Comment 19 for bug 79182

Mark A. Ziesemer (ziesemer) wrote :

I have ipset working under 10.10, though without the default Ubuntu packages. I don't understand how the debbugs #485182 upstream report is closed as "Fix Released".

I spent some time on #Netfilter on IRC, and have "sqft" (Jan Engelhardt?) to thank for most of this information.

First, to clarify - by default, even with the use of kernel modules, ipset still requires a kernel patch (netlink.patch) from the ipset sources for the module to work. This patch is not yet in any known released kernel version. However, it is checked into one of the trees at kernel.org, shown at http://git.kernel.org/?p=linux/kernel/git/kaber/nf-next-2.6.git;a=commit;h=f703651ef870bd6b94ddc98ae07488b7d3fd9335 . Per sqft, this should move to davem/net-next, then finally be pulled into linus/master. Apparently, this should happen within about 10 weeks, but will miss the upcoming 2.6.38 kernel, which is already in RC status, and which I understand will be the kernel in Natty (11.04). The good news of all this is that this patch should be ready for the following 11.10 release, at which point no more kernel patching would be necessary, if I understand all this correctly.

Given the trivial nature of this patch (4 edits across 2 files), the interest in this bug report, and that this patch should be included in the following kernel release anyway - I wonder if Ubuntu might be able to include this patch for the 11.04 release, as the kernel is rebuilt for Ubuntu anyway. This would prevent most users from having to wait another 6 months for a usable ipset. For users such as myself who plan to patch their kernel for this, it would save us from having to re-compile with each subsequent kernel update.

If including this kernel patch is not possible, I would think that the ipset packages should be removed from Ubuntu, as I don't see how they can be used until this patch is included.

As noted by Igor in the comments above and also suggested by sqft, the xtables-addons project should be able to support ipset without requiring kernel patching, as it uses genlink instead of netlink for the kernel/user-space communications. Again, without using the packages supplied by Ubuntu, I tried using both the ipset 5.4.1-genl and 6.0-genl packages from http://dev.medozas.de/gitweb.cgi?p=ipset (as I only wanted ipset, and not everything else in xtables-addons). While both compiled without issue, both "make tests" and several attempts at actual use failed with a "Kernel error received: Resource temporarily unavailable" error. So the "genlink" patches appear suspect for ipset.

After patching the kernel and re-compiling the kernel, I was able to successfully build and use ipset 6.0. I also updated iptables from 1.4.4 to 1.4.10 for IPv6 support in ipset, per ipset's README - though I've not yet tested IPv6 functionality with ipset.