Bug 846053 - Values given for ipset from command line grow big
Values given for ipset from command line grow big
Status: CLOSED CURRENTRELEASE
Product: Fedora
Classification: Fedora
Component: ipset (Show other bugs)
17
x86_64 Linux
unspecified Severity medium
: ---
: ---
Assigned To: Mathieu Bridon
Fedora Extras Quality Assurance
:
Depends On:
Blocks:
  Show dependency treegraph
 
Reported: 2012-08-06 12:56 EDT by Ilpo Nyyssonen
Modified: 2012-11-16 02:40 EST (History)
3 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2012-11-16 02:40:48 EST
Type: Bug
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Attachments (Terms of Use)

  None (edit)
Description Ilpo Nyyssonen 2012-08-06 12:56:37 EDT
# ipset list
# ipset create test hash:ip timeout 60
# ipset list
Name: test
Type: hash:ip
Header: family inet hashsize 1024 maxelem 65536 timeout 2290024448 
Size in memory: 16504
References: 0
Members:
#

I would expect that timeout to be a lot smaller.

# ipset list
# ipset create test hash:ip maxelem 16
# ipset list
Name: test
Type: hash:ip
Header: family inet hashsize 1024 maxelem 2659123200 
Size in memory: 16504
References: 0
Members:
#

Shouldn't it be what I gave?

Happens always.

Linux iny.iki.fi 3.4.5-2.fc17.x86_64 #1 SMP Mon Jul 16 20:52:08 UTC 2012 x86_64 x86_64 x86_64 GNU/Linux
ipset-6.11-1.fc17.x86_64
libmnl-1.0.3-1.fc17.x86_64
Comment 1 Mathieu Bridon 2012-08-06 22:59:53 EDT
Thanks for the bug report.

Unfortunately, I don't have access to a Fedora 17 machine, only F16 and Rawhide, so I can't reproduce this bug.

Moreover, on Fedora 16 (which has the exact same version of ipset):
 # ipset list
 # ipset create test hash:ip timeout 60
 # ipset list
 Name: test
 Type: hash:ip
 Header: family inet hashsize 1024 maxelem 65536 timeout 60 
 Size in memory: 16504
 References: 0
 Members:

I'm wondering if that's not a difference in the kernel (ipset is part user-space, part kernel-space). :-/

I'm running a more recent kernel here on Fedora 16:
# uname -a
Linux localhost.localdomain 3.4.6-1.fc16.x86_64 #1 SMP Fri Jul 20 12:58:04 UTC 2012 x86_64 x86_64 x86_64 GNU/Linux

Could you try updating to the latest F17 kernel (3.5.0), and see if the issue is still present?
Comment 2 Ilpo Nyyssonen 2012-08-11 11:55:38 EDT
Linux localhost.localdomain 3.5.1-1.fc17.x86_64 #1 SMP Thu Aug 9 17:50:43 UTC 2012 x86_64 x86_64 x86_64 GNU/Linux

# ipset n test hash:ip maxelem 60
# ipset list
Name: test
Type: hash:ip
Header: family inet hashsize 1024 maxelem 905969664 
Size in memory: 16504
References: 0
Members:
Comment 3 Mathieu Bridon 2012-08-11 12:32:51 EDT
Thanks for the test.

I'm really confused though, I honestly have no idea where this is coming from.

Like I said, I can't reproduce it on Fedora 16, and my only other machine is running Fedora 18 (ipset-6.13, same kernel and libmnl as you), where I can't reproduce the problem either. :-/

I'll see if I can get a Fedora 17 VM running to try it out.
Comment 4 Anthony 2012-09-24 08:19:27 EDT
Fedora 17, kernel 3.5.4-1.fc17.i686.PAE, ipset-6.11-1.fc17.i686
doing the commands

ipset create virtual hash:ip,port,ip
ipset add virtual 10.0.0.1,110,10.0.0.2

Then, I do "ipset list" and see random values of port

Name: virtual
Type: hash:ip,port,ip
Header: family inet hashsize 1024 maxelem 65536 
Size in memory: 8328
References: 0
Members:
10.0.0.1,tcp:9737,10.0.0.2

on some types of ipsets a got a kernel panic when adding a first element to set
Comment 5 Mathieu Bridon 2012-09-26 01:00:20 EDT
So I really have no clue about this problem, I still can't reproduce it.

I just tried building the F18 packages for F17:
    http://bochecha.fedorapeople.org/ipset-rhbz846053/

Could you try them, and see if they fix your problem?
Comment 6 Anthony 2012-09-26 01:18:04 EDT
I try to rebuild i686 from src.rpm, and install on test virtual machine FC17, kernel 3.5.3-1.fc17.i686.PAE and its work fine!!!

Also test on real machine, FC17, kernel 3.5.4-1.fc17.i686.PAE and its work fine.

Tonight I will try to test on x86-64 machine
Comment 7 Mathieu Bridon 2012-09-26 01:45:41 EDT
(In reply to comment #6)
> I try to rebuild i686 from src.rpm,

Oh, sorry, I completely forgot about i686. >_<

> and install on test virtual machine
> FC17, kernel 3.5.3-1.fc17.i686.PAE and its work fine!!!
> 
> Also test on real machine, FC17, kernel 3.5.4-1.fc17.i686.PAE and its work
> fine.

You mean it fixes the problem you reported in comment 4?

That's good, could you also try whether the commands in comment 0 are fixed?

> Tonight I will try to test on x86-64 machine

Thanks.

