IPset support in 2.2?

[Vitaly]

I need to filter quite big ip list. IMHO, the most reasonable solution is ipset module for iptables.

AFAIK, ipset already exists in latest kernels, used in PVE 2.2, but CLI tool show error:

root@hz ~ # ipset -H
ipset v2.5.0: Kernel ipset code is of protocol version 6.I'm of protocol version 2.
Please upgrade your kernel and/or ipset(8) utillity.

1. Is there any way to make ipset work on HN ?
2. The same, but for containers (OpenVZ)

 

[tom]

looks like the ipset utility package is too old.

 

[networ]

There is a lot of confusion: the ipset utility that comes with the "ipset" package in Debian squeeze is obolete. There is a version of ipset which comes in two deb packages with Debian squeeze: xtables-addons-common which contains libs and tools (e.g. the ipset utility) and xtables-addons-source which contains sources of extensions targets and matches for iptables modules. The modules need to be built from sources using module-assistant.Installation:apt-get install module-assistant pve-headers-2.6.32-19-pveapt-get install xtables-addons-common xtables-addons-sourcemodule-assistant preparemodule-assistant --text-mode auto-install xtables-addons-sourceThis will build and install the package with modules in /usr/src. In my case the package name isxtables-addons-modules-2.6.32-19-pve_1.26-2_amd64.debroot@proxmox:~# ipset -Hipset v4.2Then following example worked:ipset -N testset iphashipset -A testset 65.55.57.27ipset -A testset 77.75.76.3# ban traffic to destinations listed in ipset "testset"iptables -I OUTPUT -m set -j DROP --match-set testset dstUnfortunatelly the above worked on the hardware node only. I couldn't make it working in my OpenVZ containter (32-bit Debian squeeze)samantha144:/# ipset -Hipset v4.2: Couldn't verify kernel module version!I was trying to edit IPTABLES= in /etc/vz/vz.conf but it seems that the problem is somewhere else.ntw