[New: openFATE 308441] Use ip_set kernel option
Feature added by: Don Hughes (dehughes)

Feature #308441, revision 1
Title: Use ip_set kernel option

Package Wishlist: Unconfirmed
Priority Requester: Desirable

Requested by: Don Hughes (dehughes)

Description:
Compile RT kernel with the ip_set netfilter option, and include the ipset module in the distribution.
The ipset module ( http://ipset.netfilter.org ) can be very useful in building firewalls for large networks. It needs the ip_set kernel module.
Creating a firewall black list with just iptables could entail a filter table with a very large number of entries which can have a significant performance impact. ipset can be used to build much more efficient lookup tables, improving performance.

--
openSUSE Feature: https://features.opensuse.org/308441
Feature changed by: Jan Engelhardt (jengelh) Feature #308441, revision 2 Title: Use ip_set kernel option Package Wishlist: Unconfirmed Priority Requester: Desirable Requested by: Don Hughes (dehughes) Description: Compile RT kernel with the ip_set netfilter option, and include the ipset module in the distribution. The ipset module ( http://ipset.netfilter.org ) can be very useful in building firewalls for large networks. It needs the ip_set kernel module. Creating a firewall black list with just iptables could entail a filter table with a very large number of entries which can have a significant performance impact. ipset can be used to build much more eficient lookup tables, improving performance. + Discussion: + #1: Jan Engelhardt (jengelh) (2009-12-05 13:23:58) + Reword this request: include "xtables-addons" (contains ipset already, + and no kernel recompile is needed). SRPM is in + http://jftp.medozas.de/. -- openSUSE Feature: https://features.opensuse.org/308441
Feature changed by: Don Hughes (dehughes) Feature #308441, revision 3 - Title: Use ip_set kernel option + Title: Include the xtables-addons package Package Wishlist: Unconfirmed Priority Requester: Desirable Requested by: Don Hughes (dehughes) Description: Compile RT kernel with the ip_set netfilter option, and include the ipset module in the distribution. The ipset module ( http://ipset.netfilter.org ) can be very useful in building firewalls for large networks. It needs the ip_set kernel module. Creating a firewall black list with just iptables could entail a filter table with a very large number of entries which can have a significant performance impact. ipset can be used to build much more eficient lookup tables, improving performance. Discussion: #1: Jan Engelhardt (jengelh) (2009-12-05 13:23:58) Reword this request: include "xtables-addons" (contains ipset already, and no kernel recompile is needed). SRPM is in http://jftp.medozas.de/. -- openSUSE Feature: https://features.opensuse.org/308441
Feature changed by: Don Hughes (dehughes) Feature #308441, revision 4 Title: Include the xtables-addons package Package Wishlist: Unconfirmed Priority Requester: Desirable Requested by: Don Hughes (dehughes) Description: - Compile RT kernel with the ip_set netfilter option, and include the - ipset module in the distribution. + The distribution currently contains the -j SET target and the -m set + extension module for iptables, but not the ipset module needed to + create and populate the referenced tables. + The ipset module is provided with the xtables-addons package (plus some + additional filtering tools). The ipset module ( http://ipset.netfilter.org ) can be very useful in - building firewalls for large networks. It needs the ip_set kernel - module. - Creating a firewall black list with just iptables could entail a filter - table with a very large number of entries which can have a significant - performance impact. ipset can be used to build much more eficient - lookup tables, improving performance. + building firewalls for large networks. Creating a firewall black list + with just iptables could entail a filter table with a very large number + of entries which can have a significant performance impact. ipset can + be used to build much more eficient lookup tables, improving + performance. + + (Description modified based on comment #1) Discussion: #1: Jan Engelhardt (jengelh) (2009-12-05 13:23:58) Reword this request: include "xtables-addons" (contains ipset already, and no kernel recompile is needed). SRPM is in http://jftp.medozas.de/. -- openSUSE Feature: https://features.opensuse.org/308441
Feature changed by: Petr Uzel (puzel) Feature #308441, revision 5 Title: Include the xtables-addons package Package Wishlist: Unconfirmed Priority Requester: Desirable + Info Provider: Jan Engelhardt (jengelh) Requested by: Don Hughes (dehughes) Description: The distribution currently contains the -j SET target and the -m set extension module for iptables, but not the ipset module needed to create and populate the referenced tables. The ipset module is provided with the xtables-addons package (plus some additional filtering tools). The ipset module ( http://ipset.netfilter.org ) can be very useful in building firewalls for large networks. Creating a firewall black list with just iptables could entail a filter table with a very large number of entries which can have a significant performance impact. ipset can be used to build much more eficient lookup tables, improving performance. - (Description modified based on comment #1) Discussion: #1: Jan Engelhardt (jengelh) (2009-12-05 13:23:58) Reword this request: include "xtables-addons" (contains ipset already, and no kernel recompile is needed). SRPM is in http://jftp.medozas.de/. + #2: Petr Uzel (puzel) (2009-12-30 12:44:06) (reply to #1) + What's the advantage of xtables-addons over official ipset from + netfilter team? I don't get the point with kernel recompilation. -- openSUSE Feature: https://features.opensuse.org/308441
Feature changed by: Jan Engelhardt (jengelh) Feature #308441, revision 7 Title: Include the xtables-addons package Package Wishlist: Unconfirmed Priority Requester: Desirable Info Provider: Jan Engelhardt (jengelh) Requested by: Don Hughes (dehughes) Description: The distribution currently contains the -j SET target and the -m set extension module for iptables, but not the ipset module needed to create and populate the referenced tables. The ipset module is provided with the xtables-addons package (plus some additional filtering tools). The ipset module ( http://ipset.netfilter.org ) can be very useful in building firewalls for large networks. Creating a firewall black list with just iptables could entail a filter table with a very large number of entries which can have a significant performance impact. ipset can be used to build much more eficient lookup tables, improving performance. (Description modified based on comment #1) Discussion: #1: Jan Engelhardt (jengelh) (2009-12-05 13:23:58) Reword this request: include "xtables-addons" (contains ipset already, and no kernel recompile is needed). SRPM is in http://jftp.medozas.de/. #2: Petr Uzel (puzel) (2009-12-30 12:44:06) (reply to #1) What's the advantage of xtables-addons over official ipset from netfilter team? I don't get the point with kernel recompilation. + #3: Jan Engelhardt (jengelh) (2009-12-30 14:16:56) (reply to #2) + Xtables-addons is the consensual successor to pom-ng, so decided on the + Netfilter Workshop 2008. It's just that... the netfilter.org webpage + does not get updated. For all inofficiality that it may still retain, + it does ship the official ipset including the extensions that once + lived in pom-ng (now well-maintained in Xt-a) in a single package. IOW, + build Xt-a, get ipset for free. + Re recompilation: xtables-addons is a KMP, while pom-ng was/is not. -- openSUSE Feature: https://features.opensuse.org/308441
Feature changed by: Petr Uzel (puzel) Feature #308441, revision 8 Title: Include the xtables-addons package Package Wishlist: Unconfirmed Priority Requester: Desirable Info Provider: Jan Engelhardt (jengelh) Requested by: Don Hughes (dehughes) Description: The distribution currently contains the -j SET target and the -m set extension module for iptables, but not the ipset module needed to create and populate the referenced tables. The ipset module is provided with the xtables-addons package (plus some additional filtering tools). The ipset module ( http://ipset.netfilter.org ) can be very useful in building firewalls for large networks. Creating a firewall black list with just iptables could entail a filter table with a very large number of entries which can have a significant performance impact. ipset can be used to build much more eficient lookup tables, improving performance. (Description modified based on comment #1) Discussion: #1: Jan Engelhardt (jengelh) (2009-12-05 13:23:58) Reword this request: include "xtables-addons" (contains ipset already, and no kernel recompile is needed). SRPM is in http://jftp.medozas.de/. #2: Petr Uzel (puzel) (2009-12-30 12:44:06) (reply to #1) What's the advantage of xtables-addons over official ipset from netfilter team? I don't get the point with kernel recompilation. #3: Jan Engelhardt (jengelh) (2009-12-30 14:16:56) (reply to #2) Xtables-addons is the consensual successor to pom-ng, so decided on the Netfilter Workshop 2008. It's just that... the netfilter.org webpage does not get updated. For all inofficiality that it may still retain, it does ship the official ipset including the extensions that once lived in pom-ng (now well-maintained in Xt-a) in a single package. IOW, build Xt-a, get ipset for free. Re recompilation: xtables-addons is a KMP, while pom-ng was/is not. + #4: Petr Uzel (puzel) (2009-12-30 14:57:59) (reply to #3) + Thanks for clarification, Jan. 
+ Since you are the expert in this area and openSUSE Factory is open, + could you please take care of xtables-addons inclusion into openSUSE? -- openSUSE Feature: https://features.opensuse.org/308441
Feature changed by: Jan Engelhardt (jengelh) Feature #308441, revision 9 Title: Include the xtables-addons package Package Wishlist: Unconfirmed Priority Requester: Desirable Info Provider: Jan Engelhardt (jengelh) Requested by: Don Hughes (dehughes) Description: The distribution currently contains the -j SET target and the -m set extension module for iptables, but not the ipset module needed to create and populate the referenced tables. The ipset module is provided with the xtables-addons package (plus some additional filtering tools). The ipset module ( http://ipset.netfilter.org ) can be very useful in building firewalls for large networks. Creating a firewall black list with just iptables could entail a filter table with a very large number of entries which can have a significant performance impact. ipset can be used to build much more eficient lookup tables, improving performance. (Description modified based on comment #1) Discussion: #1: Jan Engelhardt (jengelh) (2009-12-05 13:23:58) Reword this request: include "xtables-addons" (contains ipset already, and no kernel recompile is needed). SRPM is in http://jftp.medozas.de/. #2: Petr Uzel (puzel) (2009-12-30 12:44:06) (reply to #1) What's the advantage of xtables-addons over official ipset from netfilter team? I don't get the point with kernel recompilation. #3: Jan Engelhardt (jengelh) (2009-12-30 14:16:56) (reply to #2) Xtables-addons is the consensual successor to pom-ng, so decided on the Netfilter Workshop 2008. It's just that... the netfilter.org webpage does not get updated. For all inofficiality that it may still retain, it does ship the official ipset including the extensions that once lived in pom-ng (now well-maintained in Xt-a) in a single package. IOW, build Xt-a, get ipset for free. Re recompilation: xtables-addons is a KMP, while pom-ng was/is not. #4: Petr Uzel (puzel) (2009-12-30 14:57:59) (reply to #3) Thanks for clarification, Jan. 
Since you are the expert in this area and openSUSE Factory is open, could you please take care of xtables-addons inclusion into openSUSE? + #5: Jan Engelhardt (jengelh) (2009-12-31 16:48:22) (reply to #4) + Please create new packages so that I can SR into them, or direct-import + them from + home:jengelh:network:utilities/xtables-addons + home:jengelh:network:utilities/xtables-geoip + (Do not mind that they are in network:utilities/. I think that is the + wrong place, but I happened to put it there randomly for a start.) -- openSUSE Feature: https://features.opensuse.org/308441
Feature changed by: Petr Uzel (puzel) Feature #308441, revision 10 Title: Include the xtables-addons package Package Wishlist: Unconfirmed Priority Requester: Desirable Info Provider: Jan Engelhardt (jengelh) Requested by: Don Hughes (dehughes) Description: The distribution currently contains the -j SET target and the -m set extension module for iptables, but not the ipset module needed to create and populate the referenced tables. The ipset module is provided with the xtables-addons package (plus some additional filtering tools). The ipset module ( http://ipset.netfilter.org ) can be very useful in building firewalls for large networks. Creating a firewall black list with just iptables could entail a filter table with a very large number of entries which can have a significant performance impact. ipset can be used to build much more eficient lookup tables, improving performance. (Description modified based on comment #1) Discussion: #1: Jan Engelhardt (jengelh) (2009-12-05 13:23:58) Reword this request: include "xtables-addons" (contains ipset already, and no kernel recompile is needed). SRPM is in http://jftp.medozas.de/. #2: Petr Uzel (puzel) (2009-12-30 12:44:06) (reply to #1) What's the advantage of xtables-addons over official ipset from netfilter team? I don't get the point with kernel recompilation. #3: Jan Engelhardt (jengelh) (2009-12-30 14:16:56) (reply to #2) Xtables-addons is the consensual successor to pom-ng, so decided on the Netfilter Workshop 2008. It's just that... the netfilter.org webpage does not get updated. For all inofficiality that it may still retain, it does ship the official ipset including the extensions that once lived in pom-ng (now well-maintained in Xt-a) in a single package. IOW, build Xt-a, get ipset for free. Re recompilation: xtables-addons is a KMP, while pom-ng was/is not. #4: Petr Uzel (puzel) (2009-12-30 14:57:59) (reply to #3) Thanks for clarification, Jan. 
Since you are the expert in this area and openSUSE Factory is open, could you please take care of xtables-addons inclusion into openSUSE? #5: Jan Engelhardt (jengelh) (2009-12-31 16:48:22) (reply to #4) Please create new packages so that I can SR into them, or direct-import them from home:jengelh:network:utilities/xtables-addons home:jengelh:network:utilities/xtables-geoip (Do not mind that they are in network:utilities/. I think that is the wrong place, but I happened to put it there randomly for a start.) + #6: Petr Uzel (puzel) (2010-01-05 12:09:06) (reply to #5) + I've put the packages in Base:System (not sure this is the correct + place, but iptables are also there, so let's keep these packages + together). I've set you (and myself) as maintainers, so you should be + able to submit directly into the packages. I'd suggest you to issue a + submit request to Factory as you are going to be the package maintainer + - is that OK for you? + Please let me know if there is something I can help you with in regard + to these new packages. Thanks a lot, Jan! -- openSUSE Feature: https://features.opensuse.org/308441
Feature changed by: Petr Uzel (puzel) Feature #308441, revision 12 Title: Include the xtables-addons package - Package Wishlist: Unconfirmed + Package Wishlist: Done Priority Requester: Desirable Info Provider: Jan Engelhardt (jengelh) Requested by: Don Hughes (dehughes) Partner organization: openSUSE.org Description: The distribution currently contains the -j SET target and the -m set extension module for iptables, but not the ipset module needed to create and populate the referenced tables. The ipset module is provided with the xtables-addons package (plus some additional filtering tools). The ipset module ( http://ipset.netfilter.org ) can be very useful in building firewalls for large networks. Creating a firewall black list with just iptables could entail a filter table with a very large number of entries which can have a significant performance impact. ipset can be used to build much more eficient lookup tables, improving performance. (Description modified based on comment #1) Discussion: #1: Jan Engelhardt (jengelh) (2009-12-05 13:23:58) Reword this request: include "xtables-addons" (contains ipset already, and no kernel recompile is needed). SRPM is in http://jftp.medozas.de/. #2: Petr Uzel (puzel) (2009-12-30 12:44:06) (reply to #1) What's the advantage of xtables-addons over official ipset from netfilter team? I don't get the point with kernel recompilation. #3: Jan Engelhardt (jengelh) (2009-12-30 14:16:56) (reply to #2) Xtables-addons is the consensual successor to pom-ng, so decided on the Netfilter Workshop 2008. It's just that... the netfilter.org webpage does not get updated. For all inofficiality that it may still retain, it does ship the official ipset including the extensions that once lived in pom-ng (now well-maintained in Xt-a) in a single package. IOW, build Xt-a, get ipset for free. Re recompilation: xtables-addons is a KMP, while pom-ng was/is not. #4: Petr Uzel (puzel) (2009-12-30 14:57:59) (reply to #3) Thanks for clarification, Jan. 
Since you are the expert in this area and openSUSE Factory is open, could you please take care of xtables-addons inclusion into openSUSE? #5: Jan Engelhardt (jengelh) (2009-12-31 16:48:22) (reply to #4) Please create new packages so that I can SR into them, or direct-import them from home:jengelh:network:utilities/xtables-addons home:jengelh:network:utilities/xtables-geoip (Do not mind that they are in network:utilities/. I think that is the wrong place, but I happened to put it there randomly for a start.) #6: Petr Uzel (puzel) (2010-01-05 12:09:06) (reply to #5) I've put the packages in Base:System (not sure this is the correct place, but iptables are also there, so let's keep these packages together). I've set you (and myself) as maintainers, so you should be able to submit directly into the packages. I'd suggest you to issue a submit request to Factory as you are going to be the package maintainer - is that OK for you? Please let me know if there is something I can help you with in regard to these new packages. Thanks a lot, Jan! -- openSUSE Feature: https://features.opensuse.org/308441
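
Added example, not part of the original thread or of the ipset/xtables-addons projects: the feature description contrasts one iptables rule per blocked address with a single set lookup. The script below turns a block list into input for `ipset restore` plus the one `-m set` rule that references it. The set name `blacklist`, the sample addresses and the use of current ipset/iptables syntax (`hash:net`, `--match-set`) are assumptions.

```shell
#!/bin/sh
# Added example: prints an `ipset restore` stream and the one iptables rule
# that references it. It only prints text; nothing is loaded into the kernel.
SET_NAME="blacklist"   # hypothetical set name

# Constructed sample input (RFC 5737 documentation addresses).
SAMPLE_BLOCKLIST='203.0.113.7
198.51.100.0/24
# comments and blank lines are skipped

192.0.2.15
203.0.113.7
not-an-address
300.1.2.3'

# is_ipv4_entry ENTRY: succeed for a dotted-quad IPv4 address, optional /1../32.
is_ipv4_entry() {
    addr=${1%/*}
    case $1 in */*) plen=${1#*/} ;; *) plen=32 ;; esac
    case $plen in ''|*[!0-9]*) return 1 ;; esac
    [ "$plen" -ge 1 ] && [ "$plen" -le 32 ] || return 1
    case $addr in ''|*[!0-9.]*|*..*|.*|*.) return 1 ;; esac
    old_ifs=$IFS; IFS=.; set -- $addr; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for octet in "$@"; do [ "$octet" -le 255 ] || return 1; done
}

# emit_restore: entries on stdin -> `ipset restore` input on stdout.
# Duplicates are dropped; invalid lines are reported on stderr and skipped.
emit_restore() {
    echo "create $SET_NAME hash:net family inet"
    sort -u | while IFS= read -r line; do
        case $line in ''|'#'*) continue ;; esac
        if is_ipv4_entry "$line"; then
            echo "add $SET_NAME $line"
        else
            echo "skipped invalid entry: $line" >&2
        fi
    done
}

# emit_rule: the single rule that replaces one "-s ADDR -j DROP" rule per entry.
emit_rule() {
    echo "iptables -I INPUT -m set --match-set $SET_NAME src -j DROP"
}

printf '%s\n' "$SAMPLE_BLOCKLIST" | emit_restore
emit_rule
```

The filter table keeps one rule however many entries the set holds; the printed `create`/`add` lines are meant to be reviewed and then piped to `ipset restore` as root.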