
CONFIG_NET_EMATCH_IPSET=y
```

and also:

```
CONFIG_IP_SET=y
CONFIG_IP_SET_MAX=256
CONFIG_IP_SET_BITMAP_IP=y
CONFIG_IP_SET_BITMAP_IPMAC=y
CONFIG_IP_SET_BITMAP_PORT=y
CONFIG_IP_SET_HASH_IP=y
CONFIG_IP_SET_HASH_IPPORT=y
CONFIG_IP_SET_HASH_IPPORTIP=y
CONFIG_IP_SET_HASH_IPPORTNET=y
CONFIG_IP_SET_HASH_NET=y
CONFIG_IP_SET_HASH_NETPORT=y
CONFIG_IP_SET_HASH_NETIFACE=y
CONFIG_IP_SET_LIST_SET=y
```

I have added ipset and iptables rules with no problem, but I can't connect them. So:

0. Tools versions:

```
$ ipset --version
ipset v6.16, protocol version: 6
```

```
$ iptables --version
iptables v1.4.16.3
```

1. My ipset rules:

a) Listing:

```
$ ipset -t list
Name: china_cls
Type: hash:net
Revision: 2
Header: family inet hashsize 2048 maxelem 65536 
Size in memory: 87352
References: 0

Name: korea_cls
Type: hash:net
Revision: 2
Header: family inet hashsize 1024 maxelem 65536 
Size in memory: 35192
References: 0
```

b) And here is part of the set content:

```
$ ipset list china_cls
Name: china_cls
Type: hash:net
Revision: 2
Header: family inet hashsize 2048 maxelem 65536 
Size in memory: 87352
References: 0
Members:
116.69.0.0/16
208.74.175.2/31
124.160.0.0/13
...
```

2. The chain in iptables where I would like to put ipset rules:

```
Chain in_bad_ip_cls (1 references)
 pkts bytes target     prot opt in     out     source               destination         
  373  189K DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match src-type BROADCAST
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match src-type UNSPEC
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match src-type MULTICAST
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match src-type UNREACHABLE
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match src-type BLACKHOLE
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match src-type UNSPEC
  121 13863 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type BROADCAST
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type UNSPEC
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type MULTICAST
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type UNREACHABLE
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type BLACKHOLE
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            ADDRTYPE match dst-type UNSPEC
    0     0 DROP       all  --  !lo    *       127.0.0.0/8          0.0.0.0/0           
    0     0 DROP       all  --  *      !lo     0.0.0.0/0            127.0.0.0/8         
```

3. I am typing:

```
iptables -v -I in_bad_ip_cls -m conntrack --ctstate NEW -m set --match-set china_cls src -j DROP
```

which gives me:

```
DROP  all opt -- in * out *  0.0.0.0/0  -> 0.0.0.0/0   ctstate NEW match-set china_cls src
iptables: No chain/target/match by that name.
```

4. dmesg is silent

So any clue? I mention that the above rules are working perfectly on another server (ubuntu) with the same ipset/iptables settings.

I have tried even:

```
iptables -v -I in_bad_ip_cls -m conntrack --ctstate NEW -j LOG --log-prefix "IPLOG: "
```

to check if I had misspelled the chain or something, but it was added to iptables with no problem.

The ipset syntax above looks correct as well. I don't know what is wrong with it...

----------

## irritum

Come on, I will provide additional info if required. Below is the strace of the command:

```
$ strace iptables -I in_bad_ip_cls -m conntrack --ctstate NEW -m set --match-set china_cls src -j DROP
execve("/sbin/iptables", ["iptables", "-I", "in_bad_ip_cls", "-m", "conntrack", "--ctstate", "NEW", "-m", "set", "--match-set", "china_cls", "src", "-j", "DROP"], [/* 40 vars */]) = 0
brk(0)                                  = 0x478d915340
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x2d41a066000
access("/etc/ld.so.preload", R_OK)      = -1 ENOENT (No such file or directory)
open("/etc/ld.so.cache", O_RDONLY|O_CLOEXEC) = 3
fstat(3, {st_mode=S_IFREG|0644, st_size=50384, ...}) = 0
mmap(NULL, 50384, PROT_READ, MAP_PRIVATE, 3, 0) = 0x2d41a059000
close(3)                                = 0
open("/lib64/libip4tc.so.0", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\220\33\0\0\0\0\0\0"..., 832) = 832
fstat(3, {st_mode=S_IFREG|0755, st_size=31024, ...}) = 0
mmap(NULL, 2126416, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x2d419c3f000
mprotect(0x2d419c46000, 2093056, PROT_NONE) = 0
mmap(0x2d419e45000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x6000) = 0x2d419e45000
close(3)                                = 0
open("/lib64/libip6tc.so.0", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0p\35\0\0\0\0\0\0"..., 832) = 832
fstat(3, {st_mode=S_IFREG|0755, st_size=31024, ...}) = 0
mmap(NULL, 2126416, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x2d419a37000
mprotect(0x2d419a3e000, 2093056, PROT_NONE) = 0
mmap(0x2d419c3d000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x6000) = 0x2d419c3d000
close(3)                                = 0
open("/lib64/libxtables.so.9", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\3609\0\0\0\0\0\0"..., 832) = 832
fstat(3, {st_mode=S_IFREG|0755, st_size=55056, ...}) = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x2d419a36000
mmap(NULL, 2152256, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x2d419828000
mprotect(0x2d419834000, 2097152, PROT_NONE) = 0
mmap(0x2d419a34000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0xc000) = 0x2d419a34000
close(3)                                = 0
open("/lib64/libc.so.6", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\360F\2\0\0\0\0\0"..., 832) = 832
fstat(3, {st_mode=S_IFREG|0755, st_size=1724464, ...}) = 0
mmap(NULL, 3837760, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x2d41947f000
mprotect(0x2d41961e000, 2097152, PROT_NONE) = 0
mmap(0x2d41981e000, 24576, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x19f000) = 0x2d41981e000
mmap(0x2d419824000, 16192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0x2d419824000
close(3)                                = 0
open("/lib64/libdl.so.2", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\220\17\0\0\0\0\0\0"..., 832) = 832
fstat(3, {st_mode=S_IFREG|0755, st_size=14392, ...}) = 0
mmap(NULL, 2109592, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x2d41927b000
mprotect(0x2d41927d000, 2097152, PROT_NONE) = 0
mmap(0x2d41947d000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x2000) = 0x2d41947d000
close(3)                                = 0
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x2d41a058000
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x2d41a057000
mmap(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0x2d41a056000
arch_prctl(ARCH_SET_FS, 0x2d41a057700)  = 0
mprotect(0x2d41981e000, 16384, PROT_READ) = 0
mprotect(0x2d41947d000, 4096, PROT_READ) = 0
mprotect(0x2d419a34000, 4096, PROT_READ) = 0
mprotect(0x2d419c3d000, 4096, PROT_READ) = 0
mprotect(0x2d419e45000, 4096, PROT_READ) = 0
mprotect(0x478b634000, 4096, PROT_READ) = 0
mprotect(0x2d41a068000, 4096, PROT_READ) = 0
munmap(0x2d41a059000, 50384)            = 0
stat("/usr/lib64/xtables/libxt_conntrack.so", {st_mode=S_IFREG|0755, st_size=32512, ...}) = 0
brk(0)                                  = 0x478d915340
brk(0x478d936340)                       = 0x478d936340
brk(0x478d937000)                       = 0x478d937000
open("/usr/lib64/xtables/libxt_conntrack.so", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0@\27\0\0\0\0\0\0"..., 832) = 832
fstat(3, {st_mode=S_IFREG|0755, st_size=32512, ...}) = 0
mmap(NULL, 2127808, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x2d419073000
mprotect(0x2d419079000, 2097152, PROT_NONE) = 0
mmap(0x2d419279000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x6000) = 0x2d419279000
close(3)                                = 0
mprotect(0x2d419279000, 4096, PROT_READ) = 0
socket(PF_INET, SOCK_RAW, IPPROTO_RAW)  = 3
fcntl(3, F_SETFD, FD_CLOEXEC)           = 0
lstat("/proc/net/ip_tables_names", {st_mode=S_IFREG|0440, st_size=0, ...}) = 0
statfs("/proc/net/ip_tables_names", {f_type="PROC_SUPER_MAGIC", f_bsize=4096, f_blocks=0, f_bfree=0, f_bavail=0, f_files=0, f_ffree=0, f_fsid={0, 0}, f_namelen=255, f_frsize=4096}) = 0
getsockopt(3, SOL_IP, 0x42 /* IP_??? */, "conntrack\0'\31\324\2\0\0\0\0\0\0\0\0\0\0\0\0\0\0\1\3", [30]) = 0
close(3)                                = 0
socket(PF_INET, SOCK_RAW, IPPROTO_RAW)  = 3
fcntl(3, F_SETFD, FD_CLOEXEC)           = 0
getsockopt(3, SOL_IP, 0x42 /* IP_??? */, "conntrack\0\243\31\324\2\0\0\0\0\0\0\0\0\0\0`\340G\31\1\3", [30]) = 0
close(3)                                = 0
socket(PF_INET, SOCK_RAW, IPPROTO_RAW)  = 3
fcntl(3, F_SETFD, FD_CLOEXEC)           = 0
getsockopt(3, SOL_IP, 0x42 /* IP_??? */, "conntrack\0\243\31\324\2\0\0\0\0\0\0\0\0\0\0\340\232\222\227\1\3", [30]) = 0
close(3)                                = 0
stat("/usr/lib64/xtables/libxt_set.so", {st_mode=S_IFREG|0755, st_size=14720, ...}) = 0
open("/usr/lib64/xtables/libxt_set.so", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\240\16\0\0\0\0\0\0"..., 832) = 832
fstat(3, {st_mode=S_IFREG|0755, st_size=14720, ...}) = 0
mmap(NULL, 2110016, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x2d418e6f000
mprotect(0x2d418e72000, 2093056, PROT_NONE) = 0
mmap(0x2d419071000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x2000) = 0x2d419071000
close(3)                                = 0
mprotect(0x2d419071000, 4096, PROT_READ) = 0
socket(PF_INET, SOCK_RAW, IPPROTO_RAW)  = 3
fcntl(3, F_SETFD, FD_CLOEXEC)           = 0
getsockopt(3, SOL_IP, 0x42 /* IP_??? */, 0x3ca97929a50, 0x3ca97929a4c) = -1 ENOENT (No such file or directory)
close(3)                                = 0
socket(PF_INET, SOCK_RAW, IPPROTO_RAW)  = 3
fcntl(3, F_SETFD, FD_CLOEXEC)           = 0
getsockopt(3, SOL_IP, 0x42 /* IP_??? */, 0x3ca97929a50, 0x3ca97929a4c) = -1 ENOENT (No such file or directory)
close(3)                                = 0
socket(PF_INET, SOCK_RAW, IPPROTO_RAW)  = 3
fcntl(3, F_SETFD, FD_CLOEXEC)           = 0
getsockopt(3, SOL_IP, 0x42 /* IP_??? */, 0x3ca97929ac0, 0x3ca97929abc) = -1 ENOENT (No such file or directory)
close(3)                                = 0
socket(PF_INET, SOCK_RAW, IPPROTO_RAW)  = 3
fcntl(3, F_SETFD, FD_CLOEXEC)           = 0
getsockopt(3, SOL_IP, 0x42 /* IP_??? */, 0x3ca97929ac0, 0x3ca97929abc) = -1 ENOENT (No such file or directory)
close(3)                                = 0
socket(PF_INET, SOCK_RAW, IPPROTO_RAW)  = 3
fcntl(3, F_SETFD, FD_CLOEXEC)           = 0
getsockopt(3, SOL_IP, 0x53 /* IP_??? */, "\0\1\0\0\6\0\0\0", [8]) = 0
getsockopt(3, SOL_IP, 0x53 /* IP_??? */, "\6\0\0\0\6\0\0\0\0\0ina_cls\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., [40]) = 0
close(3)                                = 0
stat("/usr/lib64/xtables/libxt_standard.so", {st_mode=S_IFREG|0755, st_size=6104, ...}) = 0
open("/usr/lib64/xtables/libxt_standard.so", O_RDONLY|O_CLOEXEC) = 3
read(3, "\177ELF\2\1\1\0\0\0\0\0\0\0\0\0\3\0>\0\1\0\0\0\200\6\0\0\0\0\0\0"..., 832) = 832
fstat(3, {st_mode=S_IFREG|0755, st_size=6104, ...}) = 0
mmap(NULL, 2101480, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0x2d418c6d000
mprotect(0x2d418c6e000, 2093056, PROT_NONE) = 0
mmap(0x2d418e6d000, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0) = 0x2d418e6d000
close(3)                                = 0
mprotect(0x2d418e6d000, 4096, PROT_READ) = 0
socket(PF_INET, SOCK_RAW, IPPROTO_RAW)  = 3
fcntl(3, F_SETFD, FD_CLOEXEC)           = 0
getsockopt(3, SOL_IP, 0x40 /* IP_??? */, "filter\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., [84]) = 0
getsockopt(3, SOL_IP, 0x41 /* IP_??? */, "filter\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., [22696]) = 0
setsockopt(3, SOL_IP, 0x40 /* IP_??? */, "filter\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0\0"..., 23144) = -1 ENOENT (No such file or directory)
close(3)                                = 0
write(2, "iptables: No chain/target/match "..., 46iptables: No chain/target/match by that name.
) = 46
exit_group(1)                           = ?
+++ exited with 1 +++
```

Some more info:

```
$ equery uses ipset
[ Legend : U - final flag setting for installation]
[        : I - package is installed with flag     ]
[ Colors : set, unset                             ]
 * Found these USE flags for net-firewall/ipset-6.16:
 U I
 - - modules : Build the kernel modules
```

and

```
$ equery uses iptables
[ Legend : U - final flag setting for installation]
[        : I - package is installed with flag     ]
[ Colors : set, unset                             ]
 * Found these USE flags for net-firewall/iptables-1.4.16.3:
 U I
 + + ipv6        : Adds support for IP version 6
 - - netlink     : Build against libnfnetlink which enables the nfnl_osf util
 - - static-libs : Build static libraries
```

I would appreciate any tips, hints or ideas  :Smile: 

----------

## Bones McCracker

Iptables is telling you that you need to enable the 'set' match and 'set' target (in the kernel config).
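As an added example (not from this thread, and not the poster's own commands): a POSIX shell check that reads a kernel `.config` and reports whether the two options that `iptables -m set` depends on, CONFIG_IP_SET and CONFIG_NETFILTER_XT_SET (the kernel symbol for the 'set' match and target), are actually usable. It treats `=m` as unusable when CONFIG_MODULES is off, which is exactly the trap on a no-modules hardened kernel like the one above. The function names and the embedded sample config are constructed for this example; the option names are the real kernel symbols, and the path you feed it (`zcat /proc/config.gz`, or `/usr/src/linux/.config`) is up to you.

```shell
#!/bin/sh
# Added example, not from the forum thread: verify that a kernel .config can
# support "iptables -m set". Assumes a plain-text .config (decompress
# /proc/config.gz first if that is your source).

# Print the value of one kernel option from a .config: "y", "m", or "n" when
# it is absent or written as "# CONFIG_X is not set".
kconfig_value() {
    # $1 = path to .config, $2 = option name (e.g. CONFIG_IP_SET)
    val=$(sed -n "s/^$2=\(.*\)$/\1/p" "$1" | tail -n 1)
    if [ -z "$val" ]; then
        echo n
    else
        echo "$val"
    fi
}

# Report whether the set match/target is usable on a kernel built from $1.
# Prints one verdict line; returns 0 when usable, 1 when something is missing.
# "=m" only counts when CONFIG_MODULES=y, since a no-modules kernel can never
# load the xt_set module that "m" would produce.
check_set_match_support() {
    cfg=$1
    modules=$(kconfig_value "$cfg" CONFIG_MODULES)
    ipset=$(kconfig_value "$cfg" CONFIG_IP_SET)
    xtset=$(kconfig_value "$cfg" CONFIG_NETFILTER_XT_SET)
    missing=""
    for pair in "CONFIG_IP_SET=$ipset" "CONFIG_NETFILTER_XT_SET=$xtset"; do
        name=${pair%%=*}
        value=${pair#*=}
        case $value in
            y) ;;
            m) [ "$modules" = y ] || missing="$missing $name(=m but CONFIG_MODULES unset)" ;;
            *) missing="$missing $name" ;;
        esac
    done
    if [ -z "$missing" ]; then
        echo "ok: set match/target usable"
        return 0
    fi
    echo "missing:$missing"
    return 1
}

# Constructed sample config resembling the poster's: ipset core built in,
# modules disabled, and the xt_set match/target never selected.
SAMPLE_CFG=$(mktemp)
trap 'rm -f "$SAMPLE_CFG"' EXIT
cat > "$SAMPLE_CFG" <<'EOF'
# CONFIG_MODULES is not set
CONFIG_NET_EMATCH_IPSET=y
CONFIG_IP_SET=y
CONFIG_IP_SET_MAX=256
CONFIG_IP_SET_HASH_NET=y
# CONFIG_NETFILTER_XT_SET is not set
EOF

# Usage: the verdict for the sample config is
#   missing: CONFIG_NETFILTER_XT_SET
if check_set_match_support "$SAMPLE_CFG"; then
    echo "kernel config looks fine for -m set"
else
    echo "fix the options above, rebuild the kernel, then retry iptables -m set"
fi
```

The same failure is visible in the strace in the thread: after `libxt_set.so` is loaded, the `getsockopt(3, SOL_IP, 0x42, ...)` calls (0x42 is IPT_SO_GET_REVISION_MATCH, the match-revision query) return ENOENT for the "set" match, while the earlier identical queries for "conntrack" succeed; the later `0x53` (SO_IP_SET) calls succeed because CONFIG_IP_SET itself is built in. So the userspace plugin and the set both exist, and only the kernel-side match is absent, which is what the config check above reports.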

----------

## irritum

I am frustrated. I was 1000% sure that I had marked this option in the kernel, so I wasn't looking at it at all.

Really, I have all options enabled in this kernel section but NOT this one.

I don't know how this could have happened.

Thank you very much for pointing me to it.

I owe you a beer  :Smile: . If you're ever in Poland, near Wroclaw, just let me know.

----------

## Bones McCracker

Glad I could help.

----------

