extern/shorewall_code
1
0
Fork 1
mirror of https://gitlab.com/shorewall/code.git synced 2024-11-21 23:23:13 +01:00
Code Issues Packages Projects Releases Wiki Activity

Destroy the temporary IP set in the cleanup function

Browse Source 
In the IP set capability tests, there is a race condition which
might prevent the removal of the temporary IP set immediately
after flushing the chain that uses this IP set: even though the
rules which used the IP set were deleted, the IP set might still
appear to be “in use by a kernel component.”

In case this happens, we add an extra call to `ipset -X` in the
`cleanup_iptables()` function, just to be sure that the temporary
IP set is indeed destroyed when the compiler exits.
This commit is contained in:
Glop 2023-03-03 16:09:23 +01:00
parent aae5baedfd
commit 450a16f730
1 changed files with 8 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

10
Shorewall/Perl/Shorewall/Config.pm
View File

@ -1507,7 +1507,7 @@ sub qt1( $ ) {
}
#
# Delete the test chains
# Delete the test chains and IP sets
#
sub cleanup_iptables() {
qt1( "$iptables $iptablesw -F $sillyname" );
@ -1530,6 +1530,12 @@ sub cleanup_iptables() {
qt1( "$iptables $iptablesw -t raw -X $sillyname" );
}
my $ipset = $config{IPSET} || 'ipset';
$ipset = which( $ipset ) unless $ipset =~ '/';
if ( $ipset && -x $ipset ) {
qt( "$ipset -X $sillyname" );
}
$sillyname = $sillyname1 = '';
}
@ -1574,7 +1580,7 @@ sub cleanup() {
unlink ( $perlscriptname ), $perlscriptname = undef if $perlscriptname;
unlink ( @tempfiles ), @tempfiles = () if @tempfiles;
#
# Delete temporary chains
# Delete temporary chains and IP sets
#
cleanup_iptables if $sillyname;
}