replacing a runtime instance of ipset

Question

I have a running instance of iptables and ipset services. Among them one set has a spec similar to this that has 20+ references to it:

create_set foo ipmap --network 123.45.67.0/24
add_to_set foo host1
add_to_set foo host2

where host1 and 2 are say 123.45.67.5 and 123.45.67.6.

I need to add host3 to the set that is on a different subnet than 67, e.g., 123.45.66.0. I would like to enlarge the set foo to 123.45.0.0/16. The problem I am getting when trying to re-define foo (no error) and add host3 (say 123.45.66.5) while it is running and then getting the "out of range" error from the ipset command. It turns out ipset does not reload sets with references.

Now all this is scripted with scripts and makefiles to keep the ipset and iptables services down as little as possible while updating either sets or the rules. There are hundreds of sets and rules saved and reloaded. Can I (and if yes, how) replace a running set by its enlarged version? It seems I can only do it by shutting down iptables and ipset, making my changes, and then reloading, but can't rebuild it on the fly; otherwise it complains the set specification is wrong when trying to add the host3 entry from another subnet. (There may be other hosts all over the place in 123.45.x.x added later on.)

This happens on EL5 and EL6 running either ipset 4.5 or 6.11.

score 4 · Accepted Answer · answered Jun 06 '18 at 21:34

4

You should create NEW set with

ipset create foo-new ...

add entries there and then swap the two:

ipset swap foo-new foo

and destroy the no longer needed set:

ipset destroy foo-new

answered Jun 06 '18 at 21:34

Tomek

3,390
1
16
10

So this is like a shortcut for what I did it seems with my rename. – Serguei Jan 05 '21 at 06:37

Serguei · Answer 2 · 2017-09-07T21:01:18.060

0

Well, I have found something what I believe is acceptable in the end. Should better answers pop up, I will re-evaluate this one.

The trick is to rename the problematic set, and then re-create a new, enlarged, set with the original name, e.g., assuming the sets and IPs in the question:

/usr/bin/ipset --rename foo foo-old
/usr/bin/ipset --create foo ipmap 123.45.0.0/16
/usr/bin/ipset --add foo 123.45.67.5
/usr/bin/ipset --add foo 123.45.67.6
/usr/bin/ipset --add foo 123.45.66.5

and it worked for me. Can then --save. When restarting ipset, the references migrated to the new instance and the old can can be safely discarded if not saved.

edited Sep 07 '17 at 21:01

answered Aug 26 '17 at 02:07

Serguei

127
9

This will fail if the set is in use (eg: by an iptables rule). – A.B Sep 20 '20 at 10:37
It worked for me (precisely in the scenario when `foo` that became `foo-old` was in use). – Serguei Jan 05 '21 at 06:35

replacing a runtime instance of ipset

2 Answers2