Update the Shorewall-perl document regarding SAVE_IPSETS.

Signed-off-by: Tom Eastep <teastep@shorewall.net>
Tom Eastep 2010-01-04 14:45:27 -08:00
parent 1175fa23b8
commit 0c92e05509


@ -361,23 +361,27 @@ insert_rule $filter_table-&gt;{OUTPUT}, 1, "-p udp --sport 1701 -j ACCEPT";
used in a Shorewall configuration file, the name must be preceded by
a plus sign (+) as with the shell-based compiler.</para>
<para>Shorewall is now out of the ipset load/reload business with
the exception of ipsets used for dynamic zones. With scripts
generated by the Perl-based Compiler, the Netfilter rule set is
never cleared. That means that there is no opportunity for Shorewall
to load/reload your ipsets since that cannot be done while there are
any current rules using ipsets.</para>
<para>From Shorewall-perl 4.0.0 - Shorewall 4.4.5, Shorewall was out
of the ipset load/reload business with the exception of ipsets used
for dynamic zones:</para>
<para>So:</para>
<blockquote>
<para>With scripts generated by the Perl-based Compiler, the
Netfilter rule set is never cleared. That means that there is no
opportunity for Shorewall to load/reload your ipsets since that
cannot be done while there are any current rules using
ipsets.</para>
<orderedlist numeration="upperroman">
<listitem>
<para>Your ipsets must be loaded before Shorewall starts. You
are free to try to do that with the following code in
<filename>/etc/shorewall/init (it works for me; your mileage may
vary)</filename>:</para>
<para>So:</para>
<programlisting>if [ "$COMMAND" = start ]; then
<orderedlist numeration="upperroman">
<listitem>
<para>Your ipsets must be loaded before Shorewall starts. You
are free to try to do that with the following code in
<filename>/etc/shorewall/init (it works for me; your mileage
may vary)</filename>:</para>
<programlisting>if [ "$COMMAND" = start ]; then
ipset -U :all: :all:
ipset -U :all: :default:
ipset -F
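Review bot: the parenthetical "(it works for me; your mileage may vary)" sits inside the `<filename>` element on the re-wrapped lines, so it renders as part of the file name; since these lines are being rewritten anyway, close the element after the path: `<filename>/etc/shorewall/init</filename> (it works for me; your mileage may vary):`. Also, the new lead-in frames the quoted block as what Shorewall-perl 4.0.0 through Shorewall 4.4.5 did, but the quoted paragraph still says "the Netfilter rule set is never cleared" and "there is no opportunity for Shorewall to load/reload your ipsets" in the present tense; putting it in the past tense (or stating that the quotation describes 4.4.5 and earlier) would stop readers taking it as current behaviour.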
@ -385,37 +389,43 @@ insert_rule $filter_table-&gt;{OUTPUT}, 1, "-p udp --sport 1701 -j ACCEPT";
ipset -R &lt; /etc/shorewall/ipsets
fi</programlisting>
<para>The file <filename>/etc/shorewall/ipsets</filename> will
normally be produced using the <command>ipset -S</command>
command. I have this in my<filename>
/etc/shorewall/stop</filename> file:</para>
<para>The file <filename>/etc/shorewall/ipsets</filename> will
normally be produced using the <command>ipset -S</command>
command. I have this in my<filename>
/etc/shorewall/stop</filename> file:</para>
<programlisting>if ipset -S &gt; /etc/shorewall/ipsets.tmp; then
<programlisting>if ipset -S &gt; /etc/shorewall/ipsets.tmp; then
mv -f /etc/shorewall/ipsets /etc/shorewall/ipsets.bak
mv /etc/shorewall/ipsets.tmp /etc/shorewall/ipsets
fi</programlisting>
<para>The above extension scripts will work most of the time but
will fail in a <command>shorewall stop</command> -
<command>shorewall start</command> sequence if you use ipsets in
your routestopped file (see below).</para>
</listitem>
<para>The above extension scripts will work most of the time
but will fail in a <command>shorewall stop</command> -
<command>shorewall start</command> sequence if you use ipsets
in your routestopped file (see below).</para>
</listitem>
<listitem>
<para>Your ipsets may not be reloaded until Shorewall is stopped
or cleared.</para>
</listitem>
<listitem>
<para>Your ipsets may not be reloaded until Shorewall is
stopped or cleared.</para>
</listitem>
<listitem>
<para>If you specify ipsets in your routestopped file then
Shorewall must be cleared in order to reload your ipsets.</para>
</listitem>
</orderedlist>
<listitem>
<para>If you specify ipsets in your routestopped file then
Shorewall must be cleared in order to reload your
ipsets.</para>
</listitem>
</orderedlist>
<para>As a consequence, scripts generated by the Perl-based compiler
will ignore <filename>/etc/shorewall/ipsets</filename> and will
issue a warning if you set SAVE_IPSETS=Yes in
<filename>shorewall.conf</filename>.</para>
<para>As a consequence, scripts generated by the Perl-based
compiler will ignore <filename>/etc/shorewall/ipsets</filename>
and will issue a warning if you set SAVE_IPSETS=Yes in
<filename>shorewall.conf</filename>.</para>
</blockquote>
<para>Beginning with Shorewall 4.4.6 (and 4.5.3), SAVE_IPSETS=Yes is
once again supported. See <ulink
url="manpages/shorewall.conf.html">shorewall.conf</ulink>(5).</para>
</listitem>
<listitem>
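Review bot: the re-wrapped paragraph still reads `I have this in my<filename>`, with no space before the tag, so it renders as "my/etc/shorewall/stop"; fix it while touching the line: `command. I have this in my <filename>`. The same tense problem as in the first hunk applies to the quoted "As a consequence, scripts generated by the Perl-based compiler will ignore /etc/shorewall/ipsets and will issue a warning if you set SAVE_IPSETS=Yes": immediately below, the new paragraph says SAVE_IPSETS=Yes is supported again from 4.4.6 (and 4.5.3), so the quoted sentence should read "would ignore ... and would issue a warning" or be explicitly marked as pre-4.4.6 behaviour. Finally, the new paragraph points to shorewall.conf(5) for SAVE_IPSETS but does not say what the restored option does at start versus stop; one sentence stating whether it replaces the hand-written init/stop scripts quoted above would let readers know which of the two mechanisms to keep.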