tc tool does not accept ipset match
| Affects | Status | Importance | Assigned to | Milestone | |
|---|---|---|---|---|---|
| iproute2 (Ubuntu) |
Confirmed
|
Undecided
|
Unassigned | ||
Bug Description
Steps to reproduce:
tc qdisc add dev eth0 root handle 1: htb
tc class add dev eth0 parent 1: classid 1:1 htb rate 1024Kbit
ipset create mytest hash:net
tc filter add dev eth0 protocol ip parent 1:0 prio 1 basic match 'ipset(mytest src)' classid 1:1
Last command fails with the message:
Unknown ematch "ipset"
Illegal "ematch"
It works well with 18.04. On 20.04 machine it also works fine inside Ubuntu 18.04 LXD container.
ProblemType: Bug
DistroRelease: Ubuntu 20.04
Package: iproute2 5.5.0-1ubuntu1
ProcVersionSign
Uname: Linux 5.4.0-51-generic x86_64
NonfreeKernelMo
ApportVersion: 2.20.11-0ubuntu27.9
Architecture: amd64
CasperMD5CheckR
Date: Mon Mar 22 16:18:17 2021
SourcePackage: iproute2
UpgradeStatus: No upgrade log present (probably fresh install)
| Timur Irmatov (irmatov) wrote | #1 |
| Florian Lohoff (fl0l0) wrote | #2 |
| Changed in iproute2 (Ubuntu): | |
| status: | New → Confirmed |
This is caused be mismatch between Kernel and iproute2 version. The kernel v5 offers ipset v7 which causes iproute to not be built with ematch ipset functionality.
This has been fixed in iproute upstream in - its a one line fix - Pulling this into iproute2 and rebuilding (After committing it) works.
https:/
commit 650591a7a70cd79
Author: Tony Ambardar <email address hidden>
Date: Tue Jul 7 00:58:33 2020 -0700
configure: support ipset version 7 with kernel version 5
The configure script checks for ipset v6 availability but doesn't test
for v7, which is backward compatible and used on kernel v5.x systems.
Update the script to test for both ipset versions. Without this change,
the tc ematch function em_ipset will be disabled.
Signed-off-by: Tony Ambardar <email address hidden>
Signed-off-by: Stephen Hemminger <email address hidden>