RedHat has "fixed" this issue now... but as I explain there in comment 36, I don't think it's a real fix.
The key missing point, IMHO, is functionality in ipset to atomically replace the existing sets with new sets (the atomicity is crucial here for security reasons)... AND... that it is checked whether this replacement would actually work or not (based on how iptables/netfilter already uses any existing/old sets). In other words, I want for ipset what iptables-restore does for iptables.

This is also the reason why my own tries to implement this in a script have come to an end, since I think kernel support is needed for the whole functionality.

Maybe we should add a bug asking for such functionality at the ipset package and have this bug blocked on that bug.

Cheers,
Chris.
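For readers who have not met the per-set mechanism ipset does offer, the following is an added example (not from the comment above, nor from Red Hat or the ipset project) of the usual create-temporary-set / fill / swap / destroy pattern, emitted as input for `ipset restore`. The `swap` command exchanges two sets of compatible type in one kernel operation, so iptables rules that reference the live set by name never see a half-filled set. It covers one set at a time and performs no check that the new set is still usable by the existing iptables rules, which is the whole-configuration, validated replacement the comment asks for. The set name, set type and member addresses are constructed sample values.

```shell
#!/bin/sh
# Added example: generate an "ipset restore" script that replaces the contents
# of one live set through a temporary set and an atomic swap.
# The set name, type and members below are constructed sample values.

# gen_swap_script NAME SETTYPE MEMBER...
# Prints restore-format commands on stdout; applying them is left to the caller.
gen_swap_script() {
    name=$1
    settype=$2
    shift 2
    tmp="${name}_tmp"

    # Both sets must exist and be of the same type, otherwise "swap" is refused.
    # Feed the result to "ipset -exist restore" so these creates are no-ops
    # when the live set is already present.
    echo "create ${name} ${settype}"
    echo "create ${tmp} ${settype}"
    echo "flush ${tmp}"

    # Populate the temporary set; the live set stays untouched meanwhile.
    for member in "$@"; do
        echo "add ${tmp} ${member}"
    done

    # One kernel operation: rules referencing NAME now see the new contents.
    echo "swap ${tmp} ${name}"
    # The old contents now live under the temporary name; drop them.
    echo "destroy ${tmp}"
}

# Demonstration with constructed values; prints the restore script only.
gen_swap_script blocklist hash:ip 192.0.2.1 192.0.2.2 192.0.2.3
```

Typical use is `gen_swap_script blocklist hash:ip ... | ipset -exist restore`. Note that `swap` requires both sets to be of compatible type, so changing a set's type still needs a separate step and a check that the iptables rules which reference the set remain valid; that check is exactly what the comment above says is missing.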