[elrepo] ipset
Daniel T. Gynn
dan at gynntech.com
Tue Apr 8 21:32:33 EDT 2014
Unfortunately, I can't get the ipset 6.x userspace tools to compile on
el5. I was hoping with the experience the elrepo team has, that they might
be able to compile a version (or maybe point me in the right direction on
the tools/packages needed).

ipset 4.5 works well for the most part. Definitely better than doing the
same in iptables. But I've experienced instances when the system is under
load and an ipset -R (restore) is initiated that it will skip some ranges.
Hard to detect that it missed them until I see those networks that should
be blocked getting through. Unfortunately, I have 100s of systems out
there that I don't have direct (or even SSH) access to, so migrating them
to el6 will prove extremely difficult. I can't find any examples anywhere
of someone doing an in-place upgrade of el5 to el6.

On Tue, Apr 8, 2014 at 8:29 PM, Trevor Hemsley <themsley at voiceflex.com> wrote:
> The kernel-{lt,ml} packages do not have a stable kernel ABI so any
> module built for it would need to be rebuilt for each kernel. Maybe the
> ipset options could be turned on in the kernel-lt config so you'd just need
> userspace tools.
>
> I've been running ipset 4.5 on all our el5 servers at $dayjob since the
> tail end of 2011. Our servers handle more than 1TB of data a day and I have
> seen no problems with the performance of ipset - it's way better than
> iptables. Personally I'd say if you need ipset 6.x for performance reasons
> then you should be moving to el6 (or el7 soon!).
>
> On 08/04/14 19:39, Daniel T. Gynn wrote:
>
> Understood on the kernel version. I was thinking it could go along with
> the elrepo kernel-lt kernel, which is at 3.2 and satisfies the kernel
> version requirement.
>
>
> On Tue, Apr 8, 2014 at 2:29 PM, Trevor Hemsley wrote:
>
>> Unlikely.
>>
>> http://ipset.netfilter.org/install.html says:
>>
>> For the new branch
>>
>> - linux kernel source code (version >= 2.6.32)
>> - source of ipset: ipset-6.21.1.tar.bz2 <http://ipset.netfilter.org/ipset-6.21.1.tar.bz2>
>>   (md5sum <http://ipset.netfilter.org/ipset-6.21.1.tar.bz2.md5sum.txt>)
>>
>> And el5 has kernel 2.6.18 so needs to use the older 4.5 code.
>>
>> On 08/04/14 07:52, Daniel T. Gynn wrote:
>>
>>
>> Any chance of getting an ipset 6.x package built for CentOS 5? There
>> are substantial improvements over the 4.5 version included with CentOS 5.
>> I tested the exact same load on duplicate hardware and found it 10 to 20
>> times faster with similar memory usage reduction in CentOS 6 over CentOS 5.
>>
>>
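
The partial restore described in the top message (an `ipset -R` that skips ranges without reporting it) can be caught by comparing the restore file with a dump taken after loading. This is an added example, not code from the thread or from the ipset project; it assumes the 4.x save format (`-A set member` lines, with 6.x `add` lines also accepted) and that members are written in the same form `ipset -S` prints them. The set name, file names and addresses are constructed.

```shell
#!/bin/sh
# Added example: verify that everything in a restore file is actually loaded.

# Print sorted, unique "set member" pairs from an ipset restore/save file.
# Accepts 4.x lines ("-A set member") and 6.x lines ("add set member").
ipset_members() {
    awk '$1 == "-A" || $1 == "add" { print $2, $3 }' "$1" | LC_ALL=C sort -u
}

# missing_entries WANTED LOADED
# Prints entries that are in WANTED but not in LOADED; returns 1 if any.
missing_entries() {
    want=$(mktemp) || return 2
    have=$(mktemp) || { rm -f "$want"; return 2; }
    ipset_members "$1" > "$want"
    ipset_members "$2" > "$have"
    missing=$(LC_ALL=C comm -23 "$want" "$have")
    rm -f "$want" "$have"
    [ -z "$missing" ] && return 0
    printf '%s\n' "$missing"
    return 1
}

# Constructed sample data: the file fed to "ipset -R", and a dump of the
# live sets afterwards (as "ipset -S" would write it) with one range skipped.
demo() {
    dir=$(mktemp -d) || return 2
    cat > "$dir/wanted.rules" <<'EOF'
-N blocklist nethash --hashsize 1024 --probes 4 --resize 50
-A blocklist 192.0.2.0/24
-A blocklist 198.51.100.0/24
-A blocklist 203.0.113.0/24
COMMIT
EOF
    cat > "$dir/loaded.save" <<'EOF'
-N blocklist nethash --hashsize 1024 --probes 4 --resize 50
-A blocklist 203.0.113.0/24
-A blocklist 192.0.2.0/24
COMMIT
EOF
    rc=0
    missing_entries "$dir/wanted.rules" "$dir/loaded.save" || rc=$?
    rm -rf "$dir"
    return "$rc"
}

demo || echo "restore incomplete: entries listed above are not loaded" >&2
```

On a live system the second argument would be the output of `ipset -S` redirected to a file right after the restore; a non-zero return is the signal to retry the restore or raise an alert.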