Why ipset Succeeds with IPv4 Ranges but Fails with IPv6 Range

ipsetiptablesipv6

Using ipset to clean up bulky iptable rulesets does not seem so different between IPv4 and IPv6:

# ipset create TEST hash:net family inet
# ipset create DEMO hash:net family inet6
# iptables -A INPUT -m set --match-set TEST src -j DROP
# ip6tables -A INPUT -m set --match-set DEMO src -j DROP

However, upon adding ip ranges, unexpected errors occur only for IPv6 ranges:

# ipset add TEST 192.0.2.0-192.0.2.127
# ipset add DEMO 2001:db8::-2001:db8::ffff
ipset v6.34: Syntax error: IP address or IP/cidr must be specified: 2001:db8::-2001:db8::ffff

This is unexpected, as ipset appears to be able to parse these IPv6 addresses:

# ipset add DEMO 2001:db8::/112
# ipset del DEMO 2001:db8::/112
# ipset add DEMO 2001:db8::ffff/112
# ipset -L DEMO | tail -2
Members:
2001:db8::/112

Why would ipset accept fromaddr-toaddr ranges for IPv4 but consider the same thing a syntax error for IPv6?

Best Answer

The fromaddr-toaddr syntax is only supported for IPv4. Use cidr notation to add IPv6 ranges.

For the inet family one can add or delete multiple entries by specifying a range or a network of IPv4 addresses in the IP address part of the entry - man 8 ipset

Why is it recommended to use `/127` for point to point links?

For the specific case of point-to-point links, /127 is recommended instead of /64 in order to avoid a vulnerability where packets addressed to any one of the quadrillions of unused addresses on the subnet cause unwanted neighbour solicitation requests and table entries that could drown a router. Such misaddressed packets may be malicious or accidental. But even if you actually configure a point-to-point link as /127, some people advocate assigning a whole /64 anyway just to be consistent.

Why would virtual machines be provisioned with subnets narrower than `/64`?

I don't know specifically why virtual machines would be provisioned with subnets narrower than /64. Perhaps because a hosting provider assumed that a server was like an end-user and required only a single /64 subnet, not anticipating that the server would actually be a collection of VMs requiring an internal routing topology? It could be done also simply as a matter of making the addressing plan easier to memorize: the host gets PREFIX::/64, then each VM gets PREFIX:0:NNNN::/96 where NNNN is unique to the VM and the VM can allocate PREFIX:0:NNNN:XXXX:YYYY as it pleases.

Can I map directly from IPv4 subnets to IPv6 subnets? For instance, does an IPv4 `/24` correspond directly to an IPv6 `/56` or `/120`?

From a low-level perspective of how addressing and routing works, the prefix length has the same meaning in IPv6 and IPv4. On that level, you can make an analogy such as "an IPv4 /16 uses half the bits for the network address and half the bits for the host address, that's like a /64 in IPv6". But this comparison is not really apt. Strong conventions have emerged in IPv6 which make the divisions of network sizes look somewhat more like the old world of classful networks in IPv4. To be sure, IPv6 didn't reintroduce classful addressing in which the most significant few bits of the address force a particular netmask, but what IPv6 does have is certain [de facto/conventional] standard network sizes:

/64: the basic size of a single subnet: LAN, WAN, block of addresses for web virtual hosts, etc... "Normal" subnets are never expected to be any narrower (longer prefix) than /64. No subnets are ever expected to be wider (shorter prefix) than /64 since a /64's worth of host addresses is much more than we can imagine needing.
/56: a block of 256 basic subnets. Even though current policies permit ISPs to hand out blocks as large as /48 to every end user and still consider their address utilisation well justified, some ISPs may (and already do) choose to allocate a /56 to consumer-grade customers as a compromise between allocation lots of subnets for them and address economy.
/48: a block of 65536 basic subnets and the recommended size of block that every ISP customer end site should receive.
/32: the default size of block that most ISPs will receive each time they request more addresses from a regional address registry.

Inside service provider and enterprise networks, many more prefix lengths than these 4 can be seen. When looking at the routing tables of routers inside these networks, IPv4 and IPv6 have much in common including most of the way routing works: routes for longer prefixes override covering routes for shorter prefixes, so it is possible to aggregate (make shorter) and drill down (make longer) routes. Like in IPv4, routes can be aggregated or summarized to larger blocks with shorter prefixes in order to minimize the size of routing tables.

