FS#54708 - [ipset] Add option '-exist' for ipset restore commands in ipset.service

Attached to Project: Arch Linux
Opened by Indrajit Raychaudhuri (indrajitr) - Wednesday, 05 July 2017, 19:12 GMT
Last edited by Sébastien Luttringer (seblu) - Saturday, 08 July 2017, 13:47 GMT
Task Type Bug Report
Category Packages: Extra
Status Closed
Assigned To Sébastien Luttringer (seblu)
Architecture All
Severity Low
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 0
Private No

Details

Description:

ipset restore command in ipset.service fails when 'systemctl reload ipset.service' is executed multiple times with the following error:

ipset v6.32: Error in line 2: Set cannot be created: set with the same name already exists

Additional info:
* package version(s): ipset 6.32-1

Steps to reproduce:

1. Create a standard '/etc/ipset.conf' with the following minimal content:

```
flush
create bogon hash:net family inet hashsize 1024 maxelem 65536 comment
add bogon 224.0.0.0/3
add bogon 0.0.0.0/8
add bogon 169.254.0.0/16
```

2. Execute 'systemctl reload ipset.service' multiple times. The command would fail after the first time with the following error:

ipset v6.32: Error in line 2: Set cannot be created: set with the same name already exists.

Possible solution:

This can be fixed by adjusting the 'ExecReload=' value to include the '-exist' option. It might also be useful to adjust the 'ExecStart=' value as well.

Thus we can have the following in ipset.service:

```
ExecStart=/usr/bin/ipset -exist -f /etc/ipset.conf restore
ExecReload=/usr/bin/ipset -exist -f /etc/ipset.conf restore
```

Closed by  Sébastien Luttringer (seblu)
Saturday, 08 July 2017, 13:47 GMT
Reason for closing:  Not a bug
Comment by Indrajit Raychaudhuri (indrajitr) - Friday, 07 July 2017, 16:25 GMT
Additional notes:

'ExecStop' also needs to be prefixed with '-' so that a non-zero exit code is ignored and the execution is marked successful.
This is necessary because the operation 'ipset destroy' would fail when iptables is active and has references to the IP sets.

So ipset.service should contain the following:

```
[Service]
ExecStart=/usr/bin/ipset -exist -f /etc/ipset.conf restore
ExecReload=/usr/bin/ipset -exist -f /etc/ipset.conf restore
ExecStop=-/usr/bin/ipset destroy
```
Comment by Sébastien Luttringer (seblu) - Saturday, 08 July 2017, 12:15 GMT
If you want to use reload instead of restart, you should handle -exist in your ipset.conf and be sure that you don't have deleted elements.
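The maintainer's reply points at the other place the flag can live: instead of (or in addition to) passing '-exist' on the ExecReload= command line as the report proposes, each 'create' and 'add' line of /etc/ipset.conf can carry it, so a plain 'ipset restore' of the file becomes repeatable. The script below is an added example, not code from the report, the Arch package or the ipset project; it rewrites a restore file in that way with awk and leaves 'flush', 'destroy', comments and blank lines alone. It assumes, as the reply implies, that ipset accepts '-exist' (or its short form '-!') as a per-line option in restore input; the sample file is the report's own minimal ipset.conf, embedded here as constructed input.

```shell
#!/bin/sh
# Added example (not from the bug report or the Arch ipset package).
# make_reload_safe: read an ipset restore file on stdin and write a copy on
# stdout in which every 'create' and 'add' line ends with -exist, so that a
# second 'ipset restore' of the file does not fail with
# "Set cannot be created: set with the same name already exists".
# Assumption: ipset honours -exist / -! as a per-line option in restore input.
make_reload_safe() {
    awk '
        # Comments and blank lines pass through untouched.
        /^[[:space:]]*(#|$)/ { print; next }
        # create/add lines get -exist appended unless the line already has
        # -exist or its short form -! (keeps the rewrite idempotent).
        ($1 == "create" || $1 == "add") && !/(^|[[:space:]])-(exist|!)([[:space:]]|$)/ {
            print $0 " -exist"; next
        }
        # Everything else (flush, destroy, ...) is left as is.
        { print }
    '
}

# Constructed sample: the minimal /etc/ipset.conf from the report.
SAMPLE_CONF='flush
create bogon hash:net family inet hashsize 1024 maxelem 65536 comment
add bogon 224.0.0.0/3
add bogon 0.0.0.0/8
add bogon 169.254.0.0/16'

# Stand-alone demo: print the reload-safe version of the sample file.
# In practice: make_reload_safe < /etc/ipset.conf > /etc/ipset.conf.new
demo() {
    printf '%s\n' "$SAMPLE_CONF" | make_reload_safe
}

demo
```

Two caveats worth keeping in mind. The report's file opens with 'flush', which empties the existing sets before the 'add' lines repopulate them, so entries deleted from the file do disappear on reload; without that 'flush' the maintainer's warning applies and stale entries survive. And '-exist' only silences the error for a set that is created with exactly the same type and parameters as the existing one; if a set's type or parameters change, restore still fails and the old set has to be destroyed first, which the report notes cannot happen while iptables still references it.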
