Bug 1037660

Summary: ipset doesn't refresh the timeout for an existing entry when the table is FULL.
Product: [Fedora] Fedora Reporter: Account closed by the user <b38617>
Component: ipsetAssignee: Mathieu Bridon <bochecha>
Status: CLOSED UPSTREAM QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: unspecified Docs Contact:
Priority: unspecified    
Version: 19CC: bochecha, joseluis.gms, twoerner
Target Milestone: ---   
Target Release: ---   
Hardware: x86_64   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2014-09-23 20:55:31 UTC Type: Bug
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:

Description Account closed by the user 2013-12-03 15:00:07 UTC 
ipset doesn't refresh timeout for an existing entry when the table is FULL.

- Version-Release number of selected component:

kernel: 3.11.9-200.fc19.x86_64 and 3.11.10-200.fc19.x86_64
ipset: v6.16.1 and v6.20.1


- Steps to Reproduce:

# ipset create http hash:ip timeout 0 maxelem 5
# ipset add http 192.168.0.1
# ipset add http 192.168.0.2
# ipset add http 192.168.0.3
# ipset add http 192.168.0.4
# ipset list
Name: http
Type: hash:ip
Revision: 1
Header: family inet hashsize 1024 maxelem 5 timeout 0
Size in memory: 16784
References: 0
Members:
192.168.0.3 timeout 0
192.168.0.4 timeout 0
192.168.0.1 timeout 0
192.168.0.2 timeout 0
# ipset add http 192.168.0.5 -exist timeout 60
(wait)# ipset list
Name: http
Type: hash:ip
Revision: 1
Header: family inet hashsize 1024 maxelem 5 timeout 0
Size in memory: 16848
References: 0
Members:
192.168.0.3 timeout 0
192.168.0.4 timeout 0
192.168.0.5 timeout 41
192.168.0.1 timeout 0
192.168.0.2 timeout 0
# ipset add http 192.168.0.5 -exist timeout 60
ipset v6.20.1: Hash is full, cannot add more elements
# ipset list
Name: http
Type: hash:ip
Revision: 1
Header: family inet hashsize 1024 maxelem 5 timeout 0
Size in memory: 16848
References: 0
Members:
192.168.0.3 timeout 0
192.168.0.4 timeout 0
192.168.0.5 timeout 21  <<<<---- It should be 60.
192.168.0.1 timeout 0
192.168.0.2 timeout 0


It works flawlessly when the tables is not full.

# ipset del http 192.168.0.4
# ipset add http 192.168.0.5 -exist timeout 60
(wait)# ipset list
Name: http
Type: hash:ip
Revision: 1
Header: family inet hashsize 1024 maxelem 5 timeout 0
Size in memory: 16848
References: 0
Members:
192.168.0.3 timeout 0
192.168.0.5 timeout 38
192.168.0.1 timeout 0
192.168.0.2 timeout 0
# ipset add http 192.168.0.5 -exist timeout 60
# ipset list
Name: http
Type: hash:ip
Revision: 1
Header: family inet hashsize 1024 maxelem 5 timeout 0
Size in memory: 16848
References: 0
Members:
192.168.0.3 timeout 0
192.168.0.5 timeout 59    <<<<<----- OK
192.168.0.1 timeout 0
192.168.0.2 timeout 0
Comment 1 Mathieu Bridon 2013-12-04 03:48:32 UTC 
Thanks for the bug report.

You say it is reproducible with ipset 6.20.1, did you try that on F19 as well?
Comment 2 Account closed by the user 2013-12-04 11:57:03 UTC 
(In reply to Mathieu Bridon from comment #1)
> Thanks for the bug report.
> 
> You say it is reproducible with ipset 6.20.1, did you try that on F19 as
> well?

Yes, it happens in a fresh install of fedora 19.

thank you.
Comment 3 Mathieu Bridon 2013-12-04 14:48:28 UTC 
(In reply to Xose Vazquez Perez from comment #2)
> (In reply to Mathieu Bridon from comment #1)
> > Thanks for the bug report.
> > 
> > You say it is reproducible with ipset 6.20.1, did you try that on F19 as
> > well?
> 
> Yes, it happens in a fresh install of fedora 19.

Now I'm confused, because Fedora 19 doesn't have ipset 6.20.1

Did you try installing the Fedora 20 package on Fedora 19?

----------

Anyway, I can reproduce it on Fedora 20 as well:
kernel-3.11.9-300.fc20.x86_64
ipset-6.20.1-1.fc20.x86_64

I just now see that you've already opened a bug report for that. I was about to do it, so thanks a lot for being proactive here. :)

Let's see what upstream says.
Comment 4 Account closed by the user 2013-12-05 15:33:33 UTC 
(In reply to Mathieu Bridon from comment #3)

> Now I'm confused, because Fedora 19 doesn't have ipset 6.20.1

That's right. But...
 
> Did you try installing the Fedora 20 package on Fedora 19?

... I did rebuild also http://kojipkgs.fedoraproject.org//packages/ipset/6.20.1/1.fc21/src/ipset-6.20.1-1.fc21.src.rpm on F19.

> I just now see that you've already opened a bug report for that. I was about
> to do it, so thanks a lot for being proactive here. :)
> 
> Let's see what upstream says.

just waiting...
Comment 5 Account closed by the user 2014-09-18 19:28:24 UTC 
It still happens with:

kernel 3.16.3-200.fc20.x86_64
ipset v6.22, protocol version: 6 (ipset-6.22-1.fc20.x86_64)
Comment 6 Account closed by the user 2014-09-23 20:55:31 UTC 
Fixed upstream. It was in the kernel side: http://git.netfilter.org/ipset/commit/?id=d5927a73000ca784623feeab2b73facbd7fca3b0

-thanks-