Bug 307713 - net-firewall/ipset-2.4.7 "setlist" module not being built
Summary: net-firewall/ipset-2.4.7 "setlist" module not being built
Status: RESOLVED WONTFIX
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages (show other bugs)
Hardware: All Linux
Importance: High normal
Assignee: Gentoo Linux bug wranglers
Reported: 2010-03-04 05:23 UTC by Boney McCracker
Modified: 2010-03-15 00:58 UTC (History)
Description Boney McCracker 2010-03-04 05:23:31 UTC
There is an ipset type called "setlist" which allows one to create an ipset that is a group of other ipsets.  It's useful because it allows one to check, using a single ipset command (or more importantly, a single IPTables rule) whether an address is in any of multiple ipsets.

It seems that there is a kernel module for each ipset type (e.g. nethash, ipmap, etc., each corresponds to a module), but there does not appear to be a module corresponding to setlist:
-------------------------------------------------------------------
# ls -w32 /lib/modules/2.6.28-hardened-r9/kernel/net/ipv4/netfilter
ip_set_iphash.ko
ip_set_ipmap.ko
ip_set_ipporthash.ko
ip_set_iptree.ko
ip_set_iptreemap.ko
ip_set.ko
ip_set_macipmap.ko
ip_set_nethash.ko
ip_set_portmap.ko
ipt_set.ko
ipt_SET.ko
-----------------------------------------------------------------

I would expect to see 'ip_set_setlist.ko', but it's not there.

Also, the ebuild appears to provide for such a module, albeit in a haphazard manner:

# module fun
BUILD_TARGETS="all"
MODULE_NAMES_ARG="kernel/net/ipv4/netfilter:${S}/kernel"
MODULE_NAMES=""
for i in ip_set{,_{setlist,{ip,port,macip}map,{ip,net,ipport,ipportip,ipportnet}hash,iptree{,map}}} \
    ipt_{SET,set}; do
    MODULE_NAMES="${MODULE_NAMES} ${i}(${MODULE_NAMES_ARG})"
done

(I note that "setlist" appears to be indicated.)

Reproducible: Always

Steps to Reproduce:

Actual Results:  
As a result of the lack of a setlist module, it is not possible to create ipsets of type "setlist":

# ipset -N blacklist setlist
ipset v2.4.7: Unknown set type

Expected Results:  
A setlist module should be built, and it should be possible to create ipsets of type "setlist".

 # emerge --info
Portage 2.1.7.17 (hardened/linux/x86, gcc-4.3.4, glibc-2.10.1-r1, 2.6.28-hardened-r9 i686)
=================================================================
System uname: Linux-2.6.28-hardened-r9-i686-Pentium_III_-Coppermine-with-gentoo-1.12.13
Timestamp of tree: Tue, 02 Mar 2010 09:15:01 +0000
ccache version 2.4 [enabled]
app-shells/bash:     4.0_p35
dev-lang/python:     2.6.4-r1
dev-util/ccache:     2.4-r7
sys-apps/baselayout: 1.12.13
sys-apps/sandbox:    1.6-r2
sys-devel/autoconf:  2.63-r1
sys-devel/automake:  1.10.3, 1.11.1
sys-devel/binutils:  2.18-r3
sys-devel/gcc:       4.3.4
sys-devel/gcc-config: 1.4.1
sys-devel/libtool:   2.2.6b
virtual/os-headers:  2.6.30-r1
ACCEPT_KEYWORDS="x86"
ACCEPT_LICENSE="* -@EULA"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-O2 -march=pentium3 -pipe -fomit-frame-pointer"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc"
CONFIG_PROTECT_MASK="/etc/ca-certificates.conf /etc/env.d /etc/gconf /etc/revdep-rebuild /etc/sandbox.d /etc/terminfo"
CXXFLAGS="-O2 -march=pentium3 -pipe -fomit-frame-pointer"
DISTDIR="/usr/portage/distfiles"
FEATURES="assume-digests ccache distlocks fixpackages news parallel-fetch protect-owned sandbox sfperms strict unmerge-logs unmerge-orphans userfetch"
GENTOO_MIRRORS="http://gentoo.osuosl.org/ ftp://ftp.gtlib.gatech.edu/pub/gentoo http://open-systems.ufl.edu/mirrors/gentoo"
LANG="en_US.UTF-8"
LC_ALL="en_US.UTF-8"
LDFLAGS="-Wl,-O1,--hash-style=gnu"
LINGUAS="en_US en"
MAKEOPTS="-j2"
PKGDIR="/usr/portage/packages"
PORTAGE_CONFIGROOT="/"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
SYNC="rsync://rsync.namerica.gentoo.org/gentoo-portage"
USE="acpi berkdb bzip2 caps cli cracklib crypt cxx dri gpm hardened iconv mmx modules mudflap ncurses nls nptl nptlonly openmp pam pcre perl pic python readline reflection samba session spl sse ssl sysfs unicode urandom userlocales x86 xorg zlib" ALSA_CARDS="intel8x0" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mmap_emul mulaw multi null plug rate route share shm softvol" APACHE2_MODULES="actions alias auth_basic authn_alias authn_anon authn_dbm authn_default authn_file authz_dbm authz_default authz_groupfile authz_host authz_owner authz_user autoindex cache dav dav_fs dav_lock deflate dir disk_cache env expires ext_filter file_cache filter headers include info log_config logio mem_cache mime mime_magic negotiation rewrite setenvif speling status unique_id userdir usertrack vhost_alias" ELIBC="glibc" INPUT_DEVICES="keyboard mouse" KERNEL="linux" LINGUAS="en_US en" RUBY_TARGETS="ruby18" USERLAND="GNU" VIDEO_CARDS="i810" 
Unset:  CPPFLAGS, CTARGET, EMERGE_DEFAULT_OPTS, FFLAGS, INSTALL_MASK, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS, PORTDIR_OVERLAY
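Added diagnostic script, not part of the bug report or of the Gentoo ebuild: it spells out the 14 module names the ebuild's brace pattern expands to (as POSIX loops, so it runs in plain sh as well as bash) and reports which of them have no .ko file in a given modules directory. The sample directory is constructed from the reporter's listing above; the directory path under /lib/modules is the one quoted in the report.

```shell
#!/bin/sh
# Added diagnostic (not from the bug or the ebuild): compare the modules the
# ebuild's loop names against what is actually installed.

# The same 14 names the ebuild's pattern expands to:
#   ip_set{,_{setlist,{ip,port,macip}map,{ip,net,ipport,ipportip,ipportnet}hash,iptree{,map}}} ipt_{SET,set}
# Written with loops instead of brace expansion so it also works under plain sh.
ipset_expected_modules() {
    printf '%s\n' ip_set ip_set_setlist
    for t in ip port macip; do printf '%s\n' "ip_set_${t}map"; done
    for t in ip net ipport ipportip ipportnet; do printf '%s\n' "ip_set_${t}hash"; done
    printf '%s\n' ip_set_iptree ip_set_iptreemap ipt_SET ipt_set
}

# Print, one per line, every expected module with no <name>.ko in directory $1.
ipset_missing_modules() {
    dir=$1
    for m in $(ipset_expected_modules); do
        [ -f "$dir/$m.ko" ] || printf '%s\n' "$m"
    done
}

# Constructed sample: recreate the reporter's listing of
# /lib/modules/2.6.28-hardened-r9/kernel/net/ipv4/netfilter as empty files
# in a temporary directory, and print that directory's path.
make_sample_moddir() {
    d=$(mktemp -d)
    for m in ip_set_iphash ip_set_ipmap ip_set_ipporthash ip_set_iptree ip_set_iptreemap \
             ip_set ip_set_macipmap ip_set_nethash ip_set_portmap ipt_set ipt_SET; do
        : > "$d/$m.ko"
    done
    printf '%s\n' "$d"
}

# On a real box, run against the live directory instead of the sample:
#   ipset_missing_modules "/lib/modules/$(uname -r)/kernel/net/ipv4/netfilter"
```

Against the sample directory the script reports ip_set_setlist, ip_set_ipportiphash and ip_set_ipportnethash as missing, i.e. the three names the ebuild loop mentions but the listing lacks.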
Comment 1 Boney McCracker 2010-03-11 14:51:26 UTC
Maybe this is not a bug?  I see that the setlist object (.so) is being built.  Maybe there is not supposed to be a kernel module corresponding to "setlist"?

>>> Install ipset-2.4.7 into /var/tmp/portage/net-firewall/ipset-2.4.7/image/ category net-firewall
 * Installing userspace
make -j2 DESTDIR=/var/tmp/portage/net-firewall/ipset-2.4.7/image/ PREFIX= LIBDIR=/lib BINDIR=/sbin MANDIR=/usr/share/man INCDIR=/usr/include binaries_install 
cp ipset /var/tmp/portage/net-firewall/ipset-2.4.7/image//sbin/ipset
cp ipset.8 /var/tmp/portage/net-firewall/ipset-2.4.7/image//usr/share/man/man8/ipset.8
cp libipset_ipmap.so /var/tmp/portage/net-firewall/ipset-2.4.7/image//lib/ipset/libipset_ipmap.so
cp libipset_portmap.so /var/tmp/portage/net-firewall/ipset-2.4.7/image//lib/ipset/libipset_portmap.so
cp libipset_macipmap.so /var/tmp/portage/net-firewall/ipset-2.4.7/image//lib/ipset/libipset_macipmap.so
cp libipset_iptree.so /var/tmp/portage/net-firewall/ipset-2.4.7/image//lib/ipset/libipset_iptree.so
cp libipset_iptreemap.so /var/tmp/portage/net-firewall/ipset-2.4.7/image//lib/ipset/libipset_iptreemap.so
cp libipset_iphash.so /var/tmp/portage/net-firewall/ipset-2.4.7/image//lib/ipset/libipset_iphash.so
cp libipset_nethash.so /var/tmp/portage/net-firewall/ipset-2.4.7/image//lib/ipset/libipset_nethash.so
cp libipset_ipporthash.so /var/tmp/portage/net-firewall/ipset-2.4.7/image//lib/ipset/libipset_ipporthash.so
cp libipset_ipportiphash.so /var/tmp/portage/net-firewall/ipset-2.4.7/image//lib/ipset/libipset_ipportiphash.so
cp libipset_ipportnethash.so /var/tmp/portage/net-firewall/ipset-2.4.7/image//lib/ipset/libipset_ipportnethash.so
cp libipset_setlist.so /var/tmp/portage/net-firewall/ipset-2.4.7/image//lib/ipset/libipset_setlist.so
 * Installing kernel modules
 * Installing ip_set module
 * Installing ip_set_ipmap module
 * Installing ip_set_portmap module
 * Installing ip_set_macipmap module
 * Installing ip_set_iphash module
 * Installing ip_set_nethash module
 * Installing ip_set_ipporthash module
 * Installing ip_set_iptree module
 * Installing ip_set_iptreemap module
 * Installing ipt_SET module
 * Installing ipt_set module
>>> Completed installing ipset-2.4.7 into /var/tmp/portage/net-firewall/ipset-2.4.7/image/
Comment 2 Boney McCracker 2010-03-11 17:37:51 UTC
Never mind.  I figured out by looking at the ebuilds that "setlist" doesn't get built (for some reason) in our 2.4.7 ebuild, and that I can get it by using one of the later ebuilds.

I am using this on a "stable" box, and I accepted 2.4.7 with keyword "~x86" because I was hoping it would go stable (which it did).  But I will just work around this by using a more recent version.

Looking at the source, though, it appears that "setlist" is in fact a feature of the earlier version (2.4.7), so unless there were problems with it, perhaps it should be enabled in the 2.4.7 ebuild.

I'll leave it up to the maintainer to dispose of this as "won't fix" or otherwise.  Thanks.
Comment 3 Wormo (RETIRED) gentoo-dev 2010-03-14 23:29:32 UTC
Seems best to leave the older 2.4.7 alone, since it is already stable and this is more a feature request than a problem (since you can just use a newer version). However, maybe you'd like to file a stabilization bug for a 4.x version that includes setlist, after you've had a chance to give it some good testing.
Comment 4 Boney McCracker 2010-03-15 00:58:33 UTC
Yes, I agree.  Thanks.