ipset and kernel 2.6.22

hi list,

just wanted to ask if i'm the only one who is unable to
compile
an ipset-patched kernel 2.6.22...
(any of the devs around? - can't find any contact address at
the
ipset website)

  CC [M]  net/ipv4/netfilter/ipt_SET.o
net/ipv4/netfilter/ipt_SET.c:25:46: error:
linux/netfilter_ipv4/ip_nat_rule.h: No such file or
directory
net/ipv4/netfilter/ipt_SET.c:40: warning: 'struct xt_target'
declared inside parameter list
net/ipv4/netfilter/ipt_SET.c:40: warning: its scope is only
this definition or declaration, which is probably not what
you want
net/ipv4/netfilter/ipt_SET.c: In function 'target':
net/ipv4/netfilter/ipt_SET.c:54: error: 'IPT_CONTINUE'
undeclared (first use in this function)
net/ipv4/netfilter/ipt_SET.c:54: error: (Each undeclared
identifier is reported only once
net/ipv4/netfilter/ipt_SET.c:54: error: for each function it
appears in.)
net/ipv4/netfilter/ipt_SET.c: At top level:
net/ipv4/netfilter/ipt_SET.c:71: warning: 'struct xt_target'
declared inside parameter list
net/ipv4/netfilter/ipt_SET.c:117: warning: 'struct
xt_target' declared inside parameter list
net/ipv4/netfilter/ipt_SET.c:134: error: variable
'SET_target' has initializer but incomplete type
net/ipv4/netfilter/ipt_SET.c:135: error: unknown field
'name' specified in initializer
net/ipv4/netfilter/ipt_SET.c:135: warning: excess elements
in struct initializer
net/ipv4/netfilter/ipt_SET.c:135: warning: (near
initialization for 'SET_target')
net/ipv4/netfilter/ipt_SET.c:137: error: unknown field
'family' specified in initializer
net/ipv4/netfilter/ipt_SET.c:137: warning: excess elements
in struct initializer
net/ipv4/netfilter/ipt_SET.c:137: warning: (near
initialization for 'SET_target')
net/ipv4/netfilter/ipt_SET.c:139: error: unknown field
'target' specified in initializer
net/ipv4/netfilter/ipt_SET.c:139: warning: excess elements
in struct initializer
net/ipv4/netfilter/ipt_SET.c:139: warning: (near
initialization for 'SET_target')
net/ipv4/netfilter/ipt_SET.c:141: error: unknown field
'targetsize' specified in initializer
net/ipv4/netfilter/ipt_SET.c:141: warning: excess elements
in struct initializer
net/ipv4/netfilter/ipt_SET.c:141: warning: (near
initialization for 'SET_target')
net/ipv4/netfilter/ipt_SET.c:143: error: unknown field
'checkentry' specified in initializer
net/ipv4/netfilter/ipt_SET.c:143: warning: excess elements
in struct initializer
net/ipv4/netfilter/ipt_SET.c:143: warning: (near
initialization for 'SET_target')
net/ipv4/netfilter/ipt_SET.c:144: error: unknown field
'destroy' specified in initializer
net/ipv4/netfilter/ipt_SET.c:144: warning: excess elements
in struct initializer
net/ipv4/netfilter/ipt_SET.c:144: warning: (near
initialization for 'SET_target')
net/ipv4/netfilter/ipt_SET.c:145: error: unknown field 'me'
specified in initializer
net/ipv4/netfilter/ipt_SET.c:146: warning: excess elements
in struct initializer
net/ipv4/netfilter/ipt_SET.c:146: warning: (near
initialization for 'SET_target')
net/ipv4/netfilter/ipt_SET.c: In function 'ipt_SET_init':
net/ipv4/netfilter/ipt_SET.c:159: warning: implicit
declaration of function 'xt_register_target'
net/ipv4/netfilter/ipt_SET.c: In function 'ipt_SET_fini':
net/ipv4/netfilter/ipt_SET.c:164: warning: implicit
declaration of function 'xt_unregister_target'
make[3]: *** [net/ipv4/netfilter/ipt_SET.o] Error 1
make[2]: *** [net/ipv4/netfilter] Error 2
make[1]: *** [net/ipv4] Error 2
make: *** [net] Error 2


anyone?


tia,

=;p/ud aka nerdpunk

-- 
gpg-key #C3B04767

> hi list,
>
> just wanted to ask if i'm the only one who is unable to
compile
> an ipset-patched kernel 2.6.22...
> (any of the devs around? - can't find any contact
address at the
> ipset website)

