ipset is not useful in ubuntu, because kernel and iptables do not support it.

Bug #79182 reported by Stephen Thorne
Affects            Status        Importance  Assigned to  Milestone
Debian             Fix Released  Unknown
ipset (Ubuntu)     Fix Released  Undecided   Unassigned
  Nominated for Hardy by Niki Guldbrand
  Nominated for Intrepid by Niki Guldbrand
iptables (Ubuntu)  Fix Released  Undecided   Unassigned
  Nominated for Hardy by Niki Guldbrand
  Nominated for Intrepid by Niki Guldbrand
linux (Ubuntu)     Fix Released  Wishlist    Unassigned
  Nominated for Hardy by Niki Guldbrand
  Nominated for Intrepid by Niki Guldbrand

Bug Description

Binary package hint: ipset

Installing ipset allows you to interact with ipsets in a kernel that supports ipsets. There are no kernels or modules installable via apt that support ipsets.

If you download patch-o-matic-ng from the netfilter website, you can patch iptables, kernel and ipset.

I have managed to build a kernel that supports ipsets. With this kernel it is possible use the 'ipset' binary provided with the 'ipset' package to add/remove/alter ipsets.

A patched iptables does not build the 'set' module, and I can't figure out how to make it do that. It requires rebuilding iptables with sets support. I get this error:

$ iptables -m set
iptables v1.3.6: Couldn't load match `set':/lib/iptables/libipt_set.so: cannot open shared object file: No such file or directory

Without iptables supporting matching on sets, it is actually not possible to use an ipset. As a result, it is basically impossible to make this 'ipset' package useful in ubuntu.

I recommend adding a package that provides the kernel modules (ip_set_*) to universe, and altering iptables to support sets.

Revision history for this message
Paweł Paprota (ppawel) wrote :

I also wanted to use this package, but haven't even tried to install it after reading your bug report. I suspected that Ubuntu might not contain ipset patch...

This would be a great addition, although I'm not a kernel hacker and I'm not sure what's the impact of this patch, IMO it has to be decided how to proceed here.

My use case is that I set up Shorewall and want to use its built-in support for ipset to see how it performs with large rulesets - supposed to be very promising. But without manual kernel recompilation, it's not something you can do on Ubuntu now.

Morten Siebuhr (msiebuhr) wrote :

I've also looked at this for several projects, but I was somewhat confused that Ubuntu had the userspace tools, but not the kernelspace implementation compiled in...

Duane (duane-e164) wrote :

I went to try it on Ubuntu then, and what a waste of time, why build the userspace tools and no kernel module...

Duane (duane-e164) wrote :

Forgot to mention, thankfully iptables-restore is reasonably quick on a large > 6000 IP blacklist

Morten Siebuhr (msiebuhr) wrote :

Tested on 7.10 with same results - the kernel-space is missing...

Changed in ipset:
status: New → Confirmed
Niki Guldbrand (niki-guldbrand-net) wrote :

Seems like it's the same issue in both 8.04 and current 8.10 release.
I was hoping to use this in my firewall, but no luck :-|

Niki Guldbrand (niki-guldbrand-net) wrote :

Should have been 8.10 _Alpha_ release above

Jonas Bergler (jbergler) wrote :

Is there any progress on this? I don't understand the process for getting this sorted, but from what I can tell the ip_set module needs to either be built and included with the kernel or as another package; without this the ipset package should probably be flagged for removal.

mtd (tomasek) wrote :

It seems like bug reports are handled by an incompetent idiot. This bug report has existed for about two years now and no one has even assigned a priority to it. I can confirm that this bug exists in Ubuntu 8.04.2.

I don't want to recompile kernel and iptables every time I'm installing new version -- so would you please start doing something about this bug? Thanks.

Alexandre Kandalintsev (spam-messir) wrote :

Seems in 9.10 you can use module assistant to build ipset from source. Package named "ipset-source"

tags: added: review-request
Changed in linux (Ubuntu):
importance: Undecided → Wishlist
status: New → Triaged
tags: removed: review-request
Changed in debian:
status: Unknown → Incomplete
Changed in debian:
status: Incomplete → Fix Released
Morten Siebuhr (msiebuhr) wrote :

Turns out the Debian 'fixme' is to install the 'netfilter-extensions-source' package.

Its contents:
dpkg -L netfilter-extensions-source
/usr
/usr/src
/usr/src/netfilter-extensions.tar.bz2
/usr/share
/usr/share/doc
/usr/share/doc/netfilter-extensions-source
/usr/share/doc/netfilter-extensions-source/copyright
/usr/share/doc/netfilter-extensions-source/changelog.Debian.gz

Viewing the Debian changelog yields no useful information as to how to proceed. Neither does the .tar.bz2.

Igor Wawrzyniak (igor-tumus) wrote :

The ipset package is unusable, but you can get this software another way:
- install package xtables-addons-source
- build it with module-assistant auto-install (you can shorten it to m-a a-i) xtables-addons

gzarkadas (gzarkadas) wrote :

Works in Ubuntu Karmic (9.10) by building the ipset module (package 'ipset_source') with module-assistant:

sudo -i
# the source package is named ipset-source (Debian package names cannot contain underscores)
apt-get install ipset ipset-source
module-assistant prepare            # installs the kernel headers and build tools
module-assistant build ipset        # builds the ip_set* modules for the running kernel
module-assistant install ipset      # installs the resulting ipset-modules .deb
exit

ip sets can then be created and used as per documentation. See http://ubuntuforums.org/showthread.php?t=1590923 for an example.
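Once the ip_set module and the iptables 'set' match are both present, the use case the commenters describe (a blacklist of thousands of addresses) becomes one hash:ip set plus a single -m set rule instead of one iptables rule per address. The following is an added example, not code from this bug report or from the ipset project; it assumes a live set named "blacklist" and only prints an `ipset restore` batch for a temporary set, so that the live set can be swapped in atomically afterwards.

```shell
#!/bin/sh
# Added example, not code from the bug report. gen_restore turns a plain
# IP list into an 'ipset restore' batch that fills a *temporary* set
# (SETNAME_tmp). Nothing here touches the kernel; it only prints.

SET_NAME=blacklist        # assumed name of the live set

# Constructed sample input (documentation ranges, not real threat data):
# a comment, a malformed entry, an out-of-range octet and a duplicate.
SAMPLE_BLACKLIST='# constructed sample
192.0.2.10
198.51.100.7
not-an-ip
256.0.0.1
192.0.2.10
203.0.113.250'

# gen_restore SETNAME < iplist
# Prints an ipset restore batch for SETNAME_tmp. Blank and comment lines,
# entries that are not dotted quads with octets 0-255, and duplicates are
# dropped, so one bad line cannot abort the whole restore.
gen_restore() {
    tmp="${1}_tmp"
    echo "create $tmp hash:ip family inet hashsize 1024 maxelem 65536"
    awk -v set="$tmp" '
        /^[ \t]*#/ || /^[ \t]*$/ { next }    # skip comments and blank lines
        {
            ip = $1
            if (split(ip, o, ".") != 4) next
            ok = 1
            for (i = 1; i <= 4; i++)
                if (o[i] !~ /^[0-9]+$/ || o[i] + 0 > 255) ok = 0
            if (!ok || seen[ip]++) next      # reject malformed, drop repeats
            print "add " set " " ip
        }'
}

# Demonstration run on the sample list.
printf '%s\n' "$SAMPLE_BLACKLIST" | gen_restore "$SET_NAME"
```

Create the live set once with `ipset create blacklist hash:ip family inet hashsize 1024 maxelem 65536`, then apply each batch with `ipset restore < batch && ipset swap blacklist_tmp blacklist && ipset destroy blacklist_tmp` and match it with `iptables -I INPUT -m set --match-set blacklist src -j DROP`.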

Tom Wood (woodts) wrote :

The above steps in #13 do not fix the problem for 10.04 LTS. This is quite a useful feature for firewalls such as shorewall to leverage quick and easy changes to blacklists.

Igor A Tarasov (dicr) wrote :

Neither ipset-source nor xtables-addons-source compiles in Ubuntu 10.10.

When compiling, the error "‘struct xt_match_param’ declared inside parameter list" happens.

Igor A Tarasov (dicr) wrote :

Please include the ipset module in the Server kernel, because this is a very important netfilter module.

Igor A Tarasov (dicr) wrote :

Compiling xtables-addons fails:

In file included from /usr/src/modules/xtables-addons/compat_xtables.c:21:
/usr/src/modules/xtables-addons/compat_xtnu.h:87: warning: ‘struct xt_match_param’ declared inside parameter list
/usr/src/modules/xtables-addons/compat_xtnu.h:87: warning: its scope is only this definition or declaration, which is probably not what you want
/usr/src/modules/xtables-addons/compat_xtnu.h:103: warning: ‘struct xt_target_param’ declared inside parameter list
/usr/src/modules/xtables-addons/compat_xtables.c:212: warning: ‘struct xt_target_param’ declared inside parameter list
/usr/src/modules/xtables-addons/compat_xtables.c: In function ‘xtnu_target_run’:
/usr/src/modules/xtables-addons/compat_xtables.c:226: error: dereferencing pointer to incomplete type
/usr/src/modules/xtables-addons/compat_xtables.c:235: warning: passing argument 2 of ‘nt->target’ from incompatible pointer type
/usr/src/modules/xtables-addons/compat_xtables.c:235: note: expected ‘const struct xt_target_param *’ but argument is of type ‘const struct xt_target_param *’
/usr/src/modules/xtables-addons/compat_xtables.c: In function ‘xtnu_register_target’:
/usr/src/modules/xtables-addons/compat_xtables.c:327: warning: assignment from incompatible pointer type

Compiling ipset fails:

/usr/src/modules/ipset/ipt_set.c:89: warning: ‘struct xt_match_param’ declared inside parameter list
/usr/src/modules/ipset/ipt_set.c:89: warning: its scope is only this definition or declaration, which is probably not what you want
/usr/src/modules/ipset/ipt_set.c: In function ‘match’:
/usr/src/modules/ipset/ipt_set.c:95: error: dereferencing pointer to incomplete type
/usr/src/modules/ipset/ipt_set.c: At top level:
/usr/src/modules/ipset/ipt_set.c:215: warning: initialization from incompatible pointer type
/usr/src/modules/ipset/ipt_set.c:217: warning: initialization from incompatible pointer type

So, ipset module can not be compiled in Ubuntu !!!

Izak Fourie (izak-fourie) wrote :

Can confirm that this cannot build on 10.10.

Would really like to get this module included in the kernel, there are just so many uses for "sets" of ip addresses (blacklisting being at the top of my list).

I automatically blacklist IPs for portscans etc. and my current blacklist sits at just over 8000 IPs...

Mark A. Ziesemer (ziesemer) wrote :

I have ipset working under 10.10, though without the default Ubuntu packages. I don't understand how the debbugs #485182 upstream report is closed as "Fix Released".

I spent some time on #Netfilter on IRC, and have "sqft" (Jan Engelhardt?) to thank for most of this information.

First, to clarify - by default, even with the use of kernel modules, ipset still requires a kernel patch (netlink.patch) from the ipset sources for the module to work. This patch is not yet in any known released kernel version. However, it is checked into one of the trees at kernel.org, shown at http://git.kernel.org/?p=linux/kernel/git/kaber/nf-next-2.6.git;a=commit;h=f703651ef870bd6b94ddc98ae07488b7d3fd9335 . Per sqft, this should move to davem/net-next, then finally be pulled into linus/master. Apparently, this should happen within about 10 weeks, but will miss the upcoming 2.6.38 kernel, which is already in RC status, and which I understand will be the kernel in Natty (11.04). The good news of all this is that this patch should be ready for the following 11.10 release, at which point no more kernel patching would be necessary, if I understand all this correctly.

Given the trivial nature of this patch (4 edits across 2 files), the interest in this bug report, and that this patch should be included in the following kernel release anyway - I wonder if Ubuntu might be able to include this patch for the 11.04 release, as the kernel is rebuilt for Ubuntu anyway. This would prevent most users from having to wait another 6 months for a usable ipset. For users such as myself who plan to patch their kernel for this, it would save us from having to re-compile with each subsequent kernel update.

If including this kernel patch is not possible, I would think that the ipset packages should be removed from Ubuntu, as I don't see how they can be used until this patch is included.

As noted by Igor in the comments above and also suggested by sqft, the xtables-addons project should be able to support ipset without requiring kernel patching, as it uses genlink instead of netlink for the kernel/user-space communications. Again, without using the packages supplied by Ubuntu, I tried using both the ipset 5.4.1-genl and 6.0-genl packages from http://dev.medozas.de/gitweb.cgi?p=ipset (as I only wanted ipset, and not everything else in xtables-addons). While both compiled without issue, both "make tests" and several attempts at actual use failed with a "Kernel error received: Resource temporarily unavailable" error. So the "genlink" patches appear suspect for ipset.

After patching the kernel and re-compiling the kernel, I was able to successfully build and use ipset 6.0. I also updated iptables from 1.4.4 to 1.4.10 for IPv6 support in ipset, per ipset's README - though I've not yet tested IPv6 functionality with ipset.

Sten Spans (sten-blinkenlights) wrote :

IP-set has been merged for the coming 2.6.39 release, which should make these packages usable by default.
I'd suggest enabling the feature in the kernel, and that someone verifies which user-land sources are needed
to manage the kernel functionality.

FrancisT (francis-turner) wrote :

Note: this webpage describes a workaround that works for maverick - http://pepoluan.posterous.com/powertip-howto-install-ipset-on-ubuntu

I haven't tested it on natty

dc (darkcharl) wrote :

FYI, ipset is working in Oneiric with iptables v1.4.10 and xtables-addons v1.35, under kernel 3.0.0-10.

dc (darkcharl) wrote :

It'd be great if someone else could confirm.

Igor A Tarasov (dicr) wrote :

Yes, xtables-addons works with ipset, BUT xtables-addons is not included in Ubuntu.
I'm using xtables-addons as a workaround too..

Jamie Strandboge (jdstrand) wrote :

Marking the iptables task as Fix Released as /lib/xtables/libxt_set.so is shipped now.

Changed in iptables (Ubuntu):
status: New → Fix Released
Oibaf (oibaf) wrote :

Kernel module is in 12.04, ipset will be updated.

Changed in linux (Ubuntu):
status: Triaged → Fix Released
Oibaf (oibaf) wrote :

See bug 979682 for newer ipset.

Changed in ipset (Ubuntu):
status: Confirmed → Fix Committed
Oibaf (oibaf) wrote :

Fixed in 12.04, reopen if needed.

Changed in ipset (Ubuntu):
status: Fix Committed → Fix Released
Whit Blauvelt (whit-launchpad) wrote :

Detected an error with ipset utility :
ipset v4.5, protocol version 4.
ipset v4.5: Kernel ip_set module is of protocol version 6.I'm of protocol version 4.
Please upgrade your kernel and/or ipset(8) utillity.

That's running a FirewallBuilder script on Ubuntu 11.10. So the ipset utility does not match the 3.0.0-20-virtual kernel.

Oibaf (oibaf) wrote :

It's fixed on Ubuntu 12.04.
