Revert "Only save ipsets of the proper family"

This reverts commit b053cab630.
Tom Eastep 2014-09-28 13:32:32 -07:00
parent b053cab630
commit 3e2c903a41
3 changed files with 20 additions and 38 deletions


@ -8006,9 +8006,8 @@ sub create_save_ipsets() {
'save_ipsets() {' ); 'save_ipsets() {' );
if ( @ipsets || @{$globals{SAVED_IPSETS}} || ( $config{SAVE_IPSETS} && have_ipset_rules ) ) { if ( @ipsets || @{$globals{SAVED_IPSETS}} || ( $config{SAVE_IPSETS} && have_ipset_rules ) ) {
emit( ' local file' ); emit( ' local file' ,
emit( ' local set' ) if have_capability 'IPSET_V5'; '',
emit( '',
' file=$1', ' file=$1',
'' ''
); );
@ -8018,19 +8017,11 @@ sub create_save_ipsets() {
} }
emit( '' , emit( '' ,
' rm -f $file' , ' rm -f ${VARDIR}/ipsets.save' ,
'' ); '' );
if ( $config{SAVE_IPSETS} ) { if ( $config{SAVE_IPSETS} ) {
if ( $family == F_IPV6 || $config{SAVE_IPSETS} eq 'ipv4' ) { if ( $family == F_IPV4 ) {
my $select = $family == F_IPV4 ? '^create.*family inet ' : 'create.*family inet6 ';
emit( 'touch $file' );
emit( "for set in $(\$IPSET save | grep '$select' | cut -d' ' -f2); do" ,
" \$IPSET save $_ >> \$file" ,
"done" );
} else {
emit ( ' if [ -f /etc/debian_version ] && [ $(cat /etc/debian_version) = 5.0.3 ]; then' , emit ( ' if [ -f /etc/debian_version ] && [ $(cat /etc/debian_version) = 5.0.3 ]; then' ,
' #', ' #',
' # The \'grep -v\' is a hack for a bug in ipset\'s nethash implementation when xtables-addons is applied to Lenny' , ' # The \'grep -v\' is a hack for a bug in ipset\'s nethash implementation when xtables-addons is applied to Lenny' ,
@ -8043,8 +8034,11 @@ sub create_save_ipsets() {
' if eval $IPSET -S $hack > ${VARDIR}/ipsets.tmp; then' , ' if eval $IPSET -S $hack > ${VARDIR}/ipsets.tmp; then' ,
" grep -qE -- \"^(-N|create )\" \${VARDIR}/ipsets.tmp && mv -f \${VARDIR}/ipsets.tmp \$file" , " grep -qE -- \"^(-N|create )\" \${VARDIR}/ipsets.tmp && mv -f \${VARDIR}/ipsets.tmp \$file" ,
' fi' ); ' fi' );
} else {
emit ( ' if eval $IPSET -S > ${VARDIR}/ipsets.tmp; then' ,
" grep -qE -- \"^(-N|create )\" \${VARDIR}/ipsets.tmp && mv -f \${VARDIR}/ipsets.tmp \$file" ,
' fi' );
} }
} elsif ( @ipsets || $globals{SAVED_IPSETS} ) { } elsif ( @ipsets || $globals{SAVED_IPSETS} ) {
emit( ' rm -f ${VARDIR}/ipsets.tmp' , emit( ' rm -f ${VARDIR}/ipsets.tmp' ,
' touch ${VARDIR}/ipsets.tmp' , ' touch ${VARDIR}/ipsets.tmp' ,
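Review bot: On the new side the cleanup line `' rm -f ${VARDIR}/ipsets.save' ,` removes a fixed path, while every later write in this section goes to `$file` (assigned from `$1` by the emitted ` file=$1`). If a caller ever passes a path other than `${VARDIR}/ipsets.save` (not visible here), a failed `$IPSET -S` or a failed `grep -qE` check leaves the previous `$file` in place, and a later restore would load stale set contents. Emitting `' rm -f "$file"' ,` keeps the removal and the write on the same path, and quoting `\$file` in the two `mv -f` lines would also prevent word splitting on an unusual path. create_save_ipsets starts and ends outside the visible hunks, so whether `file` is always set when this line runs should be confirmed against the full body.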


@ -2470,7 +2470,7 @@ INLINE - - - ; -j REJECT
<varlistentry> <varlistentry>
<term><emphasis role="bold">SAVE_IPSETS=</emphasis>{<emphasis <term><emphasis role="bold">SAVE_IPSETS=</emphasis>{<emphasis
role="bold">Yes</emphasis>|<emphasis role="bold">Yes</emphasis>|<emphasis
role="bold">No|ipv4|<replaceable>setlist</replaceable></emphasis>}</term> role="bold">No|<replaceable>setlist</replaceable></emphasis>}</term>
<listitem> <listitem>
<para>Re-enabled in Shorewall 4.4.6. If SAVE_IPSETS=Yes, then the <para>Re-enabled in Shorewall 4.4.6. If SAVE_IPSETS=Yes, then the
@ -2480,21 +2480,9 @@ INLINE - - - ; -j REJECT
<emphasis role="bold">shorewall start</emphasis> and <emphasis <emphasis role="bold">shorewall start</emphasis> and <emphasis
role="bold">shorewall restore</emphasis> commands.</para> role="bold">shorewall restore</emphasis> commands.</para>
<para>Beginning with Shorewall 4.6.4:</para> <para>Beginning with Shorewall 4.6.4, you can restrict the set of
ipsets saved by specifying a setlist (a comma-separated list of ipv4
<itemizedlist> ipset names).</para>
<listitem>
<para>When SAVE_IPSETS=ipv4, only ipv4 ipsets are saved if the
'Ipset V5' capability is supported by your system.</para>
</listitem>
<listitem>
<para>you can restrict the set of ipsets saved by specifying a
setlist (a comma-separated list of ipv4 ipset names).</para>
</listitem>
</itemizedlist>
<para> </para>
</listitem> </listitem>
</varlistentry> </varlistentry>


@ -2128,15 +2128,15 @@ INLINE - - - ; -j REJECT
role="bold">No|<replaceable>setlist</replaceable></emphasis>}</term> role="bold">No|<replaceable>setlist</replaceable></emphasis>}</term>
<listitem> <listitem>
<para>Added in Shoreall 4.6.4. If SAVE_IPSETS=Yes, then the current <para>Re-enabled in Shorewall 4.4.6. If SAVE_IPSETS=Yes, then the
contents of your ipv6 ipsets will be saved by the <emphasis current contents of your ipsets will be saved by the <emphasis
role="bold">shorewall stop</emphasis> and <emphasis role="bold">shorewall stop</emphasis> and <emphasis
role="bold">shorewall save</emphasis> commands and restored by the role="bold">shorewall save</emphasis> commands and restored by the
<emphasis role="bold">shorewall start</emphasis> and <emphasis <emphasis role="bold">shorewall start</emphasis> and <emphasis
role="bold">shorewall restore</emphasis> commands.</para> role="bold">shorewall restore</emphasis> commands.</para>
<para>You can restrict the set of ipsets saved by specifying a <para>Beginning with Shorewall 4.6.4, you can restrict the set of
<replaceable>setlist</replaceable> (a comma-separated list of ipv6 ipsets saved by specifying a setlist (a comma-separated list of ipv6
ipset names).</para> ipset names).</para>
</listitem> </listitem>
</varlistentry> </varlistentry>