Use patch 130-netfilter-ipset.patch
 from this page  
https://dev.openwrt.org/browser/tr
unk/target/linux/generic-2.6/patches-2.6.22/

In my opninion ipset iptree still does not work as it should
be.
My test:

[]# ipset -N viruses iptree --timeout 100
[]# ipset -A viruses 172.16.14.12

Test1:
[]# ipset -T viruses 172.16.14.12
172.16.14.12 is in set viruses
Test2:
[]# ipset -T viruses 172.16.14.111
172.16.14.111 is in set viruses
Test3:
[]# ipset -T viruses 172.16.140.111
172.16.140.111 is NOT in set viruses

...

Test2 172.16.14.111 shoud NOT be in set viruses, every IP
from example  
subnet 172.16.14.0/24
is reported as "in set", (look at test2).

Everything is ok after IPTRE_GC_TIME 5*60  (line 33 in
ip_set_iptree.c)
When I changed this label to 60 this module iptree worked ok
after 60s.

To test again you have to unload ipset module. Something is
wrong few  
minutes
after module is loaded...

I do not know if any other ipset module has bugs.



>   CC [M]  net/ipv4/netfilter/ipt_SET.o
> net/ipv4/netfilter/ipt_SET.c:25:46: error:  
> linux/netfilter_ipv4/ip_nat_rule.h: No such file or
directory
> net/ipv4/netfilter/ipt_SET.c:40: warning: 'struct
xt_target' declared  
> inside parameter list
> net/ipv4/netfilter/ipt_SET.c:40: warning: its scope is
only this  
> definition or declaration, which is probably not what
you want
> net/ipv4/netfilter/ipt_SET.c: In function 'target':
> net/ipv4/netfilter/ipt_SET.c:54: error: 'IPT_CONTINUE'
undeclared (first  
> use in this function)
> net/ipv4/netfilter/ipt_SET.c:54: error: (Each
undeclared identifier is  
> reported only once
> net/ipv4/netfilter/ipt_SET.c:54: error: for each
function it appears in.)
> net/ipv4/netfilter/ipt_SET.c: At top level:
> net/ipv4/netfilter/ipt_SET.c:71: warning: 'struct
xt_target' declared  
> inside parameter list
> net/ipv4/netfilter/ipt_SET.c:117: warning: 'struct
xt_target' declared  
> inside parameter list
> net/ipv4/netfilter/ipt_SET.c:134: error: variable
'SET_target' has  
> initializer but incomplete type
> net/ipv4/netfilter/ipt_SET.c:135: error: unknown field
'name' specified  
> in initializer
> net/ipv4/netfilter/ipt_SET.c:135: warning: excess
elements in struct  
> initializer
> net/ipv4/netfilter/ipt_SET.c:135: warning: (near
initialization for  
> 'SET_target')
> net/ipv4/netfilter/ipt_SET.c:137: error: unknown field
'family'  
> specified in initializer
> net/ipv4/netfilter/ipt_SET.c:137: warning: excess
elements in struct  
> initializer
> net/ipv4/netfilter/ipt_SET.c:137: warning: (near
initialization for  
> 'SET_target')
> net/ipv4/netfilter/ipt_SET.c:139: error: unknown field
'target'  
> specified in initializer
> net/ipv4/netfilter/ipt_SET.c:139: warning: excess
elements in struct  
> initializer
> net/ipv4/netfilter/ipt_SET.c:139: warning: (near
initialization for  
> 'SET_target')
> net/ipv4/netfilter/ipt_SET.c:141: error: unknown field
'targetsize'  
> specified in initializer
> net/ipv4/netfilter/ipt_SET.c:141: warning: excess
elements in struct  
> initializer
> net/ipv4/netfilter/ipt_SET.c:141: warning: (near
initialization for  
> 'SET_target')
> net/ipv4/netfilter/ipt_SET.c:143: error: unknown field
'checkentry'  
> specified in initializer
> net/ipv4/netfilter/ipt_SET.c:143: warning: excess
elements in struct  
> initializer
> net/ipv4/netfilter/ipt_SET.c:143: warning: (near
initialization for  
> 'SET_target')
> net/ipv4/netfilter/ipt_SET.c:144: error: unknown field
'destroy'  
> specified in initializer
> net/ipv4/netfilter/ipt_SET.c:144: warning: excess
elements in struct  
> initializer
> net/ipv4/netfilter/ipt_SET.c:144: warning: (near
initialization for  
> 'SET_target')
> net/ipv4/netfilter/ipt_SET.c:145: error: unknown field
'me' specified in  
> initializer
> net/ipv4/netfilter/ipt_SET.c:146: warning: excess
elements in struct  
> initializer
> net/ipv4/netfilter/ipt_SET.c:146: warning: (near
initialization for  
> 'SET_target')
> net/ipv4/netfilter/ipt_SET.c: In function
'ipt_SET_init':
> net/ipv4/netfilter/ipt_SET.c:159: warning: implicit
declaration of  
> function 'xt_register_target'
> net/ipv4/netfilter/ipt_SET.c: In function
'ipt_SET_fini':
> net/ipv4/netfilter/ipt_SET.c:164: warning: implicit
declaration of  
> function 'xt_unregister_target'
> make[3]: *** [net/ipv4/netfilter/ipt_SET.o] Error 1
> make[2]: *** [net/ipv4/netfilter] Error 2
> make[1]: *** [net/ipv4] Error 2
> make: *** [net] Error 2
> anyone?

