Bug 196234 - Feature Request: Please Include netfilter "ipset" tools in fc6 "iptables" build!
Keywords:
Status: CLOSED DUPLICATE of bug 706624
Alias: None
Product: Fedora
Classification: Fedora
Component: iptables
Version: rawhide
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: James Antill
QA Contact: Ben Levenson
URL: http://www.netfilter.org/projects/ips...
Whiteboard:
Depends On:
Blocks:
Reported: 2006-06-22 06:10 UTC by c.h.
Modified: 2011-11-19 03:29 UTC

Fixed In Version:
Doc Type: Enhancement
Doc Text:
Clone Of:
Environment:
Last Closed: 2011-05-23 16:02:25 UTC
Type: ---
Embargoed:



Description c.h. 2006-06-22 06:10:28 UTC
Description of problem:

IPTABLES has long been included in Fedora.

IPSET is an optional component of IPTABLES (like many optional ones that *are*
included by default in Fedora's iptables build/package) that dramatically improves
administrative and operational efficiency of IPTABLES rule set generation
and processing, allowing one to define rules based on sets of addresses at a time.

The existing documentation / manpage for iptables in FC5 refers to IPSET, though
the commands / functionality appears to be absent in the iptables distributed.

Adding ipset in to the distribution would be easy and would facilitate many
sysadmins usages where efficient filtering operations on sets of addresses
need to be done, and would be without impact / risk to any users not making
use of that modular functionality.

Adding ipset "manually" to a distribution which lacks it, however, is difficult
in that replacing / recompiling against low level packages such as iptables,
the kernel, et al. must be done, causing down time and requiring significant
specialized knowledge and time.

Thanks & keep up the good work!

http://www.netfilter.org/projects/ipset/index.html

What is ipset?

IP sets are a framework inside the Linux 2.4.x and 2.6.x kernel, which can be
administered by the ipset utility. Depending on the type, currently an IP set
may store IP addresses, (TCP/UDP) port numbers or IP addresses with MAC
addresses in a way, which ensures lightning speed when matching an entry against
a set.

If you want to

    * store multiple IP addresses or port numbers and match against the
collection by iptables at one swoop
    * dynamically update iptables rules against IP addresses or ports without
performance penalty
    * express complex IP address and ports based rulesets with one single
iptables rule and benefit from the speed of IP sets

then ipset may be the proper tool for you. 

http://ipset.netfilter.org/


IP sets was written by Jozsef Kadlecsik and it is based on ippool by Joakim
Axelsson, Patrick Schaaf and Martin Josefsson.
Many thanks to them for their wonderful work! 


Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1.
2.
3.
  
Actual results:


Expected results:


Additional info:
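
What the description quoted in the report means in practice, as an added example that is not part of the original report or of the ipset project: one iptables rule refers to a named set, and the set's contents are rebuilt and swapped in atomically. The set name `blocklist`, the helper names and the sample addresses are assumptions constructed for illustration; the syntax is that of the ipset 6.x series mentioned in Comment 5.

```shell
#!/bin/sh
# Added example (not from the bug report). Generates text for `ipset restore`.
# Assumed one-time setup on the firewall host, run as root:
#   iptables -I INPUT -m set --match-set blocklist src -j DROP
# Assumed use of the output:  build_restore blocklist < list | ipset -exist restore

# is_ipv4 ADDR[/PREFIX]: succeed only for a well-formed IPv4 address or CIDR.
is_ipv4() {
    addr=${1%%/*}
    case $1 in
        */*) pfx=${1#*/}
             case $pfx in ''|*[!0-9]*|???*) return 1 ;; esac
             [ "$pfx" -le 32 ] || return 1 ;;
    esac
    case $addr in ''|*[!0-9.]*|.*|*.|*..*) return 1 ;; esac
    oldifs=$IFS; IFS=.
    set -- $addr            # split into octets (digits and dots only here)
    IFS=$oldifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do
        [ ${#o} -le 3 ] && [ "$o" -le 255 ] || return 1
    done
}

# build_restore SET: read one entry per line on stdin ('#' starts a comment).
# Entries are loaded into SET-new, which is then swapped with SET, so the
# single iptables rule never matches against a half-filled set.
build_restore() {
    set_name=$1
    tmp_name="${set_name}-new"
    echo "create $set_name hash:net"
    echo "create $tmp_name hash:net"
    echo "flush $tmp_name"
    sed -e 's/#.*//' -e 's/[[:space:]]//g' | sort -u | while IFS= read -r line; do
        [ -n "$line" ] || continue
        if is_ipv4 "$line"; then
            echo "add $tmp_name $line"
        else
            echo "skipped invalid entry: $line" >&2   # never passed to ipset
        fi
    done
    echo "swap $tmp_name $set_name"
    echo "destroy $tmp_name"
}

# Constructed sample input (RFC 5737 documentation addresses).
build_restore blocklist <<'EOF'
198.51.100.7
203.0.113.0/24   # constructed range
not-an-ip
EOF
```

Updating the address list later only requires re-running the generator and `ipset restore`; the iptables rule set itself is not touched.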

Comment 1 Thomas Woerner 2007-08-02 11:58:50 UTC
ipset requires big kernel patches from patch-o-matic-ng. I am sorry, but for
now, this is not possible.

Deferring for now.

Comment 2 netbeans 2010-02-23 17:40:24 UTC
It's now Feb 23, 2010. It's been 4 years since this request. It's about 2.5 years since it's been "Deferred".
I have been running with it since Fedora 4.
Now I have upgraded one machine to Fedora 12, I am RATHER surprised that this firewall/iptable management tool is not included.

So is it still Deferred? It wasn't that difficult when I installed the feature so many years ago.

Comment 3 Thomas Woerner 2010-06-02 15:25:38 UTC
Please open a bug against kernel. It has to be added there first.

Comment 4 netbeans 2010-06-02 15:49:29 UTC
This issue/request was opened as a bug against the kernel in June 2006 - first.

What has changed so that this request does not become (IMHO) improperly "Closed Deferred" again?

Comment 5 Chen Lei 2011-05-23 15:55:00 UTC
ipset modules were accepted in kernel 2.6.39, ipset 6.5 could be packaged for Fedora 16 now.

Comment 6 Chen Lei 2011-05-23 16:02:25 UTC

*** This bug has been marked as a duplicate of bug 706624 ***

