ipset, IP6_NF_IPTABLES

ipset, IP6_NF_IPTABLES

[Denys Fedoryshchenko]

 Hi

 I am using IPv4-only kernel, and getting
 "The kernel build directory /lib/modules/2.6.39-rc7-git4-devel2/build 
 is not configured with IP6_NF_IPTABLES support"
 while compiling latest ipset 6.5 (and previous version 6.4 too)
 Is there any way to compile ipset without IPv6?

Re: ipset, IP6_NF_IPTABLES

[Jozsef Kadlecsik]

On Tue, 17 May 2011, Denys Fedoryshchenko wrote:

> I am using IPv4-only kernel, and getting
> "The kernel build directory /lib/modules/2.6.39-rc7-git4-devel2/build is not
> configured with IP6_NF_IPTABLES support"
> while compiling latest ipset 6.5 (and previous version 6.4 too)
> Is there any way to compile ipset without IPv6?

No, that's not possible. ipset needs the IPv6 support in the kernel.

Best regards,
Jozsef
-
E-mail  : kadlec@blackhole.kfki.hu, kadlec@mail.kfki.hu
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : KFKI Research Institute for Particle and Nuclear Physics
          H-1525 Budapest 114, POB. 49, Hungary

Re: ipset, IP6_NF_IPTABLES

[Mr Dash Four]

> No, that's not possible. ipset needs the IPv6 support in the kernel.
>   
That can't be accurate - I have administratively disabled IPv6 on my 
system (both via sysctl as well as via the kernel command line)  - and 
ipset 6.5 runs just fine. I am not using any IPv6 sets though so that 
might be the reason why it is not complaining.

Re: ipset, IP6_NF_IPTABLES

[Denys Fedoryshchenko]

 On Tue, 17 May 2011 12:07:35 +0100, Mr Dash Four wrote:
>> No, that's not possible. ipset needs the IPv6 support in the kernel.
>>   That can't be accurate - I have administratively disabled IPv6 on 
>> my system (both via sysctl as well as via the kernel command line)  - 
>> and ipset 6.5 runs just fine. I am not using any IPv6 sets though so 
>> that might be the reason why it is not complaining.

 Well, i compile ipset on host with ipv6 enabled kernel, and just copied 
 to host without ipv6. It is seems problem only during compilation i 
 guess (headers?), and it is not right IMO.
 Especially it is a problem for source based distributions, like gentoo, 
 because i cannot compile ipset at all on most of my ipv4-only machines.

Re: ipset, IP6_NF_IPTABLES

[Jozsef Kadlecsik]

On Tue, 17 May 2011, Mr Dash Four wrote:

> > No, that's not possible. ipset needs the IPv6 support in the kernel.
> >   
> That can't be accurate - I have administratively disabled IPv6 on my system
> (both via sysctl as well as via the kernel command line)  - and ipset 6.5 runs
> just fine. I am not using any IPv6 sets though so that might be the reason why
> it is not complaining.

You can of course disable IPv6. But the functionality of IPv6 is required.

Best regards,
Jozsef
-
E-mail  : kadlec@blackhole.kfki.hu, kadlec@mail.kfki.hu
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : KFKI Research Institute for Particle and Nuclear Physics
          H-1525 Budapest 114, POB. 49, Hungary

Re: ipset, IP6_NF_IPTABLES

[Jozsef Kadlecsik]

On Tue, 17 May 2011, Denys Fedoryshchenko wrote:

> On Tue, 17 May 2011 12:07:35 +0100, Mr Dash Four wrote:
> > > No, that's not possible. ipset needs the IPv6 support in the kernel.
> > >   That can't be accurate - I have administratively disabled IPv6 on my
> > > system (both via sysctl as well as via the kernel command line)  - and
> > > ipset 6.5 runs just fine. I am not using any IPv6 sets though so that
> > > might be the reason why it is not complaining.
> 
> Well, i compile ipset on host with ipv6 enabled kernel, and just copied to
> host without ipv6. It is seems problem only during compilation i guess
> (headers?), and it is not right IMO.
> Especially it is a problem for source based distributions, like gentoo,
> because i cannot compile ipset at all on most of my ipv4-only machines.

The ip_set_core module depends on the ipv6 module (or functionality, if 
compiled into the kernel). The host does not need to have IPv6 address 
assigned or IPv6 enabled at all. But the functionality must be there.

At compile time IPv6 support must be enabled.

