Bug 383493 - sys-apps/openrc-0.9.3-r1, net-firewall/ipset, net-firewall/iptables: Circular Dependency with custom init script for net-firewall/ipset
Status: RESOLVED OBSOLETE
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: [OLD] baselayout
Hardware: AMD64 Linux
Importance: Normal normal
Assignee: OpenRC Team
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2011-09-18 13:47 UTC by Allen Parker
Modified: 2013-03-16 20:39 UTC
CC: 4 users

See Also:
Package list:
Runtime testing required: ---


Attachments
ipset initscript (ipset, 1.07 KB, text/plain) - 2011-09-18 13:47 UTC, Allen Parker
ipset-save sample/test (ipset-save, 185 bytes, text/plain) - 2011-09-18 13:56 UTC, Allen Parker

Description Allen Parker 2011-09-18 13:47:22 UTC
Created attachment 286891
ipset initscript

(from irc):
anarchy, blueness, dabbott, patrick, williamh: I've got some weird behavior with an initscript I wrote for ipset... when I add rc_need="ipset" to /etc/conf.d/iptables, iptables seems to properly hand off the starting of ipset (which needs to happen prior to iptables), but then ipset backtracks and waits for iptables to finish what it was doing (at least that's my understanding of what's happening)


box:~$ /etc/init.d/net.eth2 start
net.eth2            | * Caching service dependencies ...                                                  [ ok ]
net.eth2            | * net.eth2: waiting for ipset (50 seconds)
ipset               | * ipset: waiting for iptables (50 seconds)
iptables            | * iptables: waiting for ipset (50 seconds)
net.eth2            | * net.eth2: waiting for ipset (41 seconds)
iptables            | * iptables: waiting for ipset (41 seconds)
ipset               | * ipset: waiting for iptables (41 seconds)
net.eth2            | * net.eth2: waiting for ipset (32 seconds)
iptables            | * iptables: waiting for ipset (32 seconds)
ipset               | * ipset: waiting for iptables (32 seconds)
net.eth2            | * net.eth2: waiting for ipset (23 seconds)
ipset               | * ipset: waiting for iptables (23 seconds)
iptables            | * iptables: waiting for ipset (23 seconds)
net.eth2            | * net.eth2: waiting for ipset (14 seconds)
ipset               | * ipset: waiting for iptables (14 seconds)
iptables            | * iptables: waiting for ipset (14 seconds)
net.eth2            | * net.eth2: waiting for ipset (5 seconds)
ipset               | * ipset: waiting for iptables (5 seconds)
iptables            | * iptables: waiting for ipset (5 seconds)
net.eth2            | * net.eth2: timed out waiting for ipset
net.eth2            | * ERROR: cannot start net.eth2 as ipset would not start
iptables            | * iptables: timed out waiting for ipset
iptables            | * ERROR: cannot start iptables as ipset would not start
ipset               | * ipset: timed out waiting for iptables
ipset               | * Loading ipset state ...                                                           [ ok ]

box:~$ /etc/init.d/net.eth2 start
iptables            | * Loading iptables state and starting firewall ...                                  [ ok ]
net.eth2            | * Bringing up interface eth2
net.eth2            | *   Running preup ...
net.eth2            | *   dhcp ...
net.eth2            | *     Running dhclient ...                                                          [ ok ]
net.eth2            | *     received address 10.255.0.188/21                                             [ ok ]
net.eth2            | *   192.168.100.2/24 ...                                                            [ ok ]
net.eth2            | *   Running postup ...
net.eth2            | *     Adding rules
net.eth2            | *     Generating dynamic rules
net.eth2            | *       add from all fwmark 0x1 pri 20 table 20 ...                                 [ ok ]
net.eth2            | *       add from 10.255.0.188/21 pri 400 table 20 ...                              [ ok ]
net.eth2            | *       add from all to 10.255.0.188/21 pri 450 table 20 ...                       [ ok ]
net.eth2            | *       add from all pri 33400 table 20 ...                                         [ ok ]
net.eth2            | *     adding SNAT iptables rule ...
net.eth2            | *     I will now add default route for dev eth2 table cm0 ...                       [ ok ]
net.eth2            | *     Flushing route cache for eth2 ...

####
The only change to /etc/conf.d/iptables is adding rc_need="ipset" on the 2nd line. There is no return reference to iptables in ipset at all. In /etc/conf.d/net, there is rc_need_eth2="iptables"

Expected behavior:
Upon /etc/init.d/net.eth2 start, iptables launches ipset, and ipset launches without referencing or attempting to launch iptables.
Comment 1 Allen Parker 2011-09-18 13:56:47 UTC
Created attachment 286893
ipset-save sample/test

sample ipset restore, use with something like 
iptables -A OUTPUT -m set --match-set test-host dst -j LOG
Comment 2 Peter Volkov (RETIRED) gentoo-dev 2011-09-20 04:18:58 UTC
Hm, this bug has nothing to do with ipset. I have not even committed the ipset initscript to the tree.

Allen, what openrc version do you use? Personally, I'm unable to reproduce this problem with the init script provided here.
Comment 3 Allen Parker 2011-09-20 13:06:03 UTC
(In reply to comment #2)
> Hm, this bug has nothing to do with ipset. I have not even committed the ipset
> initscript to the tree.
> 
> Allen, what openrc version do you use? Personally, I'm unable to reproduce this
> problem with the init script provided here.

/me references the summary and what was previously written.

short version: YES, I'm aware that this has nothing to do with ipset, complain to whoever added you. The openrc version, AGAIN, is in the summary, or if you're lazy, it's 0.9.3-r1 (the latest available). With no reference from the provided ipset initscript to iptables, if rc_parallel=YES, iptables correctly (via rc_need="ipset" in /etc/conf.d/iptables) launches ipset (modified iptables initscript), but then ipset, WITHOUT being told to do anything with iptables, attempts to launch iptables, which is already trying to launch, thus becoming a loop.
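As an added example (not code from the report, its attachments, or OpenRC), the following POSIX sh script models the rc_need edges described in the description and in comment 3 as a small "service needs service" graph and walks it to see whether starting net.eth2 can reach a service that is already waiting on the stack. The service names are the ones in the report; both edge lists are constructed here, and the looped variant is hypothetical: it is only what the "ipset: waiting for iptables" / "iptables: waiting for ipset" output in the description looks like when drawn as a graph, not a finding about the attached initscript.

```shell
#!/bin/sh
# Added example for this bug report; not part of the report's attachments or of
# OpenRC. It models rc_need / depend() edges as "service needs" pairs and walks
# them to see whether a startup loop is reachable from net.eth2.

# Constructed edges as the reporter configured them: /etc/conf.d/net has
# rc_need_eth2="iptables", /etc/conf.d/iptables has rc_need="ipset", and the
# ipset initscript names no other service.
REPORTED_EDGES='net.eth2 iptables
iptables ipset'

# Hypothetical variant (constructed, not something the report established): an
# ipset depend() or /etc/conf.d/ipset that also needs iptables. This is the
# shape that produces two services each "waiting for" the other.
LOOPED_EDGES='net.eth2 iptables
iptables ipset
ipset iptables'

# needs_of EDGES SERVICE: print the services SERVICE directly needs, one per line.
needs_of() {
    printf '%s\n' "$1" | awk -v s="$2" '$1 == s { print $2 }'
}

# walk EDGES SERVICE PATH: depth-first walk from SERVICE. PATH is the
# space-separated chain of services currently on the stack. Returns 0 and
# prints the chain if SERVICE is already on it; returns 1 if no loop is
# reachable. Only positional parameters are used so the recursion needs no
# non-POSIX 'local'.
walk() {
    case " $3 " in
        *" $2 "*)
            printf 'cycle: %s -> %s\n' \
                "$(printf '%s' "$3" | sed 's/^ //; s/ / -> /g')" "$2"
            return 0
            ;;
    esac
    for dep in $(needs_of "$1" "$2"); do
        walk "$1" "$dep" "$3 $2" && return 0
    done
    return 1
}

# has_cycle EDGES SERVICE: exit status 0 if starting SERVICE would loop,
# 1 if the need chain terminates.
has_cycle() {
    walk "$1" "$2" ""
}

# Demo: the configuration from the report resolves cleanly; the looped variant
# is the one where every service ends up waiting for another.
for name in REPORTED_EDGES LOOPED_EDGES; do
    eval "edges=\$$name"
    if has_cycle "$edges" net.eth2; then
        echo "$name: services would wait on each other until the timeout"
    else
        echo "$name: no loop; start order is ipset, then iptables, then net.eth2"
    fi
done
```

On a real box the edges come from each initscript's depend() block plus the rc_need settings in /etc/conf.d/*, and the repeated "waiting for ... seconds" lines in the description with rc_parallel=YES are exactly what the looped shape produces: each service blocks on the other until OpenRC gives up and reports "timed out waiting for".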
Comment 4 Sergey Popov gentoo-dev Security 2013-03-16 20:39:35 UTC
Try with the initscript included in the tree for ipset now (actually, included a long time ago). If it still happens with it, feel free to reopen.