<div dir="ltr">Unfortunately, I can't get the ipset 6.x userspace tools to compile on el5. I was hoping with the experience the elrepo team has, that they might be able to compile a version (or maybe point me in the right direction on the tools/packages needed). <br>
<div><div class="gmail_extra"><br></div><div class="gmail_extra">ipset 4.5 works well for the most part. Definitely better than doing the same in iptables. But I've experienced instances when the system is under load and an ipset -R (restore) is initiated that it will skip some ranges. Hard to detect that it missed them until I see those networks that should be blocked getting through. Unfortunately, I have 100s of systems out there that I don't have direct (or even SSH) access to, so migrating them to el6 will prove extremely difficult. I can't find any examples anywhere of someone doing an in-place upgrade of el5 to el6.<br>
<br></div><div class="gmail_extra"><br><div class="gmail_quote">On Tue, Apr 8, 2014 at 8:29 PM, Trevor Hemsley <span dir="ltr">&lt;<a href="mailto:themsley@voiceflex.com" target="_blank">themsley@voiceflex.com</a>&gt;</span> wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
<div>The kernel-{lt,ml} packages do not have
a stable kernel ABI so any module built for it would need to be
rebuilt for each kernel. Maybe the ipset options could be turned
on in the kernel-lt config so you'd just need userspace tools.<br>
<br>
I've been running ipset 4.5 on all our el5 servers at $dayjob
since the tail end of 2011. Our servers handle more than 1TB of
data a day and I have seen no problems with the performance of
ipset - it's way better than iptables. Personally I'd say if you
need ipset 6.x for performance reasons then you should be moving
to el6 (or el7 soon!).<br>
<br>
On 08/04/14 19:39, Daniel T. Gynn wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">Understood on the kernel version. I was thinking
it could go along with the elrepo kernel-lt kernel, which is at
3.2 and satisfies the kernel version requirement.<br>
<div>
<div class="gmail_extra"><br>
<br>
<div class="gmail_quote">
On Tue, Apr 8, 2014 at 2:29 PM, Trevor Hemsley wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0 .8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000">
<div>Unlikely. <br>
<br>
<a href="http://ipset.netfilter.org/install.html" target="_blank">http://ipset.netfilter.org/install.html</a>
says:<br>
<br>
For the new branch
<ul>
<li>linux kernel source code (version >=
2.6.32) </li>
<li>source of ipset: <a href="http://ipset.netfilter.org/ipset-6.21.1.tar.bz2" target="_blank"> ipset-6.21.1.tar.bz2</a> (<a href="http://ipset.netfilter.org/ipset-6.21.1.tar.bz2.md5sum.txt" target="_blank">md5sum</a>) </li>
</ul>
And el5 has kernel 2.6.18 so needs to use the older
4.5 code.<br>
<br>
On 08/04/14 07:52, Daniel T. Gynn wrote:<br>
</div>
<blockquote type="cite">
<div dir="ltr">
<div><br clear="all">
</div>
Any chance of getting an ipset 6.x package built
for CentOS 5? There are substantial improvements
over the 4.5 version included with CentOS 5. I
tested the exact same load on duplicate hardware
and found it 10 to 20 times faster with similar
memory usage reduction in CentOS 6 over CentOS 5.<br>
</div>
<br clear="all"></blockquote></div></blockquote></div></div></div></div></blockquote></div></blockquote></div><br>
</div></div></div>
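The thread's most recent message reports that a restore under load can skip ranges, and that this is hard to notice. One way to detect it is to compare the restore file against a dump of the live sets taken right after the restore. This is an added example, not code from the thread or from the ipset project. The set name, the sample data and the two dump line styles it parses (`-N`/`-A` for 4.x, `create`/`add` for 6.x) are assumptions.

```python
import re

# Matches member-add lines in both dump styles (assumed formats):
#   ipset 4.x:  -A blocklist 192.0.2.0/24
#   ipset 6.x:  add blocklist 192.0.2.0/24
ADD_RE = re.compile(r"^(?:-A|add)\s+(\S+)\s+(\S+)")

def parse_members(dump_text):
    """Return {set_name: set(entries)} from save/restore-format text."""
    members = {}
    for raw in dump_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#") or line == "COMMIT":
            continue
        m = ADD_RE.match(line)
        if m:
            members.setdefault(m.group(1), set()).add(m.group(2))
        elif line.split()[0] in ("-N", "create") and len(line.split()) > 1:
            # Remember declared sets so an empty live set is still reported.
            members.setdefault(line.split()[1], set())
    return members

def missing_after_restore(restore_text, saved_text):
    """Entries present in the restore file but absent from the live dump."""
    wanted, live = parse_members(restore_text), parse_members(saved_text)
    gaps = {}
    for name, entries in wanted.items():
        lost = entries - live.get(name, set())
        if lost:
            gaps[name] = sorted(lost)
    return gaps

# Constructed sample data (documentation address ranges, hypothetical set name).
RESTORE_FILE = """\
-N blocklist nethash --hashsize 1024 --probes 4 --resize 50
-A blocklist 192.0.2.0/24
-A blocklist 198.51.100.0/24
-A blocklist 203.0.113.0/24
COMMIT
"""
LIVE_DUMP = """\
# Generated by ipset 4.5
-N blocklist nethash --hashsize 1024 --probes 4 --resize 50
-A blocklist 192.0.2.0/24
-A blocklist 203.0.113.0/24
COMMIT
"""

if __name__ == "__main__":
    for name, lost in missing_after_restore(RESTORE_FILE, LIVE_DUMP).items():
        print("set %s is missing %d entries: %s" % (name, len(lost), ", ".join(lost)))
```

The comparison is textual, so entries in the restore file should be written the way the running ipset version prints them back; otherwise a correctly loaded range can be reported as missing.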