Cause: the `regexp` used in the `ipset` service script to read existing set configuration entries and load them with `ipset add` did not take into account that the bytes and packets statistics attached to configured entries are not valid input for `ipset add`.
Consequence: IP sets configured to store counters statistics could not be reloaded after being saved.
Fix: the `ipset` service script has been reworked so that single entries are no longer handled explicitly, and hence are not passed to `ipset add`; instead, full sets are configured at once via `ipset restore`.
Result: bytes and packets statistics specified in set entries are no longer passed to `ipset add` but to `ipset restore`, which does not refuse to create entries carrying that specification. It is now possible to properly restore sets configured to store match counters.
Created attachment 1338798: fix
Description of problem:
When running "systemctl start ipset" the following is logged in the journal when some unwanted entries exist in /etc/sysconfig/ipset:
Oct 15 12:04:18 th-dev-pkgbuilder.priv.tgho.nl systemd[1]: Starting IP sets for iptables...
Oct 15 12:04:18 th-dev-pkgbuilder.priv.tgho.nl ipset.start-stop[3927]: ipset v6.29: Unknown argument: `packets'
Oct 15 12:04:18 th-dev-pkgbuilder.priv.tgho.nl ipset.start-stop[3927]: Try `ipset help' for more information.
Oct 15 12:04:18 th-dev-pkgbuilder.priv.tgho.nl systemd[1]: Started IP sets for iptables.
Version-Release number of selected component (if applicable):
ipset-service-6.29-1.el7.noarch
How reproducible:
100%
Steps to Reproduce:
1. ipset create TESTIPSET hash:ip family inet counters
2. ipset restore > /etc/sysconfig/ipset
3. systemctl stop ipset
4. ipset restore < /etc/sysconfig/ipset
5. ipset add TESTIPSET 1.2.3.4
6. systemctl start ipset
Actual results:
No ipset error
Expected results:
Ipset error
Additional info:
The issue is caused by "ipset del" not accepting packets options like "ipset add" does. The fix is simple:
[root@th-dev-pkgbuilder ~]# diff -ruN /tmp/ipset.start-stop /usr/libexec/ipset/ipset.start-stop
--- /tmp/ipset.start-stop 2017-10-15 12:09:40.112499981 +0200
+++ /usr/libexec/ipset/ipset.start-stop 2017-10-15 12:13:11.638847017 +0200
@@ -78,7 +78,7 @@
# Now delete the set members no longer required
${IPSET_BIN} save | grep "^add " | sort >${TMP_FIFO} &
- grep "^add " ${IPSET_DATA} | sort | comm -23 ${TMP_FIFO} - | sed -e "s/^add /del /" \
+ grep "^add " ${IPSET_DATA} | sort | comm -23 ${TMP_FIFO} - | sed 's/\(add \+\)\([^ ]\+ \+\)\([^ ]\+\)\( .*$\)/del \2\3/' \
| ${IPSET_BIN} restore -!
# At last we can add the set members we haven't got
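Review bot: the new sed pattern only matches lines that carry at least one field after the member, because the trailing group `\( .*$\)` requires a literal space; a stale member saved without options, e.g. `add TESTIPSET 1.2.3.4`, is therefore left as an `add` line and fed to `${IPSET_BIN} restore -!` instead of being deleted, a case the replaced `s/^add /del /` did handle. Making the trailing part optional (`\(.*\)$` instead of `\( .*$\)`) closes that gap. Separately, `comm -23` still compares full lines including the `packets N bytes M` fields, so a member present both in the kernel and in ${IPSET_DATA} whose counters have moved since the file was written is reported as stale and deleted (and then presumably re-added by the step that follows, with its counters reset); stripping the counter fields from both inputs before `sort`/`comm` avoids that.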
[root@th-dev-pkgbuilder ~]#
This assumes that no spaces are in any of the arguments of "ipset del".
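The line rewrite the patch performs, as an added shell example that is neither the bug reporter's patch nor the ipset service script: it normalises `add` lines to `add SET ENTRY` before the comparison, derives the `del` lines from that, and also covers members saved without any options. The set contents are constructed sample data standing in for `ipset save` output and /etc/sysconfig/ipset; `member_key`, `to_del_lines`, `stale_members` and `demo` are names chosen here, and set names and entries are assumed to contain no spaces, as in the patch.

```shell
#!/bin/sh
# Added example, not the ipset service script from the bug report.
# Shows the step the patch changes: turning "add" lines from `ipset save`
# into "del" lines that `ipset restore` accepts, and computing stale
# members without being confused by per-entry counter values.
# Assumption: set names and entries contain no spaces (as in the patch).

# Byte-order collation so that sort and comm agree on ordering.
LC_ALL=C; export LC_ALL

# member_key: normalise "add SET ENTRY [options...]" to "add SET ENTRY",
# dropping "packets N bytes M" and any other per-entry options that
# `ipset del` rejects. Lines that are not "add" lines (e.g. "create ...")
# are dropped by -n/p. Entries with no options at all match too, since
# the trailing ".*" may be empty.
member_key() {
    sed -n 's/^add[[:space:]]\{1,\}\([^[:space:]]\{1,\}\)[[:space:]]\{1,\}\([^[:space:]]\{1,\}\).*$/add \1 \2/p'
}

# to_del_lines: the rewrite the patch performs, applied to stdin.
to_del_lines() {
    member_key | sed 's/^add /del /'
}

# stale_members CURRENT DATA: members in the live state (CURRENT, as
# produced by `ipset save`) that are absent from the saved file (DATA),
# printed as "del SET ENTRY" lines suitable for `ipset restore`.
# Counters are stripped from both sides before comparing, so a member
# whose counters moved since the save is not mistaken for a stale one.
stale_members() {
    cur_tmp=$(mktemp) || return 1
    dat_tmp=$(mktemp) || { rm -f "$cur_tmp"; return 1; }
    member_key <"$1" | sort >"$cur_tmp"
    member_key <"$2" | sort >"$dat_tmp"
    comm -23 "$cur_tmp" "$dat_tmp" | sed 's/^add /del /'
    rm -f "$cur_tmp" "$dat_tmp"
}

# demo: constructed sample data. 1.2.3.4 exists on both sides but its
# counters differ; 10.0.0.1 was added to the kernel after the save and is
# the only member that must be deleted; 192.0.2.7 is only in the file.
demo() {
    cur_file=$(mktemp) || return 1
    dat_file=$(mktemp) || { rm -f "$cur_file"; return 1; }
    cat >"$cur_file" <<'EOF'
create TESTIPSET hash:ip family inet hashsize 1024 maxelem 65536 counters
add TESTIPSET 1.2.3.4 packets 12 bytes 960
add TESTIPSET 10.0.0.1
EOF
    cat >"$dat_file" <<'EOF'
create TESTIPSET hash:ip family inet hashsize 1024 maxelem 65536 counters
add TESTIPSET 1.2.3.4 packets 0 bytes 0
add TESTIPSET 192.0.2.7 packets 0 bytes 0
EOF
    stale_members "$cur_file" "$dat_file"
    rm -f "$cur_file" "$dat_file"
}

# Prints the single "del" line the service would feed to `ipset restore -!`.
demo
```

With the sample data above, `demo` prints only `del TESTIPSET 10.0.0.1`; the entry whose counters changed is left alone, and the line for 10.0.0.1, which carries no options, is still converted to a `del` line.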
Since the problem described in this bug report should be
resolved in a recent advisory, it has been closed with a
resolution of ERRATA.
For information on the advisory, and where to find the updated
files, follow the link below.
If the solution does not work for you, open a new bug report.
https://access.redhat.com/errata/RHBA-2018:3167