Created attachment 286891: ipset initscript

(from irc): anarchy, blueness, dabbott, patrick, williamh:

I've got some weird behavior with an initscript I wrote for ipset... when I add rc_need="ipset" to /etc/conf.d/iptables, iptables seems to properly hand off the starting of ipset (which needs to happen prior to iptables), but then ipset backtracks and waits for iptables to finish what it was doing (at least that's my understanding of what's happening).

box:~$ /etc/init.d/net.eth2 start
net.eth2 | * Caching service dependencies ... [ ok ]
net.eth2 | * net.eth2: waiting for ipset (50 seconds)
ipset | * ipset: waiting for iptables (50 seconds)
iptables | * iptables: waiting for ipset (50 seconds)
net.eth2 | * net.eth2: waiting for ipset (41 seconds)
iptables | * iptables: waiting for ipset (41 seconds)
ipset | * ipset: waiting for iptables (41 seconds)
net.eth2 | * net.eth2: waiting for ipset (32 seconds)
iptables | * iptables: waiting for ipset (32 seconds)
ipset | * ipset: waiting for iptables (32 seconds)
net.eth2 | * net.eth2: waiting for ipset (23 seconds)
ipset | * ipset: waiting for iptables (23 seconds)
iptables | * iptables: waiting for ipset (23 seconds)
net.eth2 | * net.eth2: waiting for ipset (14 seconds)
ipset |iptables | * * ipset: waiting for iptables (14 seconds)iptables: waiting for ipset (14 seconds)
net.eth2 | * net.eth2: waiting for ipset (5 seconds)
ipset | * ipset: waiting for iptables (5 seconds)
iptables | * iptables: waiting for ipset (5 seconds)
net.eth2 | * net.eth2: timed out waiting for ipset
net.eth2 | * ERROR: cannot start net.eth2 as ipset would not start
iptables | * iptables: timed out waiting for ipset
iptables | * ERROR: cannot start iptables as ipset would not start
ipset | * ipset: timed out waiting for iptables
ipset | * Loading ipset state ... [ ok ]

box:~$ /etc/init.d/net.eth2 start
iptables | * Loading iptables state and starting firewall ... [ ok ]
net.eth2 | * Bringing up interface eth2
net.eth2 | * Running preup ...
net.eth2 | * dhcp ...
net.eth2 | * Running dhclient ... [ ok ]
net.eth2 | * received address 10.255.0.188/21 [ ok ]
net.eth2 | * 192.168.100.2/24 ... [ ok ]
net.eth2 | * Running postup ...
net.eth2 | * Adding rules
net.eth2 | * Generating dynamic rules
net.eth2 | * add from all fwmark 0x1 pri 20 table 20 ... [ ok ]
net.eth2 | * add from 10.255.0.188/21 pri 400 table 20 ... [ ok ]
net.eth2 | * add from all to 10.255.0.188/21 pri 450 table 20 ... [ ok ]
net.eth2 | * add from all pri 33400 table 20 ... [ ok ]
net.eth2 | * adding SNAT iptables rule ...
net.eth2 | * I will now add default route for dev eth2 table cm0 ... [ ok ]
net.eth2 | * Flushing route cache for eth2 ...

####

The only change to /etc/conf.d/iptables is adding rc_need="ipset" on the 2nd line. There is no return reference to iptables in ipset at all. In /etc/conf.d/net, there is rc_need_eth2="iptables".

Expected behavior: Upon /etc/init.d/net.eth2 start, iptables launches its ipset, ipset launches without referencing/attempting to launch iptables.
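An added diagnostic, not part of this report or of OpenRC itself: it rebuilds the declared dependency graph from conf.d-style rc_need lines and the effective wait graph from the quoted "waiting for" output, then lists which services wait on themselves and which runtime waits no declaration explains. The conf.d fragments and log excerpt are constructed from the values given above.

```python
import re
from collections import defaultdict

# Constructed excerpt of the rc_parallel start output quoted in the report.
RC_LOG = """\
net.eth2 | * net.eth2: waiting for ipset (50 seconds)
ipset | * ipset: waiting for iptables (50 seconds)
iptables | * iptables: waiting for ipset (50 seconds)
"""
# Constructed conf.d fragments carrying the two declared dependencies.
CONF_D = {
    "iptables": 'IPTABLES_SAVE="/var/lib/iptables/rules-save"\nrc_need="ipset"\n',
    "net": 'config_eth2="dhcp"\nrc_need_eth2="iptables"\n',
}
WAIT_RE = re.compile(r"^\S+ \| \* (\S+): waiting for (\S+) \(\d+ seconds\)$")
NEED_RE = re.compile(r'^rc_need(?:_(\w+))?="([^"]*)"$', re.M)

def waits_from_log(log):
    """Edges service -> blocker as actually observed at runtime."""
    edges = defaultdict(set)
    for line in log.splitlines():
        m = WAIT_RE.match(line.strip())
        if m:
            edges[m.group(1)].add(m.group(2))
    return edges

def declared_needs(conf_d):
    """rc_need edges; rc_need_<iface> in conf.d/net belongs to net.<iface>."""
    edges = defaultdict(set)
    for name, text in conf_d.items():
        for iface, needs in NEED_RE.findall(text):
            svc = f"net.{iface}" if name == "net" and iface else name
            edges[svc].update(needs.split())
    return edges

def reachable(edges, start):
    """Every service 'start' transitively needs (what OpenRC waits on)."""
    seen, todo = set(), [start]
    while todo:
        for nxt in edges.get(todo.pop(), ()):
            if nxt not in seen:
                seen.add(nxt)
                todo.append(nxt)
    return seen

def cycle_members(edges):
    """Services that transitively wait on themselves: the deadlocked set."""
    return sorted(s for s in edges if s in reachable(edges, s))

def undeclared_waits(log, conf_d):
    """Observed waits that no declared (transitive) rc_need accounts for."""
    declared = declared_needs(conf_d)
    return sorted((s, t) for s, ts in waits_from_log(log).items()
                  for t in ts if t not in reachable(declared, s))
```

Run against the constructed input, `cycle_members(declared_needs(CONF_D))` is empty while `cycle_members(waits_from_log(RC_LOG))` yields ipset and iptables, and the single unexplained edge is ipset waiting on iptables.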
Created attachment 286893: ipset-save sample/test

Sample ipset restore; use with something like iptables -A OUTPUT -m set --match-set test-host dst -j LOG
Hm, this bug has nothing to do with ipset. I had not even committed the ipset initscript to the tree. Allen, what openrc version do you use? Personally I'm unable to reproduce this problem with the init script provided here.
(In reply to comment #2)
> Hm this bug has nothing to do with ipset. I even had not commited ipset
> initscript to the tree.
>
> Allen, what openrc version do you use? Personally I'm unable to reproduce this
> problem with init script provided here.

/me references the summary and what was previously written.

Short version: YES, I'm aware that this has nothing to do with ipset; complain to whoever added you. The openrc version, AGAIN, is in the summary, or if you're lazy, it's 0.9.3-r1 (the latest available).

With no reference from the provided ipset initscript to iptables, if rc_parallel=YES, iptables correctly (via rc_need="ipset" in /etc/conf.d/iptables) launches ipset (modified iptables initscript), but then ipset, WITHOUT being told to do anything with iptables, attempts to launch iptables, which is already trying to launch, thus becoming a loop.
Try with the initscript included in the tree for ipset now (actually, included a long time ago). If it still happens with it, feel free to reopen.