From: Pablo Neira Ayuso <pablo@netfilter.org>
To: Jozsef Kadlecsik <kadlec@blackhole.kfki.hu>
Cc: Jan Engelhardt <jengelh@medozas.de>,
netfilter@vger.kernel.org,
Netfilter Developer Mailing List
<netfilter-devel@vger.kernel.org>
Subject: Re: Xtables-addons 1.32/ipset-GENL 5.2
Date: Thu, 06 Jan 2011 14:12:41 +0100
Message-ID: <4D25BFC9.9030807@netfilter.org>
In-Reply-To: <alpine.DEB.2.00.1101061038080.26385@blackhole.kfki.hu>

On 06/01/11 10:46, Jozsef Kadlecsik wrote:
> On Thu, 6 Jan 2011, Pablo Neira Ayuso wrote:
>
>> On 04/01/11 05:14, Jan Engelhardt wrote:
>>> So a few people had been asking whether ipset 5.x will be bundled
>>> along with Xtables-addons. Naturally this is a difficult question
>>> because ipset-5 wants a kernel patch. But yes, it is included as of Xt-a
>>> 1.32 (just out).
>>>
>>> It has been augmented to not require the patch anymore, by moving it
>>> over from nfnetlink (booo) to genetlink which does not depend on static
>>> numbers, though you will need at least Linux 2.6.35 for this GENL
>>> variant in both compilation and at runtime.
>>
>> Not depending on static numbers is a good thing to me because it makes
>> the whole user-space simpler since: a) you don't have to send a message
>> to perform the initial family ID lookup and b) you don't have to
>> subscribe to genl control events (which is required since the
>> floating family number may change if the module is unloaded).
>
> You mean "Depending on static numbers...", don't you?

Yes, sorry for the confusion.

>>> (As such, ipset-5 is deactivated by default in Xt-a 1.32 and needs to be
>>> turned on in mconfig.)
>>>
>>> Xt-a files at the usual place.
>>>
>>> The plain genl patch to ipset-5 can be found as a commit at
>>> git://dev.medozas.de/ipset in the "genl" branch. It has received a run
>>> through the testsuite (as far as it went until ospf), and I take that as
>>> an indication that proxying the protocol onto genl was successful.
>>
>> This is going to confuse everyone. Since ipset-5 will be submitted into
>> mainline soon, some distributors may start packaging the user-space genl
>> binaries. Then, once we have it in the kernel, the distributed version
>> will not work with the one running upon nfnetlink.
>
> Yes, that worries me too.
>
>> I think it's way easier to submit a patch to reserve the subsystem ID
>> for ipset than adding this genl compatibility layer.
>
> That was rejected some time ago. :-)

Indeed, I forgot that.

>> BTW, Jozsef, do you plan to submit ipset for the next linux kernel
>> release cycle?
>
> Yes: ipset-5 depends on the jhash.h patch so as soon as it's in Patrick's
> tree, I can submit the patches.

Great.
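
Point a) in the thread refers to the extra round trip genetlink needs: a client must ask the controller family for the floating family ID before it can address the real family. As an added example (not part of this thread and not code from ipset or Xtables-addons), the C below builds that CTRL_CMD_GETFAMILY request and bounds-checks the attributes of the reply; the function names are hypothetical, and the family name is whatever the caller passes, since the thread does not state it.

```c
#include <linux/genetlink.h>   /* also pulls in linux/netlink.h */
#include <string.h>

/* Added example, hypothetical names. Build the CTRL_CMD_GETFAMILY request asking the
 * genl controller (GENL_ID_CTRL) for the id of `name`; returns length, 0 if it won't fit. */
size_t genl_build_getfamily(unsigned char *buf, size_t cap, const char *name, __u32 seq)
{
    size_t nlen = strlen(name) + 1;          /* attribute carries the NUL */
    size_t off = NLMSG_LENGTH(GENL_HDRLEN);  /* nlmsghdr + genlmsghdr */
    size_t total = off + NLA_ALIGN(NLA_HDRLEN + nlen);
    if (nlen > GENL_NAMSIZ || total > cap)
        return 0;
    struct nlmsghdr nh = { .nlmsg_len = (__u32)total, .nlmsg_type = GENL_ID_CTRL,
                           .nlmsg_flags = NLM_F_REQUEST, .nlmsg_seq = seq };
    struct genlmsghdr gh = { .cmd = CTRL_CMD_GETFAMILY, .version = 1 };
    struct nlattr na = { (__u16)(NLA_HDRLEN + nlen), CTRL_ATTR_FAMILY_NAME }; /* len, type */
    memset(buf, 0, total);                   /* zero the padding bytes */
    memcpy(buf, &nh, sizeof nh);
    memcpy(buf + NLMSG_HDRLEN, &gh, sizeof gh);
    memcpy(buf + off, &na, sizeof na);
    memcpy(buf + off + NLA_HDRLEN, name, nlen);
    return total;
}

/* Walk the attributes of the controller's reply and return the 16-bit
 * CTRL_ATTR_FAMILY_ID, or -1 if the reply is malformed or lacks it. */
int genl_parse_family_id(const unsigned char *buf, size_t len)
{
    struct nlmsghdr nh;
    size_t off = NLMSG_LENGTH(GENL_HDRLEN);
    if (len < off)
        return -1;
    memcpy(&nh, buf, sizeof nh);
    if (nh.nlmsg_type != GENL_ID_CTRL || nh.nlmsg_len < off || nh.nlmsg_len > len)
        return -1;
    while (off + NLA_HDRLEN <= nh.nlmsg_len) {
        struct nlattr na;
        __u16 id;
        memcpy(&na, buf + off, sizeof na);
        if (na.nla_len < NLA_HDRLEN || off + na.nla_len > nh.nlmsg_len)
            return -1;                       /* bogus or truncated attribute */
        if ((na.nla_type & NLA_TYPE_MASK) == CTRL_ATTR_FAMILY_ID &&
            na.nla_len == NLA_HDRLEN + sizeof id) {
            memcpy(&id, buf + off + NLA_HDRLEN, sizeof id);
            return id;
        }
        off += NLA_ALIGN(na.nla_len);
    }
    return -1;
}
```

A family on a static nfnetlink subsystem ID skips this exchange entirely, which is the simplification the message is arguing about.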