Clean up V4/V5 ipset enforcement

Signed-off-by: Tom Eastep <teastep@shorewall.net>
Tom Eastep 2016-04-14 09:00:38 -07:00
parent 541ecb67b4
commit 216bc715e8
3 changed files with 34 additions and 14 deletions


@ -8288,14 +8288,20 @@ sub create_save_ipsets() {
'' );
if ( $family == F_IPV6 || $setting !~ /yes/i ) {
#
# Requires V5 or later
#
emit( '' ,
" for set in \$(\$IPSET save | grep '$select' | cut -d' ' -f2); do" ,
' $IPSET -F $set' ,
' $IPSET -X $set' ,
' $IPSET flush $set' ,
' $IPSET destroy $set' ,
" done" ,
'',
);
} else {
#
# Restoring all ipsets (IPv4 and IPv6, if any)
#
emit ( ' if [ -f ${VARDIR}/ipsets.save ]; then' ,
' $IPSET -F' ,
' $IPSET -X' ,
@ -8322,6 +8328,9 @@ sub create_save_ipsets() {
if ( $config{SAVE_IPSETS} ) {
if ( $family == F_IPV6 || $config{SAVE_IPSETS} eq 'ipv4' ) {
#
# Requires V5 or later
#
my $select = $family == F_IPV4 ? '^create.*family inet ' : 'create.*family inet6 ';
emit( '' ,
@ -8332,11 +8341,14 @@ sub create_save_ipsets() {
emit( '',
" for set in \$(\$IPSET save | grep '$select' | cut -d' ' -f2); do" ,
" \$IPSET -S \$set >> \$file" ,
" \$IPSET save \$set >> \$file" ,
" done" ,
'',
);
} else {
#
# Saving all ipsets (IPv4 and IPv6, if any )
#
emit (
'',
' if eval $IPSET -S > ${VARDIR}/ipsets.tmp; then' ,
@ -8347,9 +8359,12 @@ sub create_save_ipsets() {
emit( " return 0",
"}\n" );
} elsif ( @ipsets || $globals{SAVED_IPSETS} ) {
#
# Requires V5 or later
#
my %ipsets;
#
# Remove duplicates
# Requires V
#
$ipsets{$_} = 1 for ( @ipsets, @{$globals{SAVED_IPSETS}} );
@ -8365,8 +8380,8 @@ sub create_save_ipsets() {
if ( @sets > 1 ) {
emit( '' ,
" for set in @sets; do" ,
' if qt $IPSET -L $set; then' ,
' $IPSET -S $set >> ${VARDIR}/ipsets.tmp' ,
' if qt $IPSET list $set; then' ,
' $IPSET save $set >> ${VARDIR}/ipsets.tmp' ,
' else' ,
' error_message "ipset $set not saved (not found)"' ,
' fi' ,
@ -8375,15 +8390,15 @@ sub create_save_ipsets() {
my $set = $sets[0];
emit( '' ,
" if qt \$IPSET -L $set; then" ,
" \$IPSET -S $set >> \${VARDIR}/ipsets.tmp" ,
" if qt \$IPSET list $set; then" ,
" \$IPSET save $set >> \${VARDIR}/ipsets.tmp" ,
' else' ,
" error_message 'ipset $set not saved (not found)'" ,
' fi' );
}
emit( '' ,
" grep -qE -- \"(-N|^create )\" \${VARDIR}/ipsets.tmp && mv -f \${VARDIR}/ipsets.tmp \$file\n" ,
" grep -q -- \"^create \" \${VARDIR}/ipsets.tmp && mv -f \${VARDIR}/ipsets.tmp \$file\n" ,
'' ,
' return 0',
'' ,
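Review bot: The IPv6 selector in `my $select = $family == F_IPV4 ? '^create.*family inet ' : 'create.*family inet6 ';` is not anchored like its IPv4 counterpart, so the `grep '$select'` in the generated save loop (and the restore loop in the first hunk, which interpolates a `$select` defined above the hunk) matches any line containing that text rather than only `create` lines; `'^create.*family inet6 '` would make the two selectors consistent, assuming that line is context rather than a replaced line hidden by the rendering. The comment block in the fourth hunk also carries a dangling `# Requires V` line under `# Remove duplicates` that reads like an unfinished edit — if it survives on the new side it should be completed as `# Requires V5 or later` or dropped, since the comment three lines above already says that. create_save_ipsets starts before the first hunk and continues past the last one.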


@ -346,7 +346,7 @@ our %capdesc = ( NAT_ENABLED => 'NAT',
=> 'Ipset Match nomatch',
IPSET_MATCH_COUNTERS
=> 'Ipset Match counters',
IPSET_V5 => 'Version 5 ipsets',
IPSET_V5 => 'Version 5 or later ipset',
CONNMARK => 'CONNMARK Target',
XCONNMARK => 'Extended CONNMARK Target',
CONNMARK_MATCH => 'Connmark Match',
@ -5863,16 +5863,21 @@ sub get_configuration( $$$$ ) {
unsupported_yes_no 'BRIDGING';
unsupported_yes_no_warning 'RFC1918_STRICT';
unless (default_yes_no 'SAVE_IPSETS', '', '*' ) {
$val = $config{SAVE_IPSETS};
unless ( $val eq 'ipv4' ) {
unless (default_yes_no 'SAVE_IPSETS', '', '*' ) {
if ( $val eq 'ipv4' ) {
fatal_error 'SAVE_IPSETS=ipv4 is invalid in shorewall6.conf' if $family == F_IPV6;
} else {
my @sets = split_list( $val , 'ipset' );
$globals{SAVED_IPSETS} = \@sets;
require_capability 'IPSET_V5', 'A saved ipset list', 's';
$config{SAVE_IPSETS} = '';
}
require_capability( 'IPSET_V5', "SAVE_IPSETS=$val", 's' ) if $config{SAVE_IPSETS};
}
default_yes_no 'SAVE_ARPTABLES' , '';
default_yes_no 'STARTUP_ENABLED' , 'Yes';
default_yes_no 'DELAYBLACKLISTLOAD' , '';
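Review bot: The postfix guard on `require_capability( 'IPSET_V5', "SAVE_IPSETS=$val", 's' ) if $config{SAVE_IPSETS};` can never be true for the list form, because the `else` branch has just assigned `$config{SAVE_IPSETS} = ''`, so the IPSET_V5 check that the removed `require_capability 'IPSET_V5', 'A saved ipset list', 's';` enforced for SAVED_IPSETS is silently dropped and only `SAVE_IPSETS=ipv4` still reaches it. The generated save/restore code for a saved ipset list in the first file is marked `# Requires V5 or later` and now emits `$IPSET list`/`$IPSET save`, so a host with only V4 ipset syntax would pass configuration and then fail when the script runs. Unless skipping the check for lists is intended, drop the guard: `require_capability( 'IPSET_V5', "SAVE_IPSETS=$val", 's' );`. get_configuration continues outside the hunk on both sides.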


@ -1279,7 +1279,7 @@ sub process_interface( $$ ) {
fatal_error q("nets=" may not be specified for a multi-zone interface) unless $zone;
fatal_error "Duplicate $option option" if $netsref;
if ( $value eq 'dynamic' ) {
require_capability( 'IPSET_MATCH', 'Dynamic nets', '');
require_capability( 'IPSET_V5', 'Dynamic nets', '');
$hostoptions{dynamic} = 1;
#
# Defer remaining processing until we have the final physical interface name
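Review bot: Replacing `require_capability( 'IPSET_MATCH', 'Dynamic nets', '');` with an IPSET_V5 requirement drops the check that iptables can match on ipsets at all, unless capability detection only reports IPSET_V5 when IPSET_MATCH is present — that relationship is not visible in this commit. `nets=dynamic` presumably depends on both an ipset that can be updated at run time and the ipset match in iptables, so keeping both requirements is the safe form: `require_capability( 'IPSET_MATCH', 'Dynamic nets', '');` followed by `require_capability( 'IPSET_V5', 'Dynamic nets', '');`. process_interface continues outside the hunk on both sides.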