From 450a16f730bc4f7c54c6cb370bffe485d7563cf3 Mon Sep 17 00:00:00 2001
From: Glop <13887307-gl0p@users.noreply.gitlab.com>
Date: Fri, 3 Mar 2023 16:09:23 +0100
Subject: [PATCH] Destroy the temporary IP set in the cleanup function
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

In the IP set capability tests, there is a race condition which might prevent the removal of the temporary IP set immediately after flushing the chain that uses this IP set: even though the rules which used the IP set were deleted, the IP set might still appear to be “in use by a kernel component.” In case this happens, we add an extra call to `ipset -X` in the `cleanup_iptables()` function, just to be sure that the temporary IP set is indeed destroyed when the compiler exits.
---
 Shorewall/Perl/Shorewall/Config.pm | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/Shorewall/Perl/Shorewall/Config.pm b/Shorewall/Perl/Shorewall/Config.pm
index ae3efcf4f..5d45a90c8 100644
--- a/Shorewall/Perl/Shorewall/Config.pm
+++ b/Shorewall/Perl/Shorewall/Config.pm
@@ -1507,7 +1507,7 @@ sub qt1( $ ) {
 }
 
 #
-# Delete the test chains
+# Delete the test chains and IP sets
 #
 sub cleanup_iptables() {
     qt1( "$iptables $iptablesw -F $sillyname" );
@@ -1530,6 +1530,12 @@ sub cleanup_iptables() {
         qt1( "$iptables $iptablesw -t raw -X $sillyname" );
     }
 
+    my $ipset = $config{IPSET} || 'ipset';
+    $ipset = which( $ipset ) unless $ipset =~ '/';
+    if ( $ipset && -x $ipset ) {
+        qt( "$ipset -X $sillyname" );
+    }
+
     $sillyname = $sillyname1 = '';
 }
 
@@ -1574,7 +1580,7 @@ sub cleanup() {
     unlink ( $perlscriptname ), $perlscriptname = undef if $perlscriptname;
     unlink ( @tempfiles ), @tempfiles = () if @tempfiles;
     #
-    # Delete temporary chains
+    # Delete temporary chains and IP sets
     #
     cleanup_iptables if $sillyname;
 }
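Review bot: The new `qt( "$ipset -X $sillyname" )` in the second hunk discards the command's result, so if the set is still reported as in use by the kernel — the very race the commit message describes — the temporary set leaks silently and cleanup_iptables is not called again; a short bounded retry, or at least a diagnostic when the destroy fails, would make the leak visible to whoever has to clean up by hand. Every other command in this function goes through `qt1` while the new lines use `qt`; if the difference is deliberate (the hunk does not show what distinguishes them), a one-line comment such as `# qt rather than qt1: <reason>` would stop the next reader from "fixing" it. `$ipset =~ '/'` relies on a plain string being compiled as a pattern; `$ipset =~ m{/}` states the intent and reads as a match. As with the existing iptables calls, the binary path from `$config{IPSET}` is interpolated into a shell command string rather than passed as a list, so the same trust assumptions about the configuration file apply to this new line. The enclosing sub cleanup_iptables begins outside this hunk.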