ipset enabled fails to restore /etc/ipset.conf

Description:

ipset save does not save the ipsets in a format that can be loaded by systemd with ipset enabled. Instead, ipset save currently saves in the same format as ipset list. This was investigated on the forum under the same name: ipset enabled fails to restore /etc/ipset.conf

Additional info:

  • package version(s): ipset 7.20-1
  • config and/or log files: (snippets from ipset save > /etc/ipset.conf below)
  • link to upstream bug report, if any: unknown

Steps to reproduce:

  1. Configure ipset per the Archlinux wiki and save your ipsets with ipset save > /etc/ipset.conf
  2. Attempt to restart iptables (or reboot)
  3. ipset will fail attempting to load the saved /etc/ipset.conf with the following:
18:02 valkyrie:~> systemctl status ipset
× ipset.service - Loading IP Sets
     Loaded: loaded (/usr/lib/systemd/system/ipset.service; enabled; preset: disabled)
     Active: failed (Result: exit-code) since Wed 2024-04-10 17:06:05 CDT; 56min ago
    Process: 1399 ExecStart=/usr/bin/ipset -f /etc/ipset.conf restore (code=exited, status=2)
   Main PID: 1399 (code=exited, status=2)
        CPU: 3ms

Apr 10 17:06:05 valkyrie systemd[1]: Starting Loading IP Sets...
Apr 10 17:06:05 valkyrie ipset[1399]: ipset v7.20: No command specified: unknown argument Name:
Apr 10 17:06:05 valkyrie ipset[1399]: Try `ipset help' for more information.
Apr 10 17:06:05 valkyrie systemd[1]: ipset.service: Main process exited, code=exited, status=2/INVALIDARGUMENT
Apr 10 17:06:05 valkyrie systemd[1]: ipset.service: Failed with result 'exit-code'.
Apr 10 17:06:05 valkyrie systemd[1]: Failed to start Loading IP Sets.

(ipset restore results in the same error)

The snippets from the /etc/ipset.conf resulting from ipset save > /etc/ipset.conf are provided below; they are in the format of ipset list, not ipset save, which is what causes the failure, e.g.

# cat /etc/ipset.conf
Name: blocklist
Type: hash:net
Revision: 7
Header: family inet hashsize 1024 maxelem 65536 bucketsize 12 initval 0xf3661058
Size in memory: 8856
References: 0
Number of entries: 194
Members:
167.94.138.0/24
199.45.154.0/23
43.130.0.0/18
43.129.192.0/18
43.157.32.0/24
<snip>

Name: whitelist
Type: hash:ip
Revision: 6
Header: family inet hashsize 1024 maxelem 65536 bucketsize 12 initval 0xfa0e1f24
Size in memory: 1816
References: 0
Number of entries: 42
Members:
212.187.231.66
93.93.130.214
151.101.129.91
91.193.113.65
87.238.57.227
93.93.130.133
<snip>

Name: whitelistnet
Type: hash:net
Revision: 7
Header: family inet hashsize 1024 maxelem 65536 bucketsize 12 initval 0xc9e0aa3d
Size in memory: 504
References: 0
Number of entries: 1
Members:
151.101.129.0/24

-thc looked into this in the forum thread and came up with the command ipset -o save save > /etc/ipset.conf, which DOES work and saves the sets in a format that systemd will load on reboot. However, he is also of the mind that this is indeed a bug that needs looking into.
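A small shell check and converter, added here as an example and not part of this report or of the ipset project: it tells whether an /etc/ipset.conf is in the list-style layout shown above or in the create/add layout that ipset restore accepts, and rewrites the former into the latter (the same shape ipset -o save save produces). The sample file contents are constructed from the report's snippets, and the function names ipset_conf_format and ipset_list_to_save are assumptions.

```shell
#!/bin/sh
# Added example (not from the bug report or the ipset project).

# Constructed sample in the broken "ipset list" layout, modelled on the report.
SAMPLE_LIST_CONF='Name: blocklist
Type: hash:net
Revision: 7
Header: family inet hashsize 1024 maxelem 65536 bucketsize 12 initval 0xf3661058
Size in memory: 8856
References: 0
Number of entries: 2
Members:
167.94.138.0/24
199.45.154.0/23

Name: whitelist
Type: hash:ip
Revision: 6
Header: family inet hashsize 1024 maxelem 65536 bucketsize 12 initval 0xfa0e1f24
Size in memory: 1816
References: 0
Number of entries: 1
Members:
212.187.231.66'

# Print "list", "save" or "unknown" based on the first non-blank, non-comment line.
# "list" means ipset restore will fail exactly as in the systemd log above.
ipset_conf_format() {
    first=$(grep -vE '^[[:space:]]*(#|$)' "$1" | head -n 1)
    case "$first" in
        Name:*)                 echo list ;;
        "create "*|"add "*)     echo save ;;
        *)                      echo unknown ;;
    esac
}

# Rewrite list layout into restore layout: one "create" per set, reusing the
# Header options verbatim, then one "add" per member (any per-member options
# such as timeout or comment on the member line are carried through as-is).
ipset_list_to_save() {
    awk '
        /^Name: /    { name = $2; in_members = 0; next }
        /^Type: /    { type = $2; next }
        /^Header: /  { header = substr($0, 9); next }
        /^Members:/  { in_members = 1; printf "create %s %s %s\n", name, type, header; next }
        /^$/         { in_members = 0; next }
        in_members   { printf "add %s %s\n", name, $0 }
    ' "$1"
}
# Usage: ipset_list_to_save /etc/ipset.conf > /etc/ipset.conf.new && ipset restore < /etc/ipset.conf.new
```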

Edited by David C. Rankin