# ipset and kernel modules conflict? [SOLVED]

## rsa4046

Trying to emerge ipset, which is (at least as I understand from here) the user utility to manipulate ipsets within the linux kernel. Per Gentoo's IPSet Wiki page, one needs the following in kernel settings:

```
[*] Networking support  --->
    Networking options  --->
    [*] Network packet filtering framework (Netfilter) --->
        <M>  IP set support --->
             Core Netfilter Configuration --->
                <M>  set target and match support
```

I do indeed have IPSET support:

```
# grep CONFIG_IP_SET .config
CONFIG_IP_SET=m
...
CONFIG_IP_SET_HASH_NET=m
```

and target and match support

```
# grep CONFIG_NETFILTER_XT_SET .config
CONFIG_NETFILTER_XT_SET=m
```

and of course the sets I want to apply, in my case:

```
<M>   IP set support  --->
    <M>   hash:net set support
```

So far so good. However, portage complains that the package requires the following:

```
# emerge -va ipset

These are the packages that would be merged, in order:

Calculating dependencies... done!
[ebuild  N     ] net-firewall/ipset-6.24::gentoo  USE="modules" 0 KiB

Total: 1 package (1 new), Size of downloads: 0 KiB

Would you like to merge these packages? [Yes/No] y
>>> Verifying ebuild manifests
>>> Emerging (1 of 1) net-firewall/ipset-6.24::gentoo
 * ipset-6.24.tar.bz2 SHA256 SHA512 WHIRLPOOL size ;-) ...                                                                   [ ok ]
 * Determining the location of the kernel source code
 * Found kernel source directory:
 *     /usr/src/linux
 * Found kernel object directory:
 *     /lib/modules/4.6.4-gentoo/build
 * Found sources for kernel version:
 *     4.6.4-gentoo
 * There is IP{,_NF}_SET or NETFILTER_XT_SET support in your kernel.
 * Please either build ipset with modules USE flag disabled
 * or rebuild kernel without IP_SET support and make sure
 * there is NO kernel ip_set* modules in /lib/modules/<your_kernel>/... .
 * ERROR: net-firewall/ipset-6.24::gentoo failed (setup phase):
 *   USE=modules and in-kernel ipset support detected.
 * 
 * Call stack:
 *           ebuild.sh, line 133:  Called pkg_setup
 *   ipset-6.24.ebuild, line  48:  Called die
 * The specific snippet of code:
 *                              die "USE=modules and in-kernel ipset support detected."
 * 
 * If you need support, post the output of `emerge --info '=net-firewall/ipset-6.24::gentoo'`,
 * the complete build log and the output of `emerge -pqv '=net-firewall/ipset-6.24::gentoo'`.
 * The complete build log is located at '/var/tmp/portage/net-firewall/ipset-6.24/temp/build.log'.
 * The ebuild environment file is located at '/var/tmp/portage/net-firewall/ipset-6.24/temp/die.env'.
 * Working directory: '/usr/lib64/python2.7/site-packages'
 * S: '/var/tmp/portage/net-firewall/ipset-6.24/work/ipset-6.24'
```

In other words, USE=modules and in-kernel ipset support are mutually exclusive. But this seems at odds with the wiki. Can anyone give me some guidance here?
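The check that the ebuild's pkg_setup performs, rebuilt as an added shell example (not code from the thread or from the ipset ebuild itself): it looks for the same CONFIG_IP_SET / CONFIG_IP_NF_SET / CONFIG_NETFILTER_XT_SET symbols and ip_set* modules that the error message names, runs against constructed sample .config files and module trees, and reports whether USE=modules is usable or USE="-modules" is required. The function names and sample files are my own; the symbol and module names come from the emerge output above.

```shell
#!/bin/sh
# Added example: reproduce the ipset ebuild's pkg_setup conflict check
# (symbol and module names taken from the emerge error output).

# kernel_ipset_enabled CONFIG_FILE
# True if any symbol the ebuild tests for is built in (=y) or modular (=m).
kernel_ipset_enabled() {
    grep -Eq '^CONFIG_(IP_SET|IP_NF_SET|NETFILTER_XT_SET)=(y|m)$' "$1"
}

# in_tree_ipset_modules MODULES_DIR
# True if ip_set*.ko (possibly compressed) exists under /lib/modules/<ver>.
in_tree_ipset_modules() {
    [ -d "$1" ] && [ -n "$(find "$1" -name 'ip_set*.ko*' -print -quit 2>/dev/null)" ]
}

# check_ipset_modules_use CONFIG_FILE MODULES_DIR
# Returns 0 when USE=modules is safe, 1 when USE="-modules" is required.
check_ipset_modules_use() {
    if kernel_ipset_enabled "$1" || in_tree_ipset_modules "$2"; then
        echo "in-kernel ipset support found: put 'net-firewall/ipset -modules' in /etc/portage/package.use"
        return 1
    fi
    echo "no in-kernel ipset support: USE=modules is usable"
    return 0
}

# --- constructed sample inputs (not real files from the thread) ---
demo_dir=$(mktemp -d)
# Config like the original poster's: ipset and the xt_set match built as modules.
printf '%s\n' 'CONFIG_NETFILTER=y' 'CONFIG_IP_SET=m' 'CONFIG_IP_SET_HASH_NET=m' \
    'CONFIG_NETFILTER_XT_SET=m' > "$demo_dir/config-with-ipset"
# Config after IP_SET and NETFILTER_XT_SET were removed from the kernel.
printf '%s\n' 'CONFIG_NETFILTER=y' '# CONFIG_IP_SET is not set' \
    '# CONFIG_NETFILTER_XT_SET is not set' > "$demo_dir/config-without-ipset"
# A module tree that still carries a stale ip_set.ko from an earlier build.
mkdir -p "$demo_dir/modules/kernel/net/netfilter/ipset" "$demo_dir/modules-clean"
: > "$demo_dir/modules/kernel/net/netfilter/ipset/ip_set.ko"

check_ipset_modules_use "$demo_dir/config-with-ipset"    "$demo_dir/modules-clean" || true
check_ipset_modules_use "$demo_dir/config-without-ipset" "$demo_dir/modules"       || true
check_ipset_modules_use "$demo_dir/config-without-ipset" "$demo_dir/modules-clean" || true
```

The second case is the one the error message warns about: the .config is clean, but leftover ip_set* modules under the kernel's module directory still trip the check.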

----------

## Syl20

*rsa4046 wrote:*

> ```
>  * Found sources for kernel version:
> ...
> ```

Certainly a dumb question, but is it the right kernel version?

----------

## rsa4046

*Syl20 wrote:*

> *rsa4046 wrote:*
>
> ```
>  * Found sources for kernel version:
> ...
> ```

Hi Syl20, thanks for the reply. I checked this, and upgraded the kernel as well:

```
$ uname -a
Linux dolomit 4.7.0-gentoo #3 SMP PREEMPT Fri Jul 29 16:42:18 CEST 2016 x86_64 Intel(R) Xeon(R) CPU E5-1650 0 @ 3.20GHz GenuineIntel GNU/Linux
```

but with the same complaint by portage.

Next I did as portage insisted, and removed support for IP_SET and NETFILTER_XT_SET and rebuilt the kernel. With this, some progress: the build phase succeeded, but then failed at the install (modules) step.

In the end I just turned off the modules USE flag -- this did succeed:

```
# eix ipset -I
[I] net-firewall/ipset
     Available versions:  6.24 {modules KERNEL="linux"}
     Installed versions:  6.24(05:15:02 PM 07/29/2016)(-modules KERNEL="linux")
     Homepage:            http://ipset.netfilter.org/
     Description:         IPset tool for iptables, successor to ippool
```

I guess I misunderstood how the tool works, in that it handles all ipset functions, whereas I thought its purpose was simply to administer kernel modules. Anyway, I created ipset rules, saved them, started ipset, and then (as described in the wiki) added this set to iptables rules. So it does work; I guess I just confused myself over the details of who was doing what. Solved.

----------

## gordonb3

How about setting USE="-modules" for the ipset package?

----------

## rsa4046

*gordonb3 wrote:*

> How about setting USE="-modules" for the ipset package?

Hi Gordon, thanks for the reply. That's exactly what I did, and indeed this worked just fine. I believe I just misunderstood the functionality of the package itself and the way it interacts with the kernel modules. With

```
net-firewall/ipset -modules
```

in /etc/portage/package.use, ipset installs and works great, really useful. Thanks again--   :Very Happy: 

----------

## gordonb3

Obviously Gentoo is all source. The "problem" with this particular package is that the custom kernel modules made it to mainstream. The logical choice here is to use the modules (or built-ins) from the kernel source, because you are likely to reuse your old config if you are building a new kernel and consequently will not have to rebuild the ipset package when switching kernels. Every now and then I still tend to forget that I need to rebuild other packages when upgrading a kernel, and e.g. the firewall doesn't start because I have an xtables target in my rules that Linus annoyingly keeps refusing to add to the kernel sources. And I've been using that target for some twenty years now!
