[Bug 1750] New: 'ipset save' does not save in format loadable by systemd (it saves in 'ipset list' format)
bugzilla-daemon at netfilter.org
Sun Apr 21 01:20:03 CEST 2024
https://bugzilla.netfilter.org/show_bug.cgi?id=1750
Bug ID: 1750
Summary: 'ipset save' does not save in format loadable by systemd (it saves in 'ipset list' format)
Product: ipset
Version: unspecified
Hardware: x86_64
OS: All
Status: NEW
Severity: normal
Priority: P5
Component: default
Assignee: netfilter-buglog at lists.netfilter.org
Reporter: drankinatty at gmail.com
Created attachment 741
--> https://bugzilla.netfilter.org/attachment.cgi?id=741&action=edit
ipset save output snippet from '# ipset save'
This is a bug report submitted at the request of Archlinux to ipset upstream.
See corresponding Archlinux issue:
https://gitlab.archlinux.org/archlinux/packaging/packages/ipset/-/issues/2

The current problem is simple. The 'ipset save' command is not providing the
'save' format that is loadable by systemd when the system is started. Instead,
'ipset save' mirrors the format provided by 'ipset list', which cannot be
loaded by systemd to restore the ipsets at boot (or iptables stop/start, etc.).

This does not match the documentation provided in man 8 ipset. There is a
rather odd workaround that can produce the proper save format. That is to use
the command:

    ipset -o save save > /etc/ipset.conf

To say it is rather confusing to have to use 'ipset -o save save' instead of
the documented 'ipset save' (or to derive that workaround from the man page) is
an understatement. Sample output for the current 'ipset save' and the correct
output produced by 'ipset -o save save' is provided in the Archlinux gitlab
issue and an example is provided as an attachment here.

The bug is fairly self-explanatory. The 'ipset save' format wire somehow got
crossed with the 'ipset list' format wire and that prevents 'ipset save' from
outputting the proper format that can be used to create and restore the ipsets
on start.
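A way to catch the format mismatch described in the report before the file is relied on at boot, as an added example that is not part of the original report or of ipset. The helper names `classify_ipset_dump` and `check_ipset_conf` are hypothetical, the sample dumps are constructed, and the check assumes a saved file contains only `create` and `add` lines.

```shell
#!/bin/sh
# Added example: classify an ipset dump before it is used for boot-time restore.
# Sample dumps are constructed (documentation address ranges), not the attachment.
SAMPLE_RESTORE='create blocklist hash:ip family inet hashsize 1024 maxelem 65536
add blocklist 192.0.2.10
add blocklist 198.51.100.7'

SAMPLE_LIST='Name: blocklist
Type: hash:ip
Revision: 4
Header: family inet hashsize 1024 maxelem 65536
Size in memory: 296
References: 0
Number of entries: 2
Members:
192.0.2.10
198.51.100.7'

# classify_ipset_dump (hypothetical helper): reads a dump on stdin, prints
#   restore - only "create"/"add" command lines
#   list    - "ipset list" style headers and no commands
#   empty   - nothing but blank or comment lines
#   unknown - anything else (mixed or unrecognised content)
classify_ipset_dump() {
    awk '
        /^[ \t]*$/ || /^#/ { next }
        /^(create|add) /   { cmd++; next }
        /^(Name|Type|Revision|Header|Size in memory|References|Number of entries|Members):/ { hdr++; next }
        { other++ }
        END {
            if (cmd + hdr + other == 0)     print "empty"
            else if (cmd && !hdr && !other) print "restore"
            else if (hdr && !cmd)           print "list"
            else                            print "unknown"
        }'
}

# check_ipset_conf (hypothetical helper): exit 0 only for a restore-format file.
check_ipset_conf() {
    fmt=$(classify_ipset_dump < "$1") || return 2
    [ "$fmt" = restore ]
}

# Demo on the constructed samples.
printf '%s\n' "$SAMPLE_RESTORE" | classify_ipset_dump   # restore format
printf '%s\n' "$SAMPLE_LIST"    | classify_ipset_dump   # list format
```

Running `check_ipset_conf /etc/ipset.conf` right after saving flags a list-format file while the firewall sets are still loaded, rather than at the next boot.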