Hello Gerald,
On 28/12/12 11:58, Gerald Davies wrote:
[snip]
> Have you patched iptables or compiled a new version that works with
> ipset? I'm not sure the current version in Debian works with ipset
> either.
I have the stock version of iptables:
# iptables --version
iptables v1.4.8
It seems to understand sets. Here is basically what I did in a test
script (with BASH debugging on):
---start---
# ./ipset-create.sh
+ /usr/local/sbin/ipset create droplist hash:net
+ /usr/local/sbin/ipset add droplist 27.8.0.0/12
+ /usr/local/sbin/ipset add droplist 27.24.0.0/13
+ /usr/local/sbin/ipset add droplist 27.36.0.0/13
+ /usr/local/sbin/ipset add droplist 27.44.0.0/14
+ /usr/local/sbin/ipset add droplist 27.50.128.0/17
+ /usr/local/sbin/ipset add droplist 27.54.192.0/18
+ /usr/local/sbin/ipset add droplist 27.144.0.0/16
+ /usr/local/sbin/ipset add droplist 27.148.0.0/10
+ /usr/local/sbin/ipset add droplist 27.212.0.0/12
+ /usr/local/sbin/ipset add droplist 58.14.0.0/13
+ /usr/local/sbin/ipset add droplist 58.22.0.0/14
---end---
So now we have this:
# ipset list
Name: droplist
Type: hash:net
Header: family inet hashsize 1024 maxelem 65536
Size in memory: 8884
References: 0
Members:
27.208.0.0/12
27.24.0.0/13
58.8.0.0/13
27.50.128.0/17
27.0.0.0/12
27.144.0.0/16
27.44.0.0/14
58.20.0.0/14
27.128.0.0/10
27.54.192.0/18
27.32.0.0/13
Some iptables hackery:
# iptables -A INPUT -m set --set droplist src -j DROP
No error messages, which is good! A good grep at the current netfilter
situation shows this:
# iptables -L -n -v | grep set
    0     0 DROP       all  --  *      *       0.0.0.0/0            0.0.0.0/0            match-set droplist src
Awesome! :-) So it's only ipset that needs to be compiled, the standard
iptables seems to be happy with the 3.2.0 kernel.
--
Regards,
Jan Henkins
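One detail in the exchange above is worth a second look before anyone copies the script: the prefixes that went in via `ipset add` (27.8.0.0/12, 27.36.0.0/13, 27.148.0.0/10, 27.212.0.0/12, 58.14.0.0/13, 58.22.0.0/14) are not the prefixes that `ipset list` shows afterwards (27.0.0.0/12, 27.32.0.0/13, 27.128.0.0/10, 27.208.0.0/12, 58.8.0.0/13, 58.20.0.0/14). Those six entries had host bits set below the prefix length, and hash:net silently masks them off, so the kernel ends up dropping a different (and in each case shifted or wider) block than the one written in the list. The listing also keeps 27.144.0.0/16 even though the stored 27.128.0.0/10 already covers it. The following Python script, an added example that is not part of the original post or of the ipset project, uses the standard `ipaddress` module to flag exactly those cases before a list is loaded, and emits an `ipset restore` script whose members are already aligned. The sample list is the one from the post; the function names (`normalise`, `misaligned`, `redundant`, `would_drop`, `restore_lines`) are this example's own, and the create header it writes copies the `ipset list` header shown above.

```python
"""Sanity-check a CIDR droplist before loading it into an ipset hash:net set.

Added example, not code from the mailing-list post. hash:net stores only the
network bits of each entry, which is why the post's `ipset list` output differs
from what `ipset add` was given; this script makes that difference visible.
"""
import ipaddress

# Constructed sample: the exact prefixes the post's ipset-create.sh added.
DROPLIST = [
    "27.8.0.0/12", "27.24.0.0/13", "27.36.0.0/13", "27.44.0.0/14",
    "27.50.128.0/17", "27.54.192.0/18", "27.144.0.0/16", "27.148.0.0/10",
    "27.212.0.0/12", "58.14.0.0/13", "58.22.0.0/14",
]


def normalise(prefix):
    """Return the prefix the way hash:net stores it: host bits masked to zero."""
    return str(ipaddress.ip_network(prefix, strict=False))


def misaligned(prefixes):
    """(as_written, as_stored) pairs for entries whose host bits were not zero.

    These are the entries where the block that lands in the kernel is not the
    block the list author wrote, so they deserve a human look: the stored block
    may include addresses that were never meant to be dropped.
    """
    return [(p, normalise(p)) for p in prefixes if normalise(p) != p]


def redundant(prefixes):
    """Entries (as written) already covered by a broader entry in the same list.

    hash:net happily keeps both, so nothing in ipset will tell you about it.
    """
    nets = [ipaddress.ip_network(p, strict=False) for p in prefixes]
    out = []
    for p, n in zip(prefixes, nets):
        if any(n != other and n.subnet_of(other) for other in nets):
            out.append(p)
    return out


def would_drop(ip, prefixes):
    """True if `ip` matches the set as the kernel will actually hold it."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(p, strict=False) for p in prefixes)


def restore_lines(name, prefixes):
    """Lines for `ipset restore`: the set header from the post plus members that
    are already aligned and de-duplicated, so what you load is what you reviewed."""
    members = sorted({ipaddress.ip_network(p, strict=False) for p in prefixes})
    lines = ["create %s hash:net family inet hashsize 1024 maxelem 65536" % name]
    lines += ["add %s %s" % (name, net) for net in members]
    return lines


if __name__ == "__main__":
    for written, stored in misaligned(DROPLIST):
        print("%-16s is stored as %s" % (written, stored))
    for p in redundant(DROPLIST):
        print("%-16s is already covered by a broader entry" % p)
    print("\n".join(restore_lines("droplist", DROPLIST)))
```

Run it with `python3` and feed the printed `create`/`add` lines to `ipset restore` (or review them first); `would_drop("27.3.1.1", DROPLIST)` returns True even though no written entry mentions 27.3.x.x, which is exactly the kind of surprise the check is there to catch.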