Arch teams, please, stabilize net-firewall/ipset-4.5, net-firewall/ipset-6.8. Thank you in advance.
Added net-libs/libmnl-1.0.1 in the summary because is pulled in.
amd64: yes it requires net-libs/libmnl-1.0.1 for net-firewall/ipset-6.8 net-firewall/ipset-4.5 all ok. net-firewall/ipset-6.8 appears premature. On emerging; yields * # patch -i /mnt/gen2/tmpdir/portage/net-firewall/ipset-6.8/work/ipset-6.8/netlink.patch -p1 This is against a stable 2.6.38 * 38 kernel. To test, emerged in gentoo testing against a kernel-3.0.0, which emerged ok. It would appear that the ipset-6.8 requires not only libmnl-1.0.1 to be stabalised along with it but the kernel-3. aswell
Created attachment 285711 [details] "make tests" fail Archtested amd64 (mixed tree, stable kernel .39 & iptables). Everything seems fine (emerge, basic usage), however "make tests" is failing.
(In reply to comment #3) > Created attachment 285711 [details] > "make tests" fail > > Archtested amd64 (mixed tree, stable kernel .39 & iptables). > Everything seems fine (emerge, basic usage), however "make tests" is failing. Forgot to state that I tested both versions and failing one was 6.8
(In reply to comment #3) > Everything seems fine (emerge, basic usage), however "make tests" is failing. Peter, please confirm whether this is a regression or not. If not, I am happy to keyword. If it is, please address and revbump. Thank you.
I get no failing tests here on x86! xtables-addons from bug 381611 depens on libmnl-1.0.1... One thing for ipset: ipset-6.8 errors out with: "There is IP_SET support in your kernel. Please build ipset with modules USE flag disabled or you may have troubles loading correct modules." And if i just unset IP_SET within the kernel 2.6.39-gentoo-r3 i get the messages below and am not able to load all modules... This also present in older versions (4.4/4.5), if IP_SET is NOT set in kernel! If it is set, it seems ok/loads. WARNING: //lib/modules/2.6.39-gentoo-r3/kernel/net/netfilter/ipset/ip_set_list_set.ko needs unknown symbol ip_set_add WARNING: //lib/modules/2.6.39-gentoo-r3/kernel/net/netfilter/ipset/ip_set_list_set.ko needs unknown symbol ip_set_test WARNING: //lib/modules/2.6.39-gentoo-r3/kernel/net/netfilter/ipset/ip_set_list_set.ko needs unknown symbol ip_set_name_byindex WARNING: //lib/modules/2.6.39-gentoo-r3/kernel/net/netfilter/ipset/ip_set_list_set.ko needs unknown symbol ip_set_del WARNING: //lib/modules/2.6.39-gentoo-r3/kernel/net/netfilter/ipset/ip_set_list_set.ko needs unknown symbol ip_set_type_register WARNING: //lib/modules/2.6.39-gentoo-r3/kernel/net/netfilter/ipset/ip_set_list_set.ko needs unknown symbol ip_set_type_unregister WARNING: //lib/modules/2.6.39-gentoo-r3/kernel/net/netfilter/ipset/ip_set_hash_ipportip.ko needs unknown symbol ip_set_hostmask_map WARNING: //lib/modules/2.6.39-gentoo-r3/kernel/net/netfilter/ipset/ip_set_hash_ipportip.ko needs unknown symbol ip_set_get_ip6_port WARNING: //lib/modules/2.6.39-gentoo-r3/kernel/net/netfilter/ipset/ip_set_hash_ipportip.ko needs unknown symbol ip_set_get_ipaddr6 WARNING: //lib/modules/2.6.39-gentoo-r3/kernel/net/netfilter/ipset/ip_set_hash_ipportip.ko needs unknown symbol ip_set_get_ipaddr4 WARNING: //lib/modules/2.6.39-gentoo-r3/kernel/net/netfilter/ipset/ip_set_hash_ipportip.ko needs unknown symbol ip_set_alloc WARNING: //lib/modules/2.6.39-gentoo-r3/kernel/net/netfilter/ipset/ip_set_hash_ipportip.ko needs unknown symbol ip_set_type_register WARNING: //lib/modules/2.6.39-gentoo-r3/kernel/net/netfilter/ipset/ip_set_hash_ipportip.ko needs unknown symbol ip_set_get_ip4_port WARNING: //lib/modules/2.6.39-gentoo-r3/kernel/net/netfilter/ipset/ip_set_hash_ipportip.ko needs unknown symbol ip_set_type_unregister WARNING: //lib/modules/2.6.39-gentoo-r3/kernel/net/netfilter/ipset/ip_set_hash_ipportip.ko needs unknown symbol ip_set_free
