Re: Xtables-addons 1.32/ipset-GENL 5.2

On 04/01/11 05:14, Jan Engelhardt wrote:
> So a few people had been asking on whether ipset 5.x will be bundled 
> along with Xtables-addons. Naturally this is a difficult question 
> because ipset-5 wants a kernel patch. But yes, it is included as of Xt-a 
> 1.32 (just out).
> 
> It has been augmented to not require the patch anymore, by moving it 
> over from nfnetlink (booo) to genetlink which does not depend on static 
> numbers, though you will need at least Linux 2.6.35 for this GENL 
> variant in both compilation and at runtime.

Not depending on static numbers is a good thing to me because it makes
the whole user-space simpler since: a) you don't have to send a message
to perform the initial family ID lookup and b) you don't have to
subscribe to genl control events (which is required since the
floating family number may change if the module is unloaded).

> (As such, ipset-5 is deactivated by default in Xt-a 1.32 and needs to be 
> turned on in mconfig.)
> 
> Xt-a files at the usual place.
> 
> The plain genl patch to ipset-5 can be found as a commit at 
> git://dev.medozas.de/ipset in the "genl" branch. It has received a run 
> through the testsuite (as far as it went until ospf), and I take that as 
> an indication that proxying the protocol onto genl was successful.

This is going to confuse everyone. Since ipset-5 will be submitted into
mainline soon, some distributors may start packaging the user-space genl
binaries. Then, once we have it in the kernel, the distributed version
will not work with the one running upon nfnetlink.

I think it's way easier to submit a patch to reserve the subsystem ID
for ipset than adding this genl compatibility layer.

BTW, Jozsef, do you plan to submit ipset for the next linux kernel
release cycle?