Best regards,
Jozsef
-
E-mail  : kadlec@blackhole.kfki.hu, kadlec@mail.kfki.hu
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : KFKI Research Institute for Particle and Nuclear Physics
          H-1525 Budapest 114, POB. 49, Hungary

Re: ipset, IP6_NF_IPTABLES

[Ed W]

On 17/05/2011 12:14, Denys Fedoryshchenko wrote:
> Especially it is a problem for source based distributions, like gentoo,


I know there was a debate about this on the gentoo-hardened list
recently, but my opinion is that one needs to start "enabling" (as in
it's installed/compiled in) IPV6 code on all systems ASAP and start
flushing out problems.  That said I think it's also fair to lock
down/disable/minimise your use of the IPV6 to whatever is appropriate to
your environment/requirements, but having the code there, compiled into
production systems and starting to test it would seem to be very prudent
right now?

Just add USE="+ipv6" to your make.conf, "emerge --newuse -uvDkp world"
and off you go...

Good luck

Ed W

Re: ipset, IP6_NF_IPTABLES

[Denys Fedoryshchenko]

 On Tue, 17 May 2011 14:04:20 +0100, Ed W wrote:
> On 17/05/2011 12:14, Denys Fedoryshchenko wrote:
>> Especially it is a problem for source based distributions, like 
>> gentoo,
>
>

>
> Just add USE="+ipv6" to your make.conf, "emerge --newuse -uvDkp 
> world"
> and off you go...
 In my case it is sometimes specific embedded application, and few kbyte 
 matter. IPv6 is no go there.

Re: ipset, IP6_NF_IPTABLES

[Mr Dash Four]

> You can of course disable IPv6. But the functionality of IPv6 is required.
>   
Yep, you're quite right - on the build machine on which I compile and 
build everything (including ipset, of course) I have IPv6 installed (it 
is the full monty as far as netfilter apps are concerned). That 
functionality, however, is disabled on all machines on which ipset is used.

Re: ipset, IP6_NF_IPTABLES

[Jozsef Kadlecsik]

On Tue, 17 May 2011, Jozsef Kadlecsik wrote:

> On Tue, 17 May 2011, Denys Fedoryshchenko wrote:
> 
> > On Tue, 17 May 2011 12:07:35 +0100, Mr Dash Four wrote:
> > > > No, that's not possible. ipset needs the IPv6 support in the kernel.
> > > >   That can't be accurate - I have administratively disabled IPv6 on my
> > > > system (both via sysctl as well as via the kernel command line)  - and
> > > > ipset 6.5 runs just fine. I am not using any IPv6 sets though so that
> > > > might be the reason why it is not complaining.
> > 
> > Well, i compile ipset on host with ipv6 enabled kernel, and just copied to
> > host without ipv6. It is seems problem only during compilation i guess
> > (headers?), and it is not right IMO.
> > Especially it is a problem for source based distributions, like gentoo,
> > because i cannot compile ipset at all on most of my ipv4-only machines.
> 
> The ip_set_core module depends on the ipv6 module (or functionality, if 
> compiled into the kernel). The host does not need to have IPv6 address 
> assigned or IPv6 enabled at all. But the functionality must be there.
> 
> At compile time IPv6 support must be enabled.

Actually, I'm wrong: since 6.0 ipset can be configured and compiled with 
CONFIG_IPV6=n. Sorry, somehow I was blind.

Best regards,
Jozsef
-
E-mail  : kadlec@blackhole.kfki.hu, kadlec@mail.kfki.hu
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : KFKI Research Institute for Particle and Nuclear Physics
          H-1525 Budapest 114, POB. 49, Hungary

Re: ipset, IP6_NF_IPTABLES

[Jozsef Kadlecsik]

On Tue, 17 May 2011, Denys Fedoryshchenko wrote:

> I am using IPv4-only kernel, and getting
> "The kernel build directory /lib/modules/2.6.39-rc7-git4-devel2/build is not
> configured with IP6_NF_IPTABLES support"
> while compiling latest ipset 6.5 (and previous version 6.4 too)
> Is there any way to compile ipset without IPv6?

Could you write down exactly what do you do, which results in the message 
above?

I disabled IPv6 in the kernel source tree (not exactly the same one as 
yours) and running "make modules" in the ipset source tree ran without any 
error message.

