Kenneth Porter
2018-Sep-15  02:29 UTC
[CentOS] ipset-service save fails when module compiled into kernel
I want to use the ipset-service to store ipsets persistently across boots. (For use by iptables rules. firewalld has direct support for persistent ipsets but I need the more general capability of raw iptables.) I'm using a kernel with ipsets compiled in, rather than loaded as a module. The support script that saves ipsets checks if the module is loaded before saving and finds nothing, so aborts. Why does it need to make this check? Should this package be able to handle a custom kernel with compiled-in modules?

(I'm actually running CentOS 7 on a Linode VM with the default Linode kernel. Their kernel has modules compiled in and listed in /proc/config.gz.)

For reference, here's the latest Rawhide package containing the ipset.start-stop script that's used to save ipsets persistently.

<https://fedora.pkgs.org/rawhide/fedora-x86_64/ipset-service-6.38-1.fc29.noarch.rpm.html>
John R. Dennison
2018-Sep-15  03:05 UTC
[CentOS] ipset-service save fails when module compiled into kernel
On Fri, Sep 14, 2018 at 07:29:26PM -0700, Kenneth Porter wrote:

> (I'm actually running CentOS 7 on a Linode VM with the default Linode
> kernel. Their kernel has modules compiled in and listed in /proc/config.gz.)

I would strongly encourage you to lose their custom kernel and use a standard CentOS kernel which works fine on Linode and is one we can actually support.

John

--
Failure is the condiment that gives success its flavor.
-- Truman Capote (1924-1984), American writer, Portraits and Observations, The Essays of Truman Capote, "Self Portrait" (1972)
Mark Milhollan
2018-Sep-15  18:30 UTC
[CentOS] ipset-service save fails when module compiled into kernel
On Fri, 14 Sep 2018, Kenneth Porter wrote:

> I'm using a kernel with ipsets compiled in, rather than loaded as a module. The
> support script that saves ipsets checks if the module is loaded before saving
> and finds nothing, so aborts. Why does it need to make this check?

Likely the check is there to avoid an abort when the commands are issued but w/o the feature present. So customize the script -- it sounds like you found the one that's at fault.

/mark
Kenneth Porter
2018-Sep-15  19:04 UTC
[CentOS] ipset-service save fails when module compiled into kernel
On 9/15/2018 11:30 AM, Mark Milhollan wrote:

> Likely the check is there to avoid an abort when the commands are issued
> but w/o the feature present. So customize the script -- it sounds like
> you found the one that's at fault.

Yeah, but the script will get overwritten the next time I yum update that package.

Looking more closely at the script, it's just issuing "ipset save" and dumping the output into /etc/sysconfig/ipset, after backing up any previous configuration. So it's easy enough to just do that and ignore the script.

Curiously, the start() function in the script doesn't load the ipset module or check that it's loaded. Only the stop() and save() functions check. Seems inconsistent. I'll have to ask the package maintainer why they're doing it that way.

Meanwhile I bit the bullet and switched to the stock CentOS 7 kernel by selecting GRUB2 from the Linode boot menu. It took a few reboots to get it right. It had to relabel the filesystem as the Linode kernel lacks SELinux and I had to run the utility to rebuild the GRUB menu. (Linode had already written its required modifications to the GRUB config files.)

https://www.linode.com/docs/platform/manager/how-to-change-your-linodes-kernel/
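The save step Kenneth describes (run "ipset save", back up the old file, write the new one) is small enough to carry in a local script that does not depend on an lsmod check, so it keeps working when ip_set is built into the kernel. The script below is an added example written for this page, not the ipset-service package's ipset.start-stop script; the /etc/sysconfig/ipset default, the .bak suffix and the function names are this example's own choices. Instead of asking lsmod, it asks the kernel through the ipset tool itself, and it reads CONFIG_IP_SET out of /proc/config.gz when you want to know whether support is built in ("y") or modular ("m"). The dump is written to a temporary file and only moved into place after "ipset save" succeeds, so a failed dump cannot truncate the previously saved sets.

```sh
#!/bin/sh
# Added example (not the ipset-service package's ipset.start-stop script):
# save and restore ipsets without gating on whether the ip_set module is
# listed by lsmod. Paths, the .bak suffix and function names are assumptions.

# True if the running kernel has ipset support, module or built in:
# "ipset list -n" needs the kernel side to answer, lsmod does not.
ipset_available() {
    command -v ipset >/dev/null 2>&1 || return 1
    ipset list -n >/dev/null 2>&1
}

# Print how CONFIG_IP_SET is set in a kernel config: "y" (built in),
# "m" (module), or nothing if unset. $1 = config path, default /proc/config.gz.
config_ipset_mode() {
    cfg="${1:-/proc/config.gz}"
    case "$cfg" in
        *.gz) zcat "$cfg" 2>/dev/null ;;
        *)    cat  "$cfg" 2>/dev/null ;;
    esac | sed -n 's/^CONFIG_IP_SET=//p'
}

# save_ipsets TARGET [DUMP_CMD...]
# Dump to a temp file first; only if the dump succeeds, back up the old
# TARGET to TARGET.bak and move the new file into place. DUMP_CMD defaults
# to "ipset save" and is parameterised so the logic can be exercised offline.
save_ipsets() {
    target="${1:-/etc/sysconfig/ipset}"
    if [ $# -gt 0 ]; then shift; fi
    [ $# -gt 0 ] || set -- ipset save

    dir=$(dirname "$target")
    tmp=$(mktemp "$dir/.ipset.XXXXXX") || return 1

    if ! "$@" > "$tmp"; then
        rm -f "$tmp"
        echo "ipset dump failed; leaving $target untouched" >&2
        return 1
    fi
    if [ -f "$target" ]; then
        cp -p "$target" "$target.bak" || { rm -f "$tmp"; return 1; }
    fi
    chmod 0644 "$tmp" && mv "$tmp" "$target"
}

# restore_ipsets [SOURCE]
# Feed the saved dump back to the kernel. -exist makes "create"/"add" lines
# for sets and entries that already exist non-fatal, so re-running is safe.
restore_ipsets() {
    ipset restore -exist < "${1:-/etc/sysconfig/ipset}"
}
```

Running `save_ipsets` with no arguments does the real thing as root: it writes /etc/sysconfig/ipset from `ipset save`, keeping the previous copy as /etc/sysconfig/ipset.bak. Because the check is `ipset list -n` rather than a module name in lsmod, the same script behaves the same on a stock kernel that loads ip_set on demand and on a kernel with CONFIG_IP_SET=y.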