> I am trying to add ipset to an old system (kernel 2.6.16)
> So I downloaded the old ipset and built it in a separate directory.
> There were a few changes necessary, indicating that the distro had some stuff
> backported into the kernel, but eventually it succeeded. I can create ipset,
> add addresses to it and list them.
>
> Now, when I try to add an iptables rule, I get an error about missing libipt_set.so
> I have tried to recompile iptables on the machine (version 1.3.5 like the installed one),
> but that does not build the missing file.
> It seems that include/linux in iptables does not contain files from include/linux in ipset.
> Would it make sense to just copy over these files? Are there any other changes necessary?
>

I had *exactly* the same problem over a year ago - trying to build ipset 4.4 (the newest version in those days) on an old kernel (2.6.16.60, if memory serves).

If you look at the archives of this mailing list for a thread called "ipset-4.4 on 2.6.16.60 kernel" from 06/07 Nov 2010 you will find all the answers you need.

From what I remember I had to fix both the ipset source code (the instructions for building and incorporating ipset 4.x into the older kernel versions as shown on ipset.netfilter.org are *incomplete*) by applying a patch to the ipset source. I had to rebuild iptables - also from source.

...

I've just looked at my past activities and found instructions on how to incorporate ipset 4.4 into the 2.6.16.60 kernel - incorporating ipset 4.5 with your version of the kernel and iptables would, I guess, be very similar.

I enclose a patch which I applied at the time to the kernel source and a set of instructions I followed, which got me out and allowed me to rebuild iptables and ipset. The crucial part is to modify slightly the kernel source, rebuild iptables, patch ipset and then rebuild it against both the (modified) kernel source tree and the newly compiled-and-installed iptables.

This is what I did at the time:

=======================

I. Prerequisites:

1. kernel & iptables sources
2. ipset source - I initially did this with v4.4, but 4.5 is also fine and the process of applying the patch/building the kernel and iptables is identical.

II. Installation instructions:

1. Source code preparations:

I am assuming that the kernel source tree is at /usr/src/kernel/ and ipset-4.4.tar.bz2 is downloaded in /root and the attached ipset-4.4.patch is also in /root. In this case do the following (as root!):

    cd /root
    tar -jxf ipset-4.4.tar.bz2
    cp ~/ipset-4.4/kernel/include/linux/netfilter_ipv4/ip_set.h /usr/src/kernel/linux/include/linux/netfilter_ipv4
    cp ~/ipset-4.4/kernel/include/linux/netfilter_ipv4/ipt_set.h /usr/src/kernel/linux/include/linux/netfilter_ipv4

Build and install iptables in the usual way pointing out the source kernel tree as above (/usr/src/kernel/). At the end of the process, check that you have (at least) two new files installed: /usr/lib/iptables/libipt_SET.so and /usr/lib/iptables/libipt_set.so!

2. Building and installing ipset 4.4 (for 4.5 this is almost identical - the attached patch only needs to be tweaked slightly, if at all!)

Before you start doing anything you need to alter the source so that it can be compiled without any errors. Fortunately I enclosed a patch which makes the job a bit easier. To apply the patch do the following (as root):

    patch -p1 --dry-run < ipset-4.4.patch

If there are no 'hunk' or other errors/warnings you can do the following:

    patch -p1 < ipset-4.4.patch

The ipset source should now be ready. Do the following:

    KERNEL_DIR=/usr/src/kernel/linux make
    KERNEL_DIR=/usr/src/kernel/linux make install

During the execution of the first command there should be one or two warnings, but no errors. The output of the second command, which actually installs ipset for good, should look similar to this:

    cp ipset /usr/sbin/ipset
    cp ipset.8 /usr/man/man8/ipset.8
    cp libipset_ipmap.so /usr/lib/ipset/libipset_ipmap.so
    cp libipset_portmap.so /usr/lib/ipset/libipset_portmap.so
    cp libipset_macipmap.so /usr/lib/ipset/libipset_macipmap.so
    cp libipset_iptree.so /usr/lib/ipset/libipset_iptree.so
    cp libipset_iptreemap.so /usr/lib/ipset/libipset_iptreemap.so
    cp libipset_iphash.so /usr/lib/ipset/libipset_iphash.so
    cp libipset_nethash.so /usr/lib/ipset/libipset_nethash.so
    cp libipset_ipporthash.so /usr/lib/ipset/libipset_ipporthash.so
    cp libipset_ipportiphash.so /usr/lib/ipset/libipset_ipportiphash.so
    cp libipset_ipportnethash.so /usr/lib/ipset/libipset_ipportnethash.so
    cp libipset_setlist.so /usr/lib/ipset/libipset_setlist.so
    cd kernel; make -C /usr/src/kernel/linux M=`pwd` V=0 IP_NF_SET_MAX=256 IP_NF_SET_HASHSIZE=1024 modules
    make[1]: Entering directory `/usr/src/kernel/linux-2.6.16.60'
      Building modules, stage 2.
      MODPOST
    make[1]: Leaving directory `/usr/src/kernel/linux-2.6.16.60'
    cd kernel; make -C /usr/src/kernel/linux M=`pwd` modules_install
    make[1]: Entering directory `/usr/src/kernel/linux-2.6.16.60'
      INSTALL /root/ipset-4.4/kernel/ip_set.ko
      INSTALL /root/ipset-4.4/kernel/ip_set_iphash.ko
      INSTALL /root/ipset-4.4/kernel/ip_set_ipmap.ko
      INSTALL /root/ipset-4.4/kernel/ip_set_ipporthash.ko
      INSTALL /root/ipset-4.4/kernel/ip_set_ipportiphash.ko
      INSTALL /root/ipset-4.4/kernel/ip_set_ipportnethash.ko
      INSTALL /root/ipset-4.4/kernel/ip_set_iptree.ko
      INSTALL /root/ipset-4.4/kernel/ip_set_iptreemap.ko
      INSTALL /root/ipset-4.4/kernel/ip_set_macipmap.ko
      INSTALL /root/ipset-4.4/kernel/ip_set_nethash.ko
      INSTALL /root/ipset-4.4/kernel/ip_set_portmap.ko
      INSTALL /root/ipset-4.4/kernel/ip_set_setlist.ko
      INSTALL /root/ipset-4.4/kernel/ipt_SET.ko
      INSTALL /root/ipset-4.4/kernel/ipt_set.ko
    make[1]: Leaving directory `/usr/src/kernel/linux-2.6.16.60'

The new kernel modules, for some reason, are copied in /lib/modules/2.6.16.60/extra/, so I do not know why they are not loaded automatically when the kernel starts and I had to do a modprobe on the whole lot in that 'extra' directory to force these modules to be loaded to make it work.

I also did two other things, which I am not sure whether it helped, but better safe than sorry as they say: I included /usr/lib/ipset/ in /etc/ld.so.conf as well as executed:

    ldconfig /usr/lib/ipset/

to force the loading of all libraries in that directory.

And with that the whole installation process is now complete.

=======================

As I pointed out above, the process should be very similar, if not identical, for building your version of the kernel/iptables. The attached ipset-4.4.patch file needs to be tweaked only slightly for version 4.5 (at least to change "ipset-4.4" to "ipset-4.5") and be applied before building ipset.

Hope this helps!
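
A post-install check for the procedure in the message above, as an added example that is not part of the original post or of the ipset project. The function name and its optional root-prefix argument are hypothetical; the file paths and module names are the ones shown in the post's output.

```shell
#!/bin/sh
# Added example: verify the files the procedure above is expected to install.
# check_ipset_install [ROOT] [KVER]   (hypothetical helper, not part of ipset)
#   ROOT  optional prefix for a staging tree (default: the live system)
#   KVER  kernel version directory under /lib/modules (default: uname -r)

# iptables extensions the post says must exist after rebuilding iptables
IPT_LIBS="libipt_set.so libipt_SET.so"
# kernel modules listed in the post's modules_install output
MODULES="ip_set ip_set_iphash ip_set_ipmap ip_set_ipporthash
ip_set_ipportiphash ip_set_ipportnethash ip_set_iptree ip_set_iptreemap
ip_set_macipmap ip_set_nethash ip_set_portmap ip_set_setlist ipt_SET ipt_set"

# Prints one line per missing item; return status is the number missing.
check_ipset_install() {
    root=${1:-}
    kver=${2:-$(uname -r)}
    missing=0
    for lib in $IPT_LIBS; do
        if [ ! -f "$root/usr/lib/iptables/$lib" ]; then
            echo "missing iptables extension: /usr/lib/iptables/$lib"
            missing=$((missing + 1))
        fi
    done
    for mod in $MODULES; do
        if [ ! -f "$root/lib/modules/$kver/extra/$mod.ko" ]; then
            echo "missing kernel module: /lib/modules/$kver/extra/$mod.ko"
            missing=$((missing + 1))
        fi
    done
    # the post adds /usr/lib/ipset/ to ld.so.conf before running ldconfig
    if ! grep -q '^/usr/lib/ipset/*$' "$root/etc/ld.so.conf" 2>/dev/null; then
        echo "missing /usr/lib/ipset/ entry in /etc/ld.so.conf"
        missing=$((missing + 1))
    fi
    return "$missing"
}

# Stand-alone use: sh check.sh --check [ROOT] [KVER]
if [ "${1:-}" = "--check" ]; then
    check_ipset_install "${2:-}" "${3:-}"
fi
```

A non-zero status points at the step to repeat: a missing libipt_set.so means iptables was built without the copied ip_set.h and ipt_set.h headers, while missing .ko files mean the ipset `make install` step did not complete.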