Best regards,
Jozsef
-
E-mail  : kadlec@blackhole.kfki.hu, kadlec@mail.kfki.hu
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : KFKI Research Institute for Particle and Nuclear Physics
          H-1525 Budapest 114, POB. 49, Hungary

Re: ipset, IP6_NF_IPTABLES

[Denys Fedoryshchenko]

 On Tue, 17 May 2011 18:34:34 +0200 (CEST), Jozsef Kadlecsik wrote:
> On Tue, 17 May 2011, Denys Fedoryshchenko wrote:
>
>> I am using IPv4-only kernel, and getting
>> "The kernel build directory 
>> /lib/modules/2.6.39-rc7-git4-devel2/build is not
>> configured with IP6_NF_IPTABLES support"
>> while compiling latest ipset 6.5 (and previous version 6.4 too)
>> Is there any way to compile ipset without IPv6?
>
> Could you write down exactly what do you do, which results in the 
> message
> above?
>
> I disabled IPv6 in the kernel source tree (not exactly the same one 
> as
> yours) and running "make modules" in the ipset source tree ran 
> without any
> error message.
>
 libmnl-1.0.1 installed

 wget http://ipset.netfilter.org/ipset-6.5.tar.bz2
 tar jxf ipset-6.5.tar.bz2
 cd ipset-6.5
 ./autogen.sh
 ./configure
 checking build system type... i686-pc-linux-gnu
 checking host system type... i686-pc-linux-gnu
 checking for a BSD-compatible install... /usr/bin/install -c
 checking whether build environment is sane... yes
 checking for a thread-safe mkdir -p... /bin/mkdir -p
 checking for gawk... gawk
 checking whether make sets $(MAKE)... yes
 checking for grep that handles long lines and -e... /bin/grep
 configure: error: The kernel build directory 
 /lib/modules/2.6.39-rc7-git4-devel2/build is not configured with 
 IP6_NF_IPTABLES support (ip6tables)

 P.S. By the way, I don't need modules, i am using latest kernel where 
 ipset is embedded in kernel.

Re: ipset, IP6_NF_IPTABLES

[Jozsef Kadlecsik]

On Tue, 17 May 2011, Denys Fedoryshchenko wrote:

> On Tue, 17 May 2011 18:34:34 +0200 (CEST), Jozsef Kadlecsik wrote:
> > On Tue, 17 May 2011, Denys Fedoryshchenko wrote:
> > 
> > > I am using IPv4-only kernel, and getting
> > > "The kernel build directory /lib/modules/2.6.39-rc7-git4-devel2/build is
> > > not
> > > configured with IP6_NF_IPTABLES support"
> > > while compiling latest ipset 6.5 (and previous version 6.4 too)
> > > Is there any way to compile ipset without IPv6?
> > 
> > Could you write down exactly what do you do, which results in the message
> > above?
> > 
> > I disabled IPv6 in the kernel source tree (not exactly the same one as
> > yours) and running "make modules" in the ipset source tree ran without any
> > error message.
> > 
> libmnl-1.0.1 installed
> 
> wget http://ipset.netfilter.org/ipset-6.5.tar.bz2
> tar jxf ipset-6.5.tar.bz2
> cd ipset-6.5
> ./autogen.sh
> ./configure
> checking build system type... i686-pc-linux-gnu
> checking host system type... i686-pc-linux-gnu
> checking for a BSD-compatible install... /usr/bin/install -c
> checking whether build environment is sane... yes
> checking for a thread-safe mkdir -p... /bin/mkdir -p
> checking for gawk... gawk
> checking whether make sets $(MAKE)... yes
> checking for grep that handles long lines and -e... /bin/grep
> configure: error: The kernel build directory
> /lib/modules/2.6.39-rc7-git4-devel2/build is not configured with
> IP6_NF_IPTABLES support (ip6tables)

Ahh, thanks. That's an outdated checking in configure, I remove it.

Best regards,
Jozsef
-
E-mail  : kadlec@blackhole.kfki.hu, kadlec@mail.kfki.hu
PGP key : http://www.kfki.hu/~kadlec/pgp_public_key.txt
Address : KFKI Research Institute for Particle and Nuclear Physics
          H-1525 Budapest 114, POB. 49, Hungary

Re: ipset, IP6_NF_IPTABLES

[Mr Dash Four]

> Ahh, thanks. That's an outdated checking in configure, I remove it.
>   
Funny enough I looked at the same thing 5 minutes ago as I included 
these checks (grumble) as part of ipset 4.5 configure.ac macros. :-[

Re: ipset, IP6_NF_IPTABLES

[Mr Dash Four]

> Funny enough I looked at the same thing 5 minutes ago as I included 
> these checks (grumble) as part of ipset 4.5 configure.ac macros. :-[
Hm, I have just made an interesting observation: when I build SMP 
(x86_64-based) kernel I can compile the ipset kernel modules as part of 
the kernel itself (i.e. ...=y), but when I try this on UP machine I 
can't do that for some reason - I can only select to disable or ...=m? 
Am I missing something?