Hello, if an ipset set of type list (list:set) exists and is non-empty (i.e. it includes references to other sets), ipset will refuse to stop even when iptables is stopped, because the sets included in the list:set have non-zero reference counters corresponding to their membership in the list:set. The following rules illustrate this problem:

# cat /var/lib/ipset/rules-save
create private_net hash:net family inet hashsize 64 maxelem 8
add private_net 10.0.0.0/8
create multi_net hash:net family inet hashsize 64 maxelem 8
add multi_net 224.0.0.0/4
create local_net list:set size 4
add local_net private_net
add local_net multi_net

# ipset list
Name: private_net
Type: hash:net
Header: family inet hashsize 64 maxelem 8
Size in memory: 916
References: 1
Members:
10.0.0.0/8

Name: multi_net
Type: hash:net
Header: family inet hashsize 64 maxelem 8
Size in memory: 852
References: 1
Members:
224.0.0.0/4

Name: local_net
Type: list:set
Header: size 4
Size in memory: 48
References: 0
Members:
private_net
multi_net

In order to fix this, the in-use check in the init script should be changed: we need to count the number of all references and subtract the total count of members in all list:set entries. The proposed patch does this. Currently only list:set can use other sets, so ATM this fix is sufficient.
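The reference-counting check the report proposes, as an added example that is not the attached patch or the Gentoo init script: a shell function that parses `ipset list` output, sums the References counters and subtracts the member count of every list:set set, so that only references held by iptables rules remain. The function names (`external_refs`, `ipset_in_use`) are assumptions; the sample output is the one from the report, embedded as a constructed string.

```sh
#!/bin/sh
# Constructed sample: the `ipset list` output shown in the bug report.
SAMPLE_IPSET_LIST='Name: private_net
Type: hash:net
Header: family inet hashsize 64 maxelem 8
Size in memory: 916
References: 1
Members:
10.0.0.0/8

Name: multi_net
Type: hash:net
Header: family inet hashsize 64 maxelem 8
Size in memory: 852
References: 1
Members:
224.0.0.0/4

Name: local_net
Type: list:set
Header: size 4
Size in memory: 48
References: 0
Members:
private_net
multi_net
'

# external_refs: read `ipset list` output on stdin and print the number of
# references NOT explained by list:set membership. Each member of a list:set
# bumps the member set's References counter by one, so subtracting the total
# list:set member count leaves only references held by iptables rules.
external_refs() {
    awk '
        /^Name:/        { in_members = 0 }
        /^Type:/        { is_list = ($2 == "list:set") }
        /^References:/  { refs += $2 }
        /^Members:/     { in_members = 1; next }
        in_members && NF > 0 && is_list { list_members++ }
        END { print refs - list_members }
    '
}

# ipset_in_use: succeed (exit 0) when some set is still referenced from
# outside ipset, i.e. when the init script must refuse to stop.
ipset_in_use() {
    [ "$(external_refs)" -gt 0 ]
}

# Usage on a live system: ipset list | ipset_in_use && echo "still in use"
```

With the report's sets, `external_refs` prints 0, so the script may stop; if an iptables rule matched local_net, its References counter would become 1 and the result would be 1.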
Created attachment 294847: ipset.initd.diff
Proposed patch for the init.d script.
And please note, ipset flush is required, because otherwise list:set entries will not be cleared and the sets used by them can't be destroyed.
Thank you for this job! Fixed in 6.10.