mirror of
https://gitlab.com/shorewall/code.git
synced 2024-11-09 01:04:06 +01:00
Update the Shorewall-perl document regarding SAVE_IPSETS.
Signed-off-by: Tom Eastep <teastep@shorewall.net>
This commit is contained in:
parent
1175fa23b8
commit
0c92e05509
@ -361,23 +361,27 @@ insert_rule $filter_table->{OUTPUT}, 1, "-p udp --sport 1701 -j ACCEPT";
|
||||
used in a Shorewall configuration file, the name must be preceded by
|
||||
a plus sign (+) as with the shell-based compiler.</para>
|
||||
|
||||
<para>Shorewall is now out of the ipset load/reload business with
|
||||
the exception of ipsets used for dynamic zones. With scripts
|
||||
generated by the Perl-based Compiler, the Netfilter rule set is
|
||||
never cleared. That means that there is no opportunity for Shorewall
|
||||
to load/reload your ipsets since that cannot be done while there are
|
||||
any current rules using ipsets.</para>
|
||||
<para>From Shorewall-perl 4.0.0 - Shorewall 4.4.5, Shorewall was out
|
||||
of the ipset load/reload business with the exception of ipsets used
|
||||
for dynamic zones:</para>
|
||||
|
||||
<para>So:</para>
|
||||
<blockquote>
|
||||
<para>With scripts generated by the Perl-based Compiler, the
|
||||
Netfilter rule set is never cleared. That means that there is no
|
||||
opportunity for Shorewall to load/reload your ipsets since that
|
||||
cannot be done while there are any current rules using
|
||||
ipsets.</para>
|
||||
|
||||
<orderedlist numeration="upperroman">
|
||||
<listitem>
|
||||
<para>Your ipsets must be loaded before Shorewall starts. You
|
||||
are free to try to do that with the following code in
|
||||
<filename>/etc/shorewall/init (it works for me; your mileage may
|
||||
vary)</filename>:</para>
|
||||
<para>So:</para>
|
||||
|
||||
<programlisting>if [ "$COMMAND" = start ]; then
|
||||
<orderedlist numeration="upperroman">
|
||||
<listitem>
|
||||
<para>Your ipsets must be loaded before Shorewall starts. You
|
||||
are free to try to do that with the following code in
|
||||
<filename>/etc/shorewall/init (it works for me; your mileage
|
||||
may vary)</filename>:</para>
|
||||
|
||||
<programlisting>if [ "$COMMAND" = start ]; then
|
||||
ipset -U :all: :all:
|
||||
ipset -U :all: :default:
|
||||
ipset -F
|
||||
@ -385,37 +389,43 @@ insert_rule $filter_table->{OUTPUT}, 1, "-p udp --sport 1701 -j ACCEPT";
|
||||
ipset -R < /etc/shorewall/ipsets
|
||||
fi</programlisting>
|
||||
|
||||
<para>The file <filename>/etc/shorewall/ipsets</filename> will
|
||||
normally be produced using the <command>ipset -S</command>
|
||||
command. I have this in my<filename>
|
||||
/etc/shorewall/stop</filename> file:</para>
|
||||
<para>The file <filename>/etc/shorewall/ipsets</filename> will
|
||||
normally be produced using the <command>ipset -S</command>
|
||||
command. I have this in my<filename>
|
||||
/etc/shorewall/stop</filename> file:</para>
|
||||
|
||||
<programlisting>if ipset -S > /etc/shorewall/ipsets.tmp; then
|
||||
<programlisting>if ipset -S > /etc/shorewall/ipsets.tmp; then
|
||||
mv -f /etc/shorewall/ipsets /etc/shorewall/ipsets.bak
|
||||
mv /etc/shorewall/ipsets.tmp /etc/shorewall/ipsets
|
||||
fi</programlisting>
|
||||
|
||||
<para>The above extension scripts will work most of the time but
|
||||
will fail in a <command>shorewall stop</command> -
|
||||
<command>shorewall start</command> sequence if you use ipsets in
|
||||
your routestopped file (see below).</para>
|
||||
</listitem>
|
||||
<para>The above extension scripts will work most of the time
|
||||
but will fail in a <command>shorewall stop</command> -
|
||||
<command>shorewall start</command> sequence if you use ipsets
|
||||
in your routestopped file (see below).</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>Your ipsets may not be reloaded until Shorewall is stopped
|
||||
or cleared.</para>
|
||||
</listitem>
|
||||
<listitem>
|
||||
<para>Your ipsets may not be reloaded until Shorewall is
|
||||
stopped or cleared.</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
<para>If you specify ipsets in your routestopped file then
|
||||
Shorewall must be cleared in order to reload your ipsets.</para>
|
||||
</listitem>
|
||||
</orderedlist>
|
||||
<listitem>
|
||||
<para>If you specify ipsets in your routestopped file then
|
||||
Shorewall must be cleared in order to reload your
|
||||
ipsets.</para>
|
||||
</listitem>
|
||||
</orderedlist>
|
||||
|
||||
<para>As a consequence, scripts generated by the Perl-based compiler
|
||||
will ignore <filename>/etc/shorewall/ipsets</filename> and will
|
||||
issue a warning if you set SAVE_IPSETS=Yes in
|
||||
<filename>shorewall.conf</filename>.</para>
|
||||
<para>As a consequence, scripts generated by the Perl-based
|
||||
compiler will ignore <filename>/etc/shorewall/ipsets</filename>
|
||||
and will issue a warning if you set SAVE_IPSETS=Yes in
|
||||
<filename>shorewall.conf</filename>.</para>
|
||||
</blockquote>
|
||||
|
||||
<para>Beginning with Shorewall 4.4.6 (and 4.5.3), SAVE_IPSETS=Yes is
|
||||
once again supported. See <ulink
|
||||
url="manpages/shorewall.conf.html">shorewall.conf</ulink>(5).</para>
|
||||
</listitem>
|
||||
|
||||
<listitem>
|
||||
|
Loading…
Reference in New Issue
Block a user