diff --git a/Shorewall/Perl/Shorewall/Chains.pm b/Shorewall/Perl/Shorewall/Chains.pm
index b0a459c1f..cec13ebb2 100644
--- a/Shorewall/Perl/Shorewall/Chains.pm
+++ b/Shorewall/Perl/Shorewall/Chains.pm
@@ -385,6 +385,8 @@ my %builtin_target = ( ACCEPT => 1,
 ULOG => 1,
 );
+my %ipset_exists;
+
 #
 # Rather than initializing globals in an INIT block or during declaration,
 # we initialize them in a function. This is done for two reasons:
@@ -437,6 +439,8 @@ sub initialize( $$$ ) {
 $warningcount = 0;
 $hashlimitset = 0;
 $ipset_rules = 0 if $hard;
+
+ %ipset_exists = ();
 #
 # The chain table is initialized via a call to initialize_chain_table() after the configuration and capabilities have been determined.
 #
@@ -2906,7 +2910,11 @@ sub get_set_flags( $$ ) {
 $setname =~ s/^\+//;
 unless ( $export || $> != 0 ) {
- warning_message "Ipset $setname does not exist" unless qt "ipset -L $setname";
+ unless ( $ipset_exists{$setname} ) {
+ warning_message "Ipset $setname does not exist" unless qt "ipset -L $setname";
+ }
+
+ $ipset_exists{$setname} = 1; # Suppress subsequent checks/warnings
 }
 fatal_error "Invalid ipset name ($setname)" unless $setname =~ /^[a-zA-Z]\w*/;
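Review bot: `my %ipset_exists;` arrives without a comment, so a reader of this declaration has to find the trailing comment in get_set_flags() to learn what the hash holds and when it is valid. A header in the file's existing `#` style above the declaration, `# Ipset names already checked for existence in get_set_flags(); cleared in initialize()`, would document it where it is declared.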
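Review bot: The moved `warning_message "Ipset $setname does not exist" unless qt "ipset -L $setname";` line still passes `$setname`, via qt, to an `ipset -L` command before the `fatal_error "Invalid ipset name ($setname)"` check that follows the block runs, and that check's pattern `/^[a-zA-Z]\w*/` has no end anchor, so a name carrying trailing characters passes it. Hoisting the fatal_error line above `unless ( $export || $> != 0 ) {` ensures only a validated name reaches the external command, and if trailing characters such as `-` are not meant to be accepted the pattern should end in `\z`. Note also that `$ipset_exists{$setname} = 1` is recorded whether or not the set exists, which the trailing comment marks as intended, so a later reference to the same missing set will not warn again. get_set_flags() starts before and ends after this hunk.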
@@ -4532,34 +4540,38 @@ sub load_ipsets() {
 ' IPSET="$(mywhich $IPSET)"',
 ' [ -n "$IPSET" ] || startup_error "The ipset utility cannot be located"' ,
 ' ;;',
- 'esac',
- '',
- 'if [ "$COMMAND" = start ]; then' ,
- ' if [ -f ${VARDIR}/ipsets.save ]; then' ,
- ' $IPSET -F' ,
- ' $IPSET -X' ,
- ' $IPSET -R < ${VARDIR}/ipsets.save' ,
- ' fi' );
+ 'esac' ,
+ '' ,
+ 'if [ "$COMMAND" = start ]; then' );
+
+ if ( $config{SAVE_IPSETS} ) {
+ emit ( ' if [ -f ${VARDIR}/ipsets.save ]; then' ,
+ ' $IPSET -F' ,
+ ' $IPSET -X' ,
+ ' $IPSET -R < ${VARDIR}/ipsets.save' ,
+ ' fi' );
+ }
 if ( @ipsets ) {
 emit ( '' );
- ensure_ipset( $_ ) for @ipsets;
- emit ( '' );
 }
- emit ( 'elif [ "$COMMAND" = restore -a -z "$g_recovering" ]; then' ,
- ' if [ -f $(my_pathname)-ipsets ]; then' ,
- ' if chain_exists shorewall; then' ,
- ' startup_error "Cannot restore $(my_pathname)-ipsets with Shorewall running"' ,
- ' else' ,
- ' $IPSET -F' ,
- ' $IPSET -X' ,
- ' $IPSET -R < $(my_pathname)-ipsets' ,
- ' fi' ,
- ' fi' ,
- );
+ emit ( 'elif [ "$COMMAND" = restore -a -z "$g_recovering" ]; then' );
+
+ if ( $config{SAVE_IPSETS} ) {
+ emit( ' if [ -f $(my_pathname)-ipsets ]; then' ,
+ ' if chain_exists shorewall; then' ,
+ ' startup_error "Cannot restore $(my_pathname)-ipsets with Shorewall running"' ,
+ ' else' ,
+ ' $IPSET -F' ,
+ ' $IPSET -X' ,
+ ' $IPSET -R < $(my_pathname)-ipsets' ,
+ ' fi' ,
+ ' fi' ,
+ );
+ }
 if ( @ipsets ) {
 emit '';
diff --git a/Shorewall6/lib.cli b/Shorewall6/lib.cli
index cb41fef67..423287140 100644
--- a/Shorewall6/lib.cli
+++ b/Shorewall6/lib.cli
@@ -1291,7 +1291,7 @@ add_command() {
 zone=$1
 for host in $hostlist; do
- interface=${host%:*}
+ interface=${host%%:*}
 ipset=${zone}_${interface};
@@ -1315,7 +1315,7 @@ add_command() {
 #
 delete_command() {
 local interface host hostent hostlist zone ipset
- if ! shorewall_is_started ; then
+ if ! shorewall6_is_started ; then
 echo "Shorewall6 Not Started" >&2
 exit 2;
 fi
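Review bot: When `$config{SAVE_IPSETS}` is false, the start branch now emits `'if [ "$COMMAND" = start ]; then'` followed by nothing but the blank line from `emit ( '' )` and then the `elif` line, and a `then` whose body contains no command is a syntax error in POSIX sh, so the generated script would not parse unless code outside this hunk emits into that branch. The same hunk drops `ensure_ipset( $_ ) for @ipsets;` from the start branch with no replacement visible here, so sets referenced by rules would no longer be created at start when there is no ipsets.save to restore; if that loop was relocated below the if/elif/fi, a comment at the removal point saying so would help the next reader. Emitting a no-op when the conditional block is skipped, e.g. `emit( '    true' ) unless $config{SAVE_IPSETS};` after the `if ( @ipsets )` block, keeps the shell syntax valid whatever else ends up in the branch. load_ipsets() continues past the end of the hunk.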
@@ -1350,7 +1350,7 @@ delete_command() {
 zone=$1
 for hostent in $hostlist; do
- interface=${hostent%:*}
+ interface=${hostent%%:*}
 ipset=${zone}_${interface};
@@ -1361,7 +1361,7 @@ delete_command() {
 host=${hostent#*:}
 if $IPSET -D $ipset $host; then
- echo "Host $hostend deleted from zone $zone"
+ echo "Host $hostent deleted from zone $zone"
 else
 echo " WARNING: Unable to delete host $hostent to zone $zone" >&2
 fi
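Review bot: The WARNING message in the else branch of the same block, `echo " WARNING: Unable to delete host $hostent to zone $zone" >&2`, still says "to zone" for a delete operation; the commit fixes the `$hostend` typo two lines above but leaves this wording, so `echo " WARNING: Unable to delete host $hostent from zone $zone" >&2` would match the success message. The `${hostent%%:*}` change in the preceding hunk splits at the first colon, which agrees with the `host=${hostent#*:}` context line here. delete_command() begins before and ends after these hunks.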