-This is the ipset source tree. Follow the next steps to install ipset:
+This is the ipset source tree. Follow the next steps to install ipset.
+If you upgrade from an earlier 5.x release, please read the UPGRADE
+instructions too.
-0. You need the source tree of your kernel (version >= 2.6.31)
- and it have to be configured (with ip6tables support), modules compiled.
- Please apply the netlink.patch against your kernel tree
- (with kernel <= 2.6.31.1 please use the patch netlink.patch-2.6.31.1).
+0. You need the source tree of your kernel (version >= 2.6.32)
+ and it have to be configured with ip6tables support enabled,
+ modules compiled. For kernel versions < 2.6.39 please apply
+ the netlink.patch against your kernel tree, which adds the
+ new subsystem identifier for ipset.
- Recompile and install the patched kernel and its modules.
+ Recompile and install the patched kernel and its modules. Please note,
+ you have to run the patched kernel for ipset to work.
The ipset source code depends on the libmnl library so the library
- must be installed.
+ must be installed. You can download the libmnl library from
+
+ git://git.netfilter.org/libmnl.git
1. Initialize the compiling environment for ipset. The packages automake,
- autoconf and libtool are required.
+ autoconf, pkg-config and libtool are required.
% ./autogen.sh
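Review bot: In step 0 the added sentence "Please note, you have to run the patched kernel for ipset to work." is unconditional, while the lines just above it limit netlink.patch to kernel versions < 2.6.39. A reader on 2.6.39 or later cannot tell from this text whether any rebuild is needed. Suggest scoping it, for example "If you applied netlink.patch, recompile and install the patched kernel and its modules, and boot into it before using ipset." In the same step, the libmnl pointer is a bare git:// URL with no tag or minimum version. That transport is neither authenticated nor integrity-protected, so for a build dependency it would be better to state the libmnl version ipset requires and point to a release that can be verified.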
Configure parameters can be used to to override the default path
to the kernel source tree (/lib/modules/`uname -r`/build),
- the maximum number of sets (256), the default hash sizes (1024)
- or disable the extra compiler warning flags if your compiler
- does not support all of them. See `./configure --help`.
+ the maximum number of sets (256), the default hash sizes (1024).
+ See `./configure --help`.
% ./configure
% make
Read the ipset(8) and iptables(8), ip6tables(8) manpages on how to use
ipset and its match and target from iptables.
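Review bot: The rewritten configure paragraph lost the conjunction before its last list item: it now reads "the maximum number of sets (256), the default hash sizes (1024)." and should read "and the default hash sizes (1024)". The unchanged first line of that paragraph still contains the doubled "to to", which could be fixed while the paragraph is being touched. The change also drops the sentence about disabling the extra compiler warning flags. If that configure option still exists, keep a short mention of it, since `./configure --help` is the only remaining pointer.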
+
+Compatibilities and incompatibilities:
+
+- The ipset 6.x userspace utility contains a backward compatibility
+ interface to support the commandline syntax of ipset 4.x.
+ The commandline syntax of ipset 6.x is fully compatible with 5.x.
+- The ipset 6.x userspace utility can't talk to the kernel part of ipset 5.x
+ or 4.x.
+- The ipset 6.x kernel part can't talk to the userspace utility from
+ ipset 5.x or 4.x.
+- The ipset 6.x kernel part can work together with the set match and SET
+ target from iptables 1.4.7 and below, however if you need the IPv6 support
+ from ipset 6.x, then you have to use iptables 1.4.9 or above.
+
+The ipset 6.x can interpret the commandline syntax of ipset 4.x, however
+some internal changes mean different behaviour:
+
+- The "--matchunset" flag for the macipmap type is ignored and not used
+ anymore.
+- The "--probes" and "--resize" parameters of the hash types are ignored
+ and not used anymore.
+- The "--from", "--to" and "--network" parameters of the ipporthash,
+ ipportiphash and ipportnethash types are ignored and not used anymore.
+- The hash types are not resized when new entries are added by the SET
+ target. If you use a set together with the SET target, create it with
+ the proper size because it won't be resized automatically.
+- The iptree, iptreemap types are not implemented in ipset 6.x. The types
+ are automatically substituted with the hash:ip type.
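Review bot: The second list in the compatibility section says that "--matchunset", "--probes", "--resize", "--from", "--to" and "--network" are "ignored and not used anymore" and that iptree and iptreemap are "automatically substituted with the hash:ip type", but it does not say whether the utility prints a warning when it does so. For firewall scripts carried over from 4.x this matters: a script that runs without error while its sets match or store entries differently is hard to notice. Suggest stating explicitly whether the ignore and the substitution are silent, and, for the SET target item, what happens to an add once the set has reached the size it was created with. The opening paragraph also points 5.x users to the UPGRADE instructions while this section is mostly about 4.x, so a pointer for 4.x users to this section would help.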