I have to say I'm a bit worried about updating F17 at this time, as there's an ABI break between 6.11 and 6.13.

But if that's what fixes this bug, and if we can't easily isolate and backport the actual change, I'll do it.
Comment 8 Anthony 2012-09-27 00:47:15 EDT
FC17, kernel 3.5.2-3.fc17.x86_64, works as expected

[root@orion distr]# ipset create virtual hash:ip,port,ip
[root@orion distr]# ipset list
Name: virtual
Type: hash:ip,port,ip
Header: family inet hashsize 1024 maxelem 65536 
Size in memory: 16512
References: 0
Members:
[root@orion distr]# ipset add virtual 10.0.0.1,tcp:22-25,10.0.0.2
[root@orion distr]# ipset list
Name: virtual
Type: hash:ip,port,ip
Header: family inet hashsize 1024 maxelem 65536 
Size in memory: 16704
References: 0
Members:
10.0.0.1,tcp:22,10.0.0.2
10.0.0.1,tcp:24,10.0.0.2
10.0.0.1,tcp:23,10.0.0.2
10.0.0.1,tcp:25,10.0.0.2


"ipset save", "ipset restore" also works, on ipset 6.11 on restore operation I have got eating of all memory(48Gb) and swap(8Gb).
Comment 9 Mathieu Bridon 2012-09-27 01:28:47 EDT
Great!

Can you also try the two commands from the original comment?

  # ipset create test hash:ip timeout 60
  # ipset create test hash:ip maxelem 16

In both cases the values (for timeout and maxelem respectively) were completely wrong, I'd like to make sure this is all fixed before I decide pushing an update.
Comment 10 Anthony 2012-09-27 02:23:31 EDT
FC17, kernel 3.5.2-3.fc17.x86_64

ipset create test hash:ip timeout 60
ipset create test1 hash:ip maxelem 16


Name: test
Type: hash:ip
Header: family inet hashsize 1024 maxelem 65536 timeout 60 
Size in memory: 16504
References: 0
Members:

Name: test1
Type: hash:ip
Header: family inet hashsize 1024 maxelem 16 
Size in memory: 16504
References: 0
Members:
Comment 11 Mathieu Bridon 2012-09-27 02:26:10 EDT
Awesome, thanks a lot for the testing!
Comment 12 Mathieu Bridon 2012-09-27 04:08:42 EDT
So, if I'm updating Fedora 17, I might as well update all the way to the latest upstream release (which is already in F18).

If you have a moment, can you test that these packages still fix this bug:
    http://bochecha.fedorapeople.org/ipset-rhbz846053/

(this time I built both 32 and 64 bits :)
Comment 13 Bill Shirley 2012-11-06 04:18:20 EST
Evidently this fix hasn't been pushed to the repro. The timeout is still wrong:

[root@moses ~]# man uname
[root@moses ~]# uname -r
3.6.3-1.fc17.x86_64
[root@moses ~]# rpm -q ipset
ipset-6.11-1.fc17.x86_64
[root@moses ~]# ipset destroy test
[root@moses ~]# ipset create test hash:ip timeout 60
[root@moses ~]# ipset list test
Name: test
Type: hash:ip
Header: family inet hashsize 1024 maxelem 65536 timeout 4294967 
Size in memory: 16504
References: 0
Members:

Is the fix ready for prime-time?

Bill
Comment 14 Mathieu Bridon 2012-11-06 04:27:13 EST
(In reply to comment #13)
> Evidently this fix hasn't been pushed to the repro.

Of course it hasn't.

My last comment asked people to help me try a package with the fix, because I can't reproduce it myself.
Comment 15 Bill Shirley 2012-11-06 05:01:06 EST
(In reply to comment #14)
> (In reply to comment #13)
> > Evidently this fix hasn't been pushed to the repro.
> 
> Of course it hasn't.
> 
> My last comment asked people to help me try a package with the fix, because
> I can't reproduce it myself.

My apologies, I was assuming this had been confirmed.

This works for me:
[root@moses rpms]# uname -r
3.6.3-1.fc17.x86_64
[root@moses rpms]# rpm -q ipset
ipset-6.14-1.fc17.x86_64
[root@moses rpms]# ipset destroy test
[root@moses rpms]# ipset create test hash:ip timeout 60
[root@moses rpms]# ipset list test
Name: test
Type: hash:ip
Revision: 0
Header: family inet hashsize 1024 maxelem 65536 timeout 60 
Size in memory: 16504
References: 0
Members:

Thanks for fixing this,
Bill
Comment 16 Fedora Update System 2012-11-07 04:57:55 EST
ipset-6.14-1.fc17 has been submitted as an update for Fedora 17.
https://admin.fedoraproject.org/updates/ipset-6.14-1.fc17
Comment 17 Fedora Update System 2012-11-07 20:55:53 EST
Package ipset-6.14-1.fc17:
* should fix your issue,
* was pushed to the Fedora 17 testing repository,
* should be available at your local mirror within two days.
Update it with:
# su -c 'yum update --enablerepo=updates-testing ipset-6.14-1.fc17'
as soon as you are able to.
Please go to the following url:
https://admin.fedoraproject.org/updates/FEDORA-2012-17768/ipset-6.14-1.fc17
then log in and leave karma (feedback).
Comment 18 Fedora Update System 2012-11-16 02:40:49 EST
ipset-6.14-1.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.

Note You need to log in before you can comment on or make changes to this bug.