diff --git a/Shorewall-core/lib.cli b/Shorewall-core/lib.cli
index d06a938a0..46e1368a6 100644
--- a/Shorewall-core/lib.cli
+++ b/Shorewall-core/lib.cli
@@ -375,7 +375,18 @@ savesets() {
 supported=$(run_it ${VARDIR}/firewall help | fgrep savesets )
- [ -n "$supported" ] && run_it ${VARDIR}/firewall savesets ${g_restorepath}-ipsets
+ [ -n "$supported" ] && run_it ${VARDIR}/firewall savesets ${g_restorepath}-ipsets
+}
+
+#
+# Proactive save of the current ipset contents
+#
+savesets1() {
+ local supported
+
+ supported=$(run_it ${VARDIR}/firewall help | fgrep savesets )
+
+ [ -n "$supported" ] && run_it ${VARDIR}/firewall savesets ${VARDIR}/ipsets.save && progress_message3 "The ipsets have been saved to ${VARDIR}/ipsets.save"
 }
 #
@@ -3823,6 +3834,7 @@ usage() # $1 = exit status
 echo " restore [ -n ] [ -p ] [ -C ] [ ]"
 echo " run [ ... ]"
 echo " save [ -C ] [ ]"
+ echo " savesets"
 echo " [ show | list | ls ] [ -b ] [ -x ] [ -t {filter|mangle|nat} ] [ {chain [ [ ... ]"
 echo " [ show | list | ls ] [ -f ] capabilities"
 echo " [ show | list | ls ] arptables"
@@ -4220,6 +4232,12 @@ shorewall_cli() {
 shift
 noiptrace_command $@
 ;;
+ savesets)
+ [ $# -eq 1 ] || usage 1
+ get_config
+ [ -n "$g_debugging" ] && set -x
+ savesets1
+ ;;
 *)
 if [ -z "$g_lite" ]; then
 compiler_command $@
diff --git a/Shorewall-lite/manpages/shorewall-lite.xml b/Shorewall-lite/manpages/shorewall-lite.xml
index 058c2a8b3..a5ddf7165 100644
--- a/Shorewall-lite/manpages/shorewall-lite.xml
+++ b/Shorewall-lite/manpages/shorewall-lite.xml
@@ -374,6 +374,17 @@ filename + + shorewall-lite + + | + + -options + + + + shorewall-lite
@@ -1002,6 +1013,20 @@ + + savesets + + + Added in shorewall 4.6.8. Performs the same action as the + stop command with respect to saving ipsets (see + the SAVE_IPSETS option in shorewall.conf (5)). + This command may be used to proactively save your ipset contents in + the event that a system failure occurs prior to issuing a + stop command. + + + show
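Review bot: savesets1 gives the operator no signal when nothing was written: if the `fgrep savesets` probe comes back empty, or `run_it ... savesets` fails, the `&&` chain just stops and the only visible difference is the absent "have been saved" message. For a command whose whole purpose is to keep ipset contents from being lost, a silent no-op is the failure that matters, so I would make the unsupported case explicit ahead of the save, e.g. `[ -n "$supported" ] || { error_message "ERROR: the firewall script does not support savesets"; return 1; }`, assuming `error_message` is available in lib.cli as it is in the generated script. The same applies to a failed save, which should produce a message rather than only a missing one. The `savesets)` arm added to shorewall_cli calls savesets1 as its last command; whether that status reaches the process exit code depends on code after the `case`, which is outside the hunk.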
diff --git a/Shorewall/Perl/Shorewall/Chains.pm b/Shorewall/Perl/Shorewall/Chains.pm
index fd5c0cc9a..7174d7578 100644
--- a/Shorewall/Perl/Shorewall/Chains.pm
+++ b/Shorewall/Perl/Shorewall/Chains.pm
@@ -8048,7 +8048,7 @@ sub create_save_ipsets() {
 if ( @ipsets || @{$globals{SAVED_IPSETS}} || ( $config{SAVE_IPSETS} && have_ipset_rules ) ) {
 emit( ' local file' ,
 '',
- ' file=$1'
+ ' file=${1:-${VARDIR}/save.ipsets}'
 );
 if ( @ipsets ) {
@@ -8074,7 +8074,9 @@ sub create_save_ipsets() {
 emit( '',
 " for set in \$(\$IPSET save | grep '$select' | cut -d' ' -f2); do" ,
 " \$IPSET save \$set >> \$file" ,
- " done" );
+ " done" ,
+ '',
+ );
 } else {
 emit ( '' ,
 ' if [ -f /etc/debian_version ] && [ $(cat /etc/debian_version) = 5.0.3 ]; then' ,
@@ -8091,7 +8093,9 @@ sub create_save_ipsets() {
 ' fi' );
 }
- emit("}\n" );
+ emit( " return 0",
+ '',
+ "}\n" );
 } elsif ( @ipsets || $globals{SAVED_IPSETS} ) {
 emit( '' ,
 ' rm -f ${VARDIR}/ipsets.tmp' ,
@@ -8113,10 +8117,13 @@ sub create_save_ipsets() {
 emit( '' ,
 " grep -qE -- \"(-N|^create )\" \${VARDIR}/ipsets.tmp && cat \${VARDIR}/ipsets.tmp >> \$file\n" ,
 '' ,
+ ' return 0',
+ '' ,
 "}\n" );
 }
 } elsif ( $config{SAVE_IPSETS} ) {
 emit( ' error_message "WARNING: No ipsets were saved"',
+ ' return 1',
 "}\n" );
 } else {
 emit( ' true',
diff --git a/Shorewall/Perl/prog.footer b/Shorewall/Perl/prog.footer
index 8d1d99cd1..39292ea9f 100644
--- a/Shorewall/Perl/prog.footer
+++ b/Shorewall/Perl/prog.footer
@@ -407,6 +407,7 @@ case "$COMMAND" in
 savesets)
 if [ $# -eq 2 ]; then
 save_ipsets $2
+ status=$?
 else
 usage 2
 fi
diff --git a/Shorewall/lib.cli-std b/Shorewall/lib.cli-std
index 2ada5e8d7..a5849e9d2 100644
--- a/Shorewall/lib.cli-std
+++ b/Shorewall/lib.cli-std
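Review bot: The new default in `' file=${1:-${VARDIR}/save.ipsets}'` does not match the path used elsewhere in this commit, where savesets1 in lib.cli passes and reports `${VARDIR}/ipsets.save`. If save_ipsets is ever called without an argument, the sets land in a file that, as far as this diff shows, nothing reads back, so a later restore would quietly work from a stale or missing save. Unless `save.ipsets` is consumed by code outside this diff, I would write the default as `' file=${1:-${VARDIR}/ipsets.save}'`. The `savesets)` arm in prog.footer still requires `$# -eq 2`, so the default also looks unreachable from that command.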
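Review bot: The unconditional `return 0` emitted here (and again in the `@@ -8113` hunk) makes save_ipsets report success whether or not `$IPSET save` or the `>> $file` redirection worked, and prog.footer now forwards that value through `status=$?`. A full filesystem or a failing ipset binary would leave a truncated save file while the CLI still prints "The ipsets have been saved", and restoring from that file later would bring the firewall up with incomplete sets. In the loop I would propagate the failure, `" \$IPSET save \$set >> \$file || return 1" ,`, and in the `ipsets.tmp` branch return 0 only when the `grep ... && cat ...` line succeeded; as written, a run that appends nothing returns 0 there while the `SAVE_IPSETS` fallback returns 1 for what appears to be the same outcome. The emitted function body starts and ends outside these hunks.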
@@ -1691,6 +1691,7 @@ usage() # $1 = exit status
 echo " safe-restart [ -t ] [ ]"
 echo " safe-start [ -t ] [ ]"
 echo " save [ -C ] [ ]"
+ echo " savesets"
 echo " [ show | list | ls ] [ -x ] [ -t {filter|mangle|nat|raw|rawpost} ] [ {chain [ [ ... ]"
 echo " [ show | list | ls ] actions"
 echo " [ show | list | ls ] [ -x ] {bl|blacklists}"
diff --git a/Shorewall/manpages/shorewall.xml b/Shorewall/manpages/shorewall.xml
index 36e009317..c0465f435 100644
--- a/Shorewall/manpages/shorewall.xml
+++ b/Shorewall/manpages/shorewall.xml
@@ -554,6 +554,17 @@ filename + + shorewall + + | + + -options + + + + shorewall
@@ -1658,6 +1669,20 @@ + + savesets + + + Added in shorewall 4.6.8. Performs the same action as the + stop command with respect to saving ipsets (see + the SAVE_IPSETS option in shorewall.conf (5)). + This command may be used to proactively save your ipset contents in + the event that a system failure occurs prior to issuing a + stop command. + + + show
diff --git a/Shorewall6-lite/manpages/shorewall6-lite.xml b/Shorewall6-lite/manpages/shorewall6-lite.xml
index e2d2c3229..bc8b50b1c 100644
--- a/Shorewall6-lite/manpages/shorewall6-lite.xml
+++ b/Shorewall6-lite/manpages/shorewall6-lite.xml
@@ -396,6 +396,17 @@ filename + + shorewall6-lite + + | + + -options + + + + shorewall6-lite
@@ -1032,6 +1043,20 @@ + + savesets + + + Added in shorewall 4.6.8. Performs the same action as the + stop command with respect to saving ipsets (see + the SAVE_IPSETS option in shorewall6.conf (5)). + This command may be used to proactively save your ipset contents in + the event that a system failure occurs prior to issuing a + stop command. + + + show
diff --git a/Shorewall6/manpages/shorewall6.xml b/Shorewall6/manpages/shorewall6.xml
index 2fc76176f..84a983bf4 100644
--- a/Shorewall6/manpages/shorewall6.xml
+++ b/Shorewall6/manpages/shorewall6.xml
@@ -512,6 +512,17 @@ filename + + shorewall6 + + | + + -options + + + + shorewall6
@@ -1561,6 +1572,20 @@ + + savesets + + + Added in shorewall 4.6.8. Performs the same action as the + stop command with respect to saving ipsets (see + the SAVE_IPSETS option in shorewall6.conf (5)). + This command may be used to proactively save your ipset contents in + the event that a system failure occurs prior to issuing a + stop command. + + + show