Bug 908235 - net-firewall/ipset: rotation suffix "_atomic_temp" exceeds max set name length
Summary: net-firewall/ipset: rotation suffix "_atomic_temp" exceeds max set name length
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo's Team for Core System packages
URL:
Whiteboard:
Keywords: PullRequest
Depends on:
Blocks:
 
Reported: 2023-06-10 16:27 UTC by Hank Leininger
Modified: 2024-03-26 21:38 UTC
CC: 3 users

See Also:
Package list:
Runtime testing required: ---


Attachments

Description Hank Leininger 2023-06-10 16:27:06 UTC
The suffix used by /etc/init.d/ipset for temporary sets effectively/artificially limits the length of supported set names.

The ipset init script supports 'reload' by building new temporary replacement sets, then atomically swaps these in and destroys the old. This is great.

But, the temp sets are created by adding a '_atomic_temp' suffix to each existing set name.

ipset names are limited to 31 characters long:

# ipset create 1234567891123456789212345678931 hash:ip
# ipset create 12345678911234567892123456789312 hash:ip
ipset v7.17: Syntax error: setname '12345678911234567892123456789312' is longer than 31 characters

The suffix is 12 characters long, effectively reducing the usable length to 19 characters:

# ipset create 12345678911234567892 hash:ip
# /etc/init.d/ipset reload
 * Reloading ipsets ...
ipset v7.17: Syntax error: setname '12345678911234567892_atomic_temp' is longer than 31 characters
 * Failed to swap in new ipset 12345678911234567892                     [ !! ]
ipset v7.17: Syntax error: setname '12345678911234567892_atomic_temp' is longer than 31 characters
 * Failed to delete obsolete ipset 12345678911234567892_atomic_temp     [ ok ]

19 characters isn't short, but still, it's less than 2/3 of the available ipset name length.

Perhaps we could go with a much shorter annotation, such as a prefix or suffix of .tmp. or _tmp (ipset permits names to start with . or _).

Whatever is chosen, might also make sense to scan the existing sets first just in case a local set uses names that match the prefix or suffix, and refuse to proceed if found.
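The two checks proposed above (name plus suffix must fit the 31-character limit, and no existing set may already carry the suffix), as an added shell example that is not the Gentoo init script. Set names are passed as arguments rather than read from `ipset list -n`, so it runs without ipset or a kernel; the sample names are constructed.

```sh
#!/bin/sh
# Added example, not the Gentoo ipset init script: a pre-flight check of
# set names against a temp-set suffix, covering the two constraints raised
# above. Names are passed as arguments (in a real script they would come
# from `ipset list -n`), so this runs without ipset or a kernel.

# ipset rejects set names longer than 31 characters, as the error in the
# report shows.
IPSET_MAX_NAME=31

# check_temp_names SUFFIX NAME...
# Prints "too-long NAME" for every name whose temp copy would exceed the
# limit and "collides NAME" for every name that already ends in SUFFIX
# (it would be mistaken for a leftover temp set).
# Returns 1 if anything was reported, 0 otherwise.
check_temp_names() {
    suffix=$1
    shift
    rc=0
    for name in "$@"; do
        # ${#var} is the POSIX string length
        if [ $(( ${#name} + ${#suffix} )) -gt "$IPSET_MAX_NAME" ]; then
            echo "too-long $name"
            rc=1
        fi
        # Quoted pattern in case: literal suffix comparison, no regex, so a
        # suffix such as ".t" cannot match "one_set" by accident.
        case $name in
            *"$suffix")
                echo "collides $name"
                rc=1
                ;;
        esac
    done
    return $rc
}

# max_name_len SUFFIX: longest base name that can still be reloaded
max_name_len() {
    echo $(( IPSET_MAX_NAME - ${#1} ))
}

# Constructed input: the 20-character name from the report plus two others.
check_temp_names _atomic_temp 12345678911234567892 blocklist allow.t \
    || echo "reload would fail with suffix _atomic_temp"
echo "usable name length with _atomic_temp: $(max_name_len _atomic_temp)"
echo "usable name length with .t:           $(max_name_len .t)"
```

Running it with the 20-character name from the report flags it as too long for `_atomic_temp`, while `max_name_len` reports 19 usable characters for that suffix and 29 for `.t`.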
Comment 1 Sam James 2023-06-10 16:43:17 UTC
Oh, yikes.
Comment 2 Hank Leininger 2023-06-17 17:29:51 UTC
Submitted a PR that makes the suffix tunable.

Includes a check to make sure the configured name doesn't conflict with existing set names.

It sticks with our current/historical suffix of _atomic_temp, but I'd actually recommend we do just .t, as the whole motivation for this is that our suffix is more than 1/3 the short fixed limit for ipset names (12 of 31 characters).
Comment 3 Larry the Git Cow 2023-06-17 18:00:13 UTC
The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=3262040cbde4a5738ee7c6b41a3038001ab383d8

commit 3262040cbde4a5738ee7c6b41a3038001ab383d8
Author:     Hank Leininger <hlein@korelogic.com>
AuthorDate: 2023-06-17 17:21:56 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2023-06-17 17:59:39 +0000

    net-firewall/ipset: Make temp suffix configurable
    
    Signed-off-by: Hank Leininger <hlein@korelogic.com>
    Closes: https://bugs.gentoo.org/908235
    Closes: https://github.com/gentoo/gentoo/pull/31516
    Signed-off-by: Sam James <sam@gentoo.org>

 net-firewall/ipset/files/ipset.confd-r1 |  19 +++++
 net-firewall/ipset/files/ipset.initd-r5 | 105 ++++++++++++++++++++++++++++
 net-firewall/ipset/ipset-7.17-r1.ebuild | 119 ++++++++++++++++++++++++++++++++
 3 files changed, 243 insertions(+)
Comment 4 tankywoo 2024-03-12 10:00:01 UTC
(In reply to Larry the Git Cow from comment #3)
> The bug has been closed via the following commit(s):
> 
> https://gitweb.gentoo.org/repo/gentoo.git/commit/
> ?id=3262040cbde4a5738ee7c6b41a3038001ab383d8
> 
> commit 3262040cbde4a5738ee7c6b41a3038001ab383d8
> Author:     Hank Leininger <hlein@korelogic.com>
> AuthorDate: 2023-06-17 17:21:56 +0000
> Commit:     Sam James <sam@gentoo.org>
> CommitDate: 2023-06-17 17:59:39 +0000
> 
>     net-firewall/ipset: Make temp suffix configurable
>     
>     Signed-off-by: Hank Leininger <hlein@korelogic.com>
>     Closes: https://bugs.gentoo.org/908235
>     Closes: https://github.com/gentoo/gentoo/pull/31516
>     Signed-off-by: Sam James <sam@gentoo.org>
> 
>  net-firewall/ipset/files/ipset.confd-r1 |  19 +++++
>  net-firewall/ipset/files/ipset.initd-r5 | 105 ++++++++++++++++++++++++++++
>  net-firewall/ipset/ipset-7.17-r1.ebuild | 119
> ++++++++++++++++++++++++++++++++
>  3 files changed, 243 insertions(+)

The ipset.confd-r1 adds `TEMP_SUFFIX` with the default value `.t`, but the ipset.initd-r5 file matches `TEMP_SUFFIX` with `grep -E`, which causes grep to treat the dot `.` as matching any single character.

e.g:

I have two sets, named one_set and two_set:

echo "$running_ipset_list" | grep -q -E "${TEMP_SUFFIX}( |$)"

will match `one_s[et] two_s[et]` as temp sets

Maybe the default value should be `\.t` instead?