CentOS - Sep 2018 - ipset-service save fails when module compiled into kernel

I want to use the ipset-service to store ipsets persistently across boots. 
(For use by iptables rules. firewalld has direct support for persistent 
ipsets but I need the more general capability of raw iptables.)

I'm using a kernel with ipsets compiled in, rather than loaded as a module. 
The support script that saves ipsets checks if the module is loaded before 
saving and finds nothing, so aborts. Why does it need to make this check?

Should this package be able to handle a custom kernel with compiled-in 
modules?

(I'm actually running CentOS 7 on a Linode VM with the default Linode 
kernel. Their kernel has modules compiled in and listed in /proc/config.gz.)

For reference, here's the latest Rawhide package containing the 
ipset.start-stop script that's used to save ipsets persistently.

<https://fedora.pkgs.org/rawhide/fedora-x86_64/ipset-service-6.38-1.fc29.noarch.rpm.html>

On Fri, Sep 14, 2018 at 07:29:26PM -0700, Kenneth Porter
wrote:
> 
> (I'm actually running CentOS 7 on a Linode VM with the default Linode
> kernel. Their kernel has modules compiled in and listed in
/proc/config.gz.)
I would strongly encourage you to lose their custom kernel and use a
standard CentOS kernel which works fine on Linode and is one we can
actually support.





							John
-- 
Failure is the condiment that gives success its flavor.

-- Truman Capote (1924-1984), American writer, Portraits and Observations,
   The Essays of Truman Capote, "Self Portrait" (1972)

On Fri, 14 Sep 2018, Kenneth Porter wrote:
> I'm using a kernel with ipsets compiled in, rather than loaded as a
module. The
> support script that saves ipsets checks if the module is loaded before
saving
> and finds nothing, so aborts. Why does it need to make this check?
Likely the check is there to avoid an abort when the commands are issued 
but w/o the feature present.  So customize the script -- it sounds like 
you found the one that's at fault.


/mark

On 9/15/2018 11:30 AM, Mark Milhollan wrote:
> Likely the check is there to avoid an abort when the commands are issued
> but w/o the feature present.  So customize the script -- it sounds like
> you found the one that's at fault.
Yeah, but the script will get overwritten the next time I yum update 
that package.

Looking more closely at the script, it's just issuing "ipset save"
and
dumping the output into /etc/sysconfig/ipset, after backing up any 
previous configuration. So it's easy enough to just do that and ignore 
the script. Curiously, the start() function in the script doesn't load 
the ipset module or check that it's loaded. Only the stop() and save() 
functions check. Seems inconsistent. I'll have to ask the package 
maintainer why they're doing it that way.

Meanwhile I bit the bullet and switched to the stock CentOS 7 kernel by 
selecting GRUB2 from the Linode boot menu. It took a few reboots to get 
it right. It had to relabel the filesystem as the Linode kernel lacks 
SELinux and I had to run the utility to rebuild the GRUB menu. (Linode 
had already written its required modifications to the GRUB config files.)

https://www.linode.com/docs/platform/manager/how-to-change-your-linodes-kernel/