[Bug 1918936] Please test proposed package

Brian Murray 1918936 at bugs.launchpad.net
Tue Nov 30 18:20:57 UTC 2021


Hello Junien, or anyone else affected,

Accepted ipset into focal-proposed. The package will build now and be
available at
https://launchpad.net/ubuntu/+source/ipset/7.5-1ubuntu0.20.04.1 in a few
hours, and then in the -proposed repository.

Please help us by testing this new package.  See
https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how
to enable and use -proposed.  Your feedback will aid us getting this
update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug,
mentioning the version of the package you tested, what testing has been
performed on the package and change the tag from
verification-needed-focal to verification-done-focal. If it does not fix
the bug for you, please add a comment stating that, and change the tag to
verification-failed-focal. In either case, without details of your
testing we will not be able to proceed.

Further information regarding the verification process can be found at
https://wiki.ubuntu.com/QATeam/PerformingSRUVerification .  Thank you in
advance for helping!

N.B. The updated package will be released to -updates after the bug(s)
fixed by this package have been verified and the package has been in
-proposed for a minimum of 7 days.

-- 
You received this bug notification because you are a member of Ubuntu
OpenStack, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/1918936

Title:
  ipset does NSS lookups even if ports are numeric

Status in ipset package in Ubuntu:
  Fix Released
Status in ipset source package in Bionic:
  Invalid
Status in ipset source package in Focal:
  Fix Committed
Status in ipset source package in Groovy:
  Won't Fix
Status in ipset source package in Hirsute:
  Fix Committed
Status in ipset source package in Impish:
  Fix Committed
Status in ipset source package in Jammy:
  Fix Released

Bug description:
  [Impact]
  A change included in ipset 6.37 has a performance regression, as all ipset rules incur a getprotocolbyname lookup, irrespective of whether the name of the protocol or the actual port number is specified in the set configuration.  For large sets this can double the speed of applying changes to ipset tables.

  [Test Plan]
  # Create a suitable large set of data to restore to the ipset
  for x in `seq 1 7`; do for y in `seq 1 254`; do for z in `seq 1 254`; do echo "add test 10.1.1.0/21,80,150.$x.$y.$z/32" >> whitelist-ipv4 ;done; done; done

  # Destroy, create, restore
  sudo ipset destroy test
  sudo ipset create test hash:net,port,net hashsize 4096 maxelem 786432
  time sudo ipset restore < ./whitelist-ipv4

  Large reduction in time taken to restore the ipset (32s-> 5s on an 8
  core machine).

  [Where problems could occur]
  The original patch to resolve this issue did introduce another bug which has subsequently been fixed as well (and is included in the updated packages).

  If the fix introduces issues it's likely that iptables rules making use
  of ipset groups will start to fail in some way - probably rejecting
  traffic or suchlike.

  [Other Info]

  [Original Bug Report]
  Hi,

  Do you think we could get
  https://git.netfilter.org/ipset/commit/?id=dbeb20a667e82e4efb8b26b24a0ec641dab5c857
  SRUed to 20.04 ?

  This divides our ipset loading time by ~2 (from ~60s to ~25s).

  Thanks

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/ipset/+bug/1918936/+subscriptions
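
The behaviour named in the bug title, shown as an added example (not the upstream commit and not the Ubuntu patch): a port parser that handles all-digit input locally and only falls back to a name-service lookup for non-numeric names. The names parse_port, resolve_name and nss_lookups are hypothetical, and the inputs in main() are constructed.

```c
#include <arpa/inet.h>
#include <ctype.h>
#include <errno.h>
#include <netdb.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

static unsigned long nss_lookups; /* times the slow path was taken */

/* Slow path: getservbyname() consults NSS (files, LDAP, ...). */
static int resolve_name(const char *name, const char *proto)
{
    struct servent *se;

    nss_lookups++;
    se = getservbyname(name, proto);
    return se ? (int)ntohs((uint16_t)se->s_port) : -1;
}

/* Numeric-first parse: returns 0..65535, or -1 on failure. */
static int parse_port(const char *str, const char *proto)
{
    char *end;
    unsigned long v;

    if (str == NULL || *str == '\0')
        return -1;
    if (isdigit((unsigned char)*str)) {
        errno = 0;
        v = strtoul(str, &end, 10);
        if (*end == '\0') /* all digits: decide here, never ask NSS */
            return (errno == ERANGE || v > 65535) ? -1 : (int)v;
    }
    return resolve_name(str, proto); /* e.g. "http" */
}

int main(void)
{
    /* Constructed sample inputs: two numeric ports and one service name. */
    const char *in[] = { "80", "65536", "http" };

    for (size_t i = 0; i < sizeof(in) / sizeof(in[0]); i++) {
        int p = parse_port(in[i], "tcp");
        printf("%-6s -> %6d  (NSS lookups so far: %lu)\n", in[i], p, nss_lookups);
    }
    return 0;
}
```

With a restore file like the one in the test plan, where every port is numeric, the lookup counter stays at zero for the whole file.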



