This service will be undergoing maintenance at 00:00 UTC, 2016-09-28. It is expected to last about 1 hours
Bug 196234 - Feature Request: Please Include netfilter "ipset" tools in fc6 "iptables" build!
Feature Request: Please Include netfilter "ipset" tools in fc6 "iptables" build!
Status: CLOSED DUPLICATE of bug 706624
Product: Fedora
Classification: Fedora
Component: iptables (Show other bugs)
rawhide
All Linux
medium Severity medium
: ---
: ---
Assigned To: James Antill
Ben Levenson
http://www.netfilter.org/projects/ips...
: FutureFeature, Reopened
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2006-06-22 02:10 EDT by c.h.
Modified: 2011-11-18 22:29 EST (History)
4 users (show)

See Also:
Fixed In Version:
Doc Type: Enhancement
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2011-05-23 12:02:25 EDT
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:


Attachments (Terms of Use)

  None (edit)
Description c.h. 2006-06-22 02:10:28 EDT
Description of problem:

IPTABLES has long been included in Fedora.

IPSET is an optional component of IPTABLES (like many optional ones that *are*
included by default in Fedora's iptables build/package) that dramatically improves
administrative and operational efficiency of IPTABLES rule set generation
and processing, allowing one to define rules based on sets of adddresses at a time.

The existing documentation / manpage for iptables in FC5 refers to IPSET, though
the commands / functionality appears to be absent in the iptables distributed.

Adding ipset in to the distribution would be easy and would facilitate many
sysadmins usages where efficient filtering operations on sets of addresses
need to be done, and would be without impact / risk to any users not making
use of that modular functionality.

Adding ipset "manually" to a distribution which lacks it, however, is difficult
in that replacing / recompiling against low level packages such as iptables,
the kernel, et. al. must be done, causing down time and requiring significant
specialized knowledge and time.

Thanks & keep up the good work!

http://www.netfilter.org/projects/ipset/index.html

What is ipset?

IP sets are a framework inside the Linux 2.4.x and 2.6.x kernel, which can be
administered by the ipset utility. Depending on the type, currently an IP set
may store IP addresses, (TCP/UDP) port numbers or IP addresses with MAC
addresses in a way, which ensures lightning speed when matching an entry against
a set.

If you want to

    * store multiple IP addresses or port numbers and match against the
collection by iptables at one swoop
    * dynamically update iptables rules against IP addresses or ports without
performance penalty
    * express complex IP address and ports based rulesets with one single
iptables rule and benefit from the speed of IP sets

then ipset may be the proper tool for you. 

http://ipset.netfilter.org/

IP sets are a framework inside the Linux 2.4.x and 2.6.x kernel, which can be
administered by the ipset utility. Depending on the type, currently an IP set
may store IP addresses, (TCP/UDP) port numbers or IP addresses with MAC
addresses in a way, which ensures lightning speed when matching an entry against
a set.

If you want to

    * store multiple IP addresses or port numbers and match against the
collection by iptables at one swoop;
    * dynamically update iptables rules against IP addresses or ports without
performance penalty;
    * express complex IP address and ports based rulesets with one single
iptables rule and benefit from the speed of IP sets 

then ipset may be the proper tool for you.

IP sets was written by Jozsef Kadlecsik and it is based on ippool by Joakim
Axelsson, Patrick Schaaf and Martin Josefsson.
Many thanks to them for their wonderful work! 


Version-Release number of selected component (if applicable):


How reproducible:


Steps to Reproduce:
1.
2.
3.
  
Actual results:


Expected results:


Additional info:
Comment 1 Thomas Woerner 2007-08-02 07:58:50 EDT
ipset requires big kernel patches from patch-o-matic-ng. I am sorry, but for
now, this is not possible.

Deferring for now.
Comment 2 netbeans 2010-02-23 12:40:24 EST
Its now Feb 23, 2010. Its been 4 years since this request.  Its about 2.5 years since its been "Deferred". 
I have been running with it since Fedora 4. 
Now I have upgrade one machine to fedora 12, i am RATHER surprised that this firewall/iptable management tool is not included. 

So is it still Deferred? It wasnt that difficult whan I installed the feature so many years ago.
Comment 3 Thomas Woerner 2010-06-02 11:25:38 EDT
Please open a bug against kernel. It has to be added there first.
Comment 4 netbeans 2010-06-02 11:49:29 EDT
This issue/request was opened as a bug against the kernel in june 2006 - first.

What has changed so that this request does not become (IMHO) improperly "Closed Deferred" again?
Comment 5 Chen Lei 2011-05-23 11:55:00 EDT
ipset modules was accepted in kernel 2.6.39, ipest 6.5 could be packaged for fedora 16 now.
Comment 6 Chen Lei 2011-05-23 12:02:25 EDT

*** This bug has been marked as a duplicate of bug 706624 ***

Note You need to log in before you can comment on or make changes to this bug.