On Mon, 23 Jul 2007, £ukasz Nierych³o wrote:

> In my opninion ipset iptree still does not work as it
should be.
> My test:
>
> []# ipset -N viruses iptree --timeout 100
> []# ipset -A viruses 172.16.14.12
>
> Test1:
> []# ipset -T viruses 172.16.14.12
> 172.16.14.12 is in set viruses
> Test2:
> []# ipset -T viruses 172.16.14.111
> 172.16.14.111 is in set viruses
> Test3:
> []# ipset -T viruses 172.16.140.111
> 172.16.140.111 is NOT in set viruses
>
> ...
>
> Test2 172.16.14.111 shoud NOT be in set viruses, every
IP from example subnet 
> 172.16.14.0/24
> is reported as "in set", (look at test2).
>
> Everything is ok after IPTRE_GC_TIME 5*60  (line 33 in
ip_set_iptree.c)
> When I changed this label to 60 this module iptree
worked ok after 60s.
>
> To test again you have to unload ipset module.
Something is wrong few minutes
> after module is loaded...

That looks like a real bug. Which kernel and pom-ng version
are you using?

Best regards,
Jozsef
-
E-mail  : kadlecblackhole.kfki.hu, kadlecsunserv.kfki.hu
PGP key : http://
www.kfki.hu/~kadlec/pgp_public_key.txt
Address : KFKI Research Institute for Particle and Nuclear
Physics
           H-1525 Budapest 114, POB. 49, Hungary

> On Mon, 23 Jul 2007, £ukasz Nierych³o wrote:
>
>> In my opninion ipset iptree still does not work as
it should be.
>> My test:
>>
>> []# ipset -N viruses iptree --timeout 100
>> []# ipset -A viruses 172.16.14.12
>>
>> Test1:
>> []# ipset -T viruses 172.16.14.12
>> 172.16.14.12 is in set viruses
>> Test2:
>> []# ipset -T viruses 172.16.14.111
>> 172.16.14.111 is in set viruses
>> Test3:
>> []# ipset -T viruses 172.16.140.111
>> 172.16.140.111 is NOT in set viruses
>>
>> ...
>>
>> Test2 172.16.14.111 shoud NOT be in set viruses,
every IP from example  
>> subnet
>> 172.16.14.0/24
>> is reported as "in set", (look at
test2).
>>
>> Everything is ok after IPTRE_GC_TIME 5*60  (line 33
in ip_set_iptree.c)
>> When I changed this label to 60 this module iptree
worked ok after 60s.
>>
>> To test again you have to unload ipset module.
Something is wrong few  
>> minutes
>> after module is loaded...
>
> That looks like a real bug. Which kernel and pom-ng
version are you  
> using?

My kernel: 2.6.22.1 PREEMPT i686 pentium4
Patch: 130-netfilter-ipset.patch
 from this page
https://dev.openwrt.org/browser/tr
unk/target/linux/generic-2.6/patches-2.6.22/

This kernel was not pathed by any other patch than
130-netfilter-ipset.patch
140-netfilter_time.patch
150-netfilter_imq.patch

[]# ipset -V
ipset v2.2.9a Protocol version 2

The same was when I reported this
https://lists.netfilter.org/pipermail/netfil
ter/2007-May/068730.html
on earlier version of kernel ( + pom-ng )

£ukasz Nierych³o