I've just started experimenting with ipset under CentOS 6, and have found what appears to be a bug (or poor design) in the init scripts for ipset, /etc/rc.d/init.d/ipset.
In stop(), save() and status(), it does lsmod to check for the existence of the ip_set module. If the module is not found, it exits without performing any action.
This doesn't take account of a kernel where the ip_set code is compiled in instead of being a loadable module. An example would be my CentOS 6 virtual machine at Linode. It has a Linode-compiled kernel 4.1.0 with no separately-loaded modules. It certainly supports ipset, as I have successfully tried some test rules. However, I wondered why giving the command "service ipset save" didn't result in /etc/sysconfig/ipset being written, and discovered the cause I described above.
Surely there should be a better way of determining whether the kernel includes ipset support than just looking for a module?
Cheers,
Tony
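A support check that does not assume ip_set is a loadable module, added here as an example and not taken from the thread or from the CentOS init script. It reads the same source lsmod reads (/proc/modules) first, then falls back to /proc/kallsyms, where code built into the kernel appears without the "[ip_set]" module tag, and finally asks the kernel through the ipset tool; the file paths are parameters so the function can be exercised against constructed fixtures, and the symbol name ip_set_get_byname is assumed to be the exported one from ip_set_core.

```shell
# ipset_kernel_support [modules_file] [kallsyms_file]
# Prints how support was found (module / builtin / tool) and returns 0,
# or returns 1 when no ipset support could be detected.
ipset_kernel_support() {
    modules_file="${1:-/proc/modules}"   # what lsmod reads
    kallsyms="${2:-/proc/kallsyms}"      # lists built-in symbols too

    # 1. The original script's only check: ip_set loaded as a module.
    if [ -r "$modules_file" ] && grep -q '^ip_set ' "$modules_file"; then
        echo module
        return 0
    fi

    # 2. Built into the kernel: the symbol is present with no trailing
    #    "[ip_set]" tag (module symbols carry that tag after a tab).
    #    ip_set_get_byname is assumed to be an exported ip_set_core symbol.
    if [ -r "$kallsyms" ] && grep -Eq ' [Tt] ip_set_get_byname$' "$kallsyms"; then
        echo builtin
        return 0
    fi

    # 3. Last resort on a live system: listing set names needs the kernel's
    #    ip_set netlink interface and fails cleanly when it is absent.
    if command -v ipset >/dev/null 2>&1 && ipset list -n >/dev/null 2>&1; then
        echo tool
        return 0
    fi
    return 1
}

# Constructed fixtures (not real system files) standing in for the two
# kernels described in the thread plus one without ipset at all.
write_fixtures() {
    dir="$1"
    # loadable-module kernel: lsmod would list ip_set
    printf 'ip_set 36543 0 - Live 0xffffffffa0123000\n' > "$dir/modules.loaded"
    printf 'ffffffffa0123400 T ip_set_get_byname\t[ip_set]\n' > "$dir/kallsyms.loaded"
    # Linode-style kernel: nothing for lsmod to show, symbol built in
    : > "$dir/modules.builtin"
    printf 'ffffffff81abc000 T ip_set_get_byname\n' > "$dir/kallsyms.builtin"
    # kernel with no ipset support
    : > "$dir/modules.none"
    printf 'ffffffff81000000 T start_kernel\n' > "$dir/kallsyms.none"
}
```

Calling `ipset_kernel_support` with no arguments runs the same three checks against the live /proc files, which is the form an init script's stop(), save() and status() would use.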
On Thu, Sep 24, 2015 at 02:43:42PM +0000, Tony Mountifield wrote:
> I've just started experimenting with ipset under CentOS 6, and have found what appears to be a bug (or poor design) in the init scripts for ipset, /etc/rc.d/init.d/ipset.
I suggest filing a bug against RHEL6 in https://bugzilla.redhat.com/ if you think it needs to be fixed. CentOS just rebuilds the RHEL sources.