A different question of mapping between IPv4 and IPv6 would be how to harmonize IPv4 and IPv6 assignments on dual-stack machines so that addressing plans can be readily understood. Far that, there are certainly conventions in common use to do this: embed the IPv4 "subnet number" into a portion of the IPv6 prefix, either with BCD (e.g. 10.0.234.0/24 becomes 2001:db8:abcd:234::/64) or binary (10.0.234.0/24 becomes 2001:db8:abcd:ea::/64).

My interfaces have several IPv6 addresses. Must the subnet be the same for all of them?

Absolutely not! IPv6 hosts are expected to be able to be multihomed by having several IP addresses simultaneously that come from different subnets, just like IPv4. If they are autoconfigured with SLAAC then the different subnets might have come from router advertisements from different routers.

Why do I sometimes see a % rather than a / in an IPv6 address and what does it mean?

You would not see one instead of the other. They have different meanings. A slash denotes a prefix (subnet), meaning a block of addresses that all start with the same n bits. An address without a slash is a host address. You may think of such an address as having an implied /128 at the end, meaning all 128 bits are specified.

The percent sign accompanies a link-local address. In IPv6, every interface has a link-local address in addition to any other IP addresses it might have. But the thing is, link-local addresses are always, without exception, in the fe80::/10 block. But if we attempt to talk to a peer using a link local address and the local host has multiple interfaces, how are we to know which interface to use to talk to this peer? Normally the routing table tells us which interface to use for a particular prefix, but here it will tell us than fe80::/10 is reachable via every interface.

The answer is that we must tell it which interface to use using the syntax address%interface. For example, fe80::1234:5678:8765:4321%eth0.

Am I wasting too many subnets? Aren't we just going to run out again?

Nobody knows. Who can tell the future?

But consider this. In IPv6 the number of available subnets is the square of the number of available individual addresses in IPv4. That's really quite a lot. No, I mean really quite a lot!

But still: we are automatically handing out a /32 to any ISP who requests one, we are handing out a /48 to every single ISP customer. Perhaps we're exaggerating and we will squander IPv6 after all. But there is a provision for this: Only one eighth of the IPv6 space has been made available for use so far: 2000::/3. The idea is that if we make a horrible mess of the first eighth and we have to drastically revise the liberal allocation policies, we get to try 7 more times before we're in trouble.

And finally: IPv6 doesn't have to last forever. Perhaps it will have a longer lifetime than IPv4 (an impressive lifetime already and it's not over) but like every technology it will someday stop mattering. We only need to make it until then.

CentOS Iptables Fail2Ban – Fix ‘Set Does Not Exist’ Error in Fail2Ban

The ipset command requires IP SET support in the kernel. Specifically, you would be looking for the following settings:

CONFIG_IP_SET=m
CONFIG_IP_SET_HASH_IP=m

And it seems that your kernel is built without ipset support, or at the least, it cannot find these modules. Solve that issue and your error should go away.

Try running find /lib/modules/$(uname -r) -name ip_set.ko to see if you current kernel supports them, and also find /lib/modules -name ip_set.ko to see if any of the installed kernel supports them.

If you need more help, you would have to tell us:

What version of CentOS you are using
What kernel you are running
How you installed fail2ban (from the EPEL repository or manually?)

I should also note that the version of ipset reported in your question (6.19) is what CentOS 7 comes with, so if you are using the original kernel and fail2ban from the EPEL repo everything should just work.

CentOS 6.5 also has support for ip sets and fail2ban is available in EPEL for CentOS 6. These should also work fine.

However, if you are running CentOS 5, then you are likely out of luck. You may have some luck building the modules that ipset comes with, but I am not sure the CentOS 5 kernel is supported at all. If you actually managed to pull that off, and later upgraded the kernel, then it is just a matter of rebuilding the modules for the new kernel.

Best Answer

Related Solutions

IPv6 – How IPv6 Subnetting Works and Differs from IPv4 Subnetting

Why is it recommended to use /127 for point to point links?

Why would virtual machines be provisioned with subnets narrower than /64?

Can I map directly from IPv4 subnets to IPv6 subnets? For instance, does an IPv4 /24 correspond directly to an IPv6 /56 or /120?