| View previous topic :: View next topic |
| Author |
Message |
rsa4046
l33t
Joined: 07 Feb 2005
Posts: 660
Location: The Big H, a bit SSW
|
 Posted: Thu Jul 28, 2016 6:06 pm Post subject: ipset and kernel modules conflict? [SOLVED] |
 |
|
Trying to emerge ipset, which is (at least as I understand from here ) the user utility to manipulate ipsets within the linux kernel. Per Gentoo's IPSet Wiki page, one needs the following in kernel settings: | Code: | [*] Networking support --->
Networking options --->
[*] Network packet filtering framework (Netfilter) --->
<M> IP set support --->
Core Netfilter Configuration --->
<M> set target and match support |
I do indeed have IPSET support: | Code: | # grep CONFIG_IP_SET .config
CONFIG_IP_SET=m
...
CONFIG_IP_SET_HASH_NET=m |
and target and match support | Code: | # grep CONFIG_NETFILTER_XT_SET .config
CONFIG_NETFILTER_XT_SET=m |
and of course the sets I wants to apply, in my case: | Code: | <M> IP set support --->
<M> hash:net set support |
So far so good. However, portage complains that the package requires the following: | Code: | # emerge -va ipset
These are the packages that would be merged, in order:
Calculating dependencies... done!
[ebuild N ] net-firewall/ipset-6.24::gentoo USE="modules" 0 KiB
Total: 1 package (1 new), Size of downloads: 0 KiB
Would you like to merge these packages? [Yes/No] y
>>> Verifying ebuild manifests
>>> Emerging (1 of 1) net-firewall/ipset-6.24::gentoo
* ipset-6.24.tar.bz2 SHA256 SHA512 WHIRLPOOL size ;-) ... [ ok ]
* Determining the location of the kernel source code
* Found kernel source directory:
* /usr/src/linux
* Found kernel object directory:
* /lib/modules/4.6.4-gentoo/build
* Found sources for kernel version:
* 4.6.4-gentoo
* There is IP{,_NF}_SET or NETFILTER_XT_SET support in your kernel.
* Please either build ipset with modules USE flag disabled
* or rebuild kernel without IP_SET support and make sure
* there is NO kernel ip_set* modules in /lib/modules/<your_kernel>/... .
* ERROR: net-firewall/ipset-6.24::gentoo failed (setup phase):
* USE=modules and in-kernel ipset support detected.
*
* Call stack:
* ebuild.sh, line 133: Called pkg_setup
* ipset-6.24.ebuild, line 48: Called die
* The specific snippet of code:
* die "USE=modules and in-kernel ipset support detected."
*
* If you need support, post the output of `emerge --info '=net-firewall/ipset-6.24::gentoo'`,
* the complete build log and the output of `emerge -pqv '=net-firewall/ipset-6.24::gentoo'`.
* The complete build log is located at '/var/tmp/portage/net-firewall/ipset-6.24/temp/build.log'.
* The ebuild environment file is located at '/var/tmp/portage/net-firewall/ipset-6.24/temp/die.env'.
* Working directory: '/usr/lib64/python2.7/site-packages'
* S: '/var/tmp/portage/net-firewall/ipset-6.24/work/ipset-6.24'
|
In other words, USE=modules and in-kernel ipset support are mutally exclusive. But this seems at odds with the wiki. Can anyone give me some guidance here?
_________________
I love gentoo, but I am certainly no guru, despite what it says above.
Last edited by rsa4046 on Fri Jul 29, 2016 4:58 pm; edited 1 time in total |
|
| Back to top |
|
 |
Syl20
l33t
Joined: 04 Aug 2005
Posts: 619
Location: France
|
| Posted: Fri Jul 29, 2016 12:36 pm Post subject: Re: ipset and kernel modules conflict? |
|
|
| rsa4046 wrote: | | Code: | * Found sources for kernel version:
* 4.6.4-gentoo |
|
Certainly a dumb question, but is it the right kernel version ? |
|
| Back to top |
|
|
rsa4046
l33t
Joined: 07 Feb 2005
Posts: 660
Location: The Big H, a bit SSW
|
| Posted: Fri Jul 29, 2016 4:57 pm Post subject: Re: ipset and kernel modules conflict? [SOLVED] |
|
|
| Syl20 wrote: | | rsa4046 wrote: | | Code: | * Found sources for kernel version:
* 4.6.4-gentoo |
|
Certainly a dumb question, but is it the right kernel version ? |
Hi Syl20, thanks for the reply. I checked this, and upgraded the kernel as well: | Code: | $ uname -a
Linux dolomit 4.7.0-gentoo #3 SMP PREEMPT Fri Jul 29 16:42:18 CEST 2016 x86_64 Intel(R) Xeon(R) CPU E5-1650 0 @ 3.20GHz GenuineIntel GNU/Linux |
but with same complaint by portage.
Next I did as portage insisted, and removed support for IP_SET and NETFILTER_XT_SET and rebuilt the kernel. With this, some progress: the build phase succeeded, but then failed at the install (modules) step.
In the end I just turned off the modules USE flag -- this did succeed: | Code: | # eix ipset -I
[I] net-firewall/ipset
Available versions: 6.24 {modules KERNEL="linux"}
Installed versions: 6.24(05:15:02 PM 07/29/2016)(-modules KERNEL="linux")
Homepage: http://ipset.netfilter.org/
Description: IPset tool for iptables, successor to ippool |
I guess I misunderstood how the tool works, in that it handles all ipset functions, whereas I thought its purpose was simply to administer kernel modules. Anways, I created ipset rules, saved them, started ipset, and then (as described in the wiki) added this set to iptables rules. So it does work, guess I just confused myself over the details of who has doing what. Solved. |
|
| Back to top |
|
|
gordonb3
Apprentice
Joined: 01 Jul 2015
Posts: 185
|
| Posted: Thu Aug 04, 2016 1:51 pm Post subject: |
|
|
| How about setting USE="-modules" for the ipset package? |
|
| Back to top |
|
|
rsa4046
l33t
Joined: 07 Feb 2005
Posts: 660
Location: The Big H, a bit SSW
|
| Posted: Thu Aug 04, 2016 4:04 pm Post subject: |
|
|
| gordonb3 wrote: | | How about setting USE="-modules" for the ipset package? |
Hi Gordon, thanks for the reply. That's exactly what I did, and indeed this worked just fine. I believe I just misunderstood the functionality of the package itself and the way it interacts with the kernel modules. With | Code: | | net-firewall/ipset -modules |
in /etc/portage/package.use, ipset installs and works great, really useful. Thanks again-- 
_________________
I love gentoo, but I am certainly no guru, despite what it says above. |
|
| Back to top |
|
|
gordonb3
Apprentice
Joined: 01 Jul 2015
Posts: 185
|
| Posted: Thu Aug 04, 2016 6:16 pm Post subject: |
|
|
| Obviously Gentoo is all source. The "problem" with this particular package being that the custom kernel modules made it to mainstream. The logical choice here is to use the modules (or build ins) from the kernel source because you are likely to use your old config if you are building a new kernel and consequently will not have to rebuild the ipset package when switching kernels. Every now and then I still tend to forget that I need to rebuild other packages when upgrading a kernel and e.g. the firewall doesn't start because I have a xtables target in my rules that Linus annoyingly keeps refuses to add to the kernel sources. And I'm using that target for some twenty years now! |
|
| Back to top |
|
|
|
|
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
|
|
Networking & Security