Well, I think it's Ok to stabilize this even if tests fail. Actually ipset are really too binded to kernel and this makes impossible to test all configurations. For me it fails even more with 3.0.4 kernel and although I'm going to work with upstream on this issue it's still good package to have stable (and it works in production). Probably I need to discuss if it's good idea to use kernel modules even for kernels with ipset modules in them. Andreas, your depmod-failures are expected. It looks like although you rebuilt kernel without IPSET support there are previously built modules inside /lib/modules/2.6.39-gentoo-r3/kernel/net/netfilter/ipset. What happens if you clear /lib/modules/2.6.39-gentoo-r3/ (or just /lib/modules/2.6.39-gentoo-r3/kernel/net/netfilter/ipset) and then rebuild kernel and ipset (or probably only ipset)? So, arch teams, please, stabilize even if there are some test failures. Still I am interested in kernel versions and configurations you've tested with, thus, please, attach them here. Tnx.
Created attachment 286457 [details] ipset-6.8 on 2.6.39-r3 USE=modules hmm... :-/
http://netfilter.org/documentation/HOWTO/netfilter-extensions-HOWTO-4.html quote 4.3 NETLINK patch This patch by Gianni Tedesco <gianni@ecsc.co.uk> adds a new target that allows you to send dropped packets to userspace via a netlink socket. For example, if you want to drop all pings and send them to a userland netlink socket instead, you can do as follows : # iptables -A INPUT -p icmp --icmp-type echo-request -j NETLINK --nldrop # iptables --list Chain INPUT (policy ACCEPT) target prot opt source destination NETLINK icmp -- anywhere anywhere icmp echo-request nldrop Supported options for the NETLINK target are : --nldrop -> Drop the packet too --nlmark <number> -> Mark the packet --nlsize <bytes> -> Limit packet size For more information on netlink sockets, you can refer to the Netlink Sockets Tour. /quote
(In reply to comment #8) > Created attachment 286457 [details] > ipset-6.8 on 2.6.39-r3 USE=modules > > hmm... :-/ Remove modules installed by xtables_addons. There problem with your system is that you have same modules from different sources and this will never work as it should.
David, I guess you've posted to the wrong bug. Please don't forget to update correct one :)
(In reply to comment #10) > Remove modules installed by xtables_addons. There problem with your system is > that you have same modules from different sources and this will never work as > it should. You are right, there was something still around (from xtables-addons i suppose, even it was emerge -C ed). I now rm'd my /lib/modules/* and rebuilt the kernel. Now it is working properly! :-) I made the depend on bug 381611 because of net-libs/libmnl-1.0..1, which is also needed for xtables-addons! This is just to keep the right order of stablization bugs... If you read the comment #2 on bug 382499, then one has to set some inter-dependency, otherwise the work for libmnl would be done twice! :-/ The nicest thing would be a separate bug for libmnl i think... x86 stable, thanks!
+ 16 Sep 2011; Tony Vroon <chainsaw@gentoo.org> libmnl-1.0.1.ebuild: + Marked stable on AMD64 based on arch testing by Ian "idella4" Delaney & + Tomáš "Mepho" Pružina in bug #381613. + 16 Sep 2011; Tony Vroon <chainsaw@gentoo.org> ipset-4.5.ebuild, + ipset-6.8.ebuild: + Marked stable on AMD64 based on arch testing by Ian "idella4" Delaney & + Tomáš "Mepho" Pružina in bug #381613. Last arch, closing report.
