Make save/restore work with SAVE_IPSETS=Yes

Signed-off-by: Tom Eastep <teastep@shorewall.net>
2024-11-09 01:04:06 +01:00 · 2010-01-04 12:36:31 -08:00 · 2010-01-04 12:36:31 -08:00 · 4e0f9b2ef3
commit 4e0f9b2ef3
parent e3c75dcfcc
2 changed files with 51 additions and 1 deletions
--- a/Shorewall/Perl/Shorewall/Compiler.pm
+++ b/Shorewall/Perl/Shorewall/Compiler.pm
@ -375,9 +375,17 @@ sub generate_script_3($) {
 		   '        $IPSET -X' ,
 		   '        $IPSET -R < ${VARDIR}/ipsets.save' ,
 		   '    fi' ,
-		   '' );
+		   'elif [ "$COMMAND" = restart ]; then' ,
+		   '    if [ -f $(my_pathname)-ipsets ] && ! chain_exists shorewall; then' ,
+		   '        $IPSET -F' ,
+		   '        $IPSET -X' ,
+		   '        $IPSET -R < $(my_pathname)-ipsets' ,
+		   '    fi' ,
+		 );

 	    if ( @ipsets ) {
+		emit '';
+
 		emit ( "    qt \$IPSET -L $_ -n || \$IPSET -N $_ iphash" ) for @ipsets;

 		emit ( '' ,
--- a/Shorewall/lib.cli
+++ b/Shorewall/lib.cli
@ -267,6 +267,7 @@ save_config() {

    local result
    result=1
+    local hack
    
    iptables_save=${IPTABLES}-save

@ -293,6 +294,47 @@ save_config() {
 				mv -f ${VARDIR}/restore-$$ ${RESTOREPATH}-iptables
 				chmod +x $RESTOREPATH
 				echo "   Currently-running Configuration Saved to $RESTOREPATH"
+    
+				case ${SAVE_IPSETS:=No} in 
+				    [Yy]es)
+					case ${IPSET:=ipset} in
+					    */*)
+						if [ ! -x "$IPSET" ]; then
+						    error_message "ERROR: IPSET=$IPSET does not exist or is not executable - ipsets are not saved"
+						    IPSET=
+						fi
+						;;
+					    *)
+						IPSET="$(mywhich $IPSET)"
+						[ -n "$IPSET" ] || error_message "ERROR: The ipset utility cannot be located - ipsets are not saved"
+						;;
+					esac
+					
+					if [ -n "$IPSET" ]; then
+					    if [ -f /etc/debian_version ] && [ $(cat /etc/debian_version) = 5.0.3 ]; then
+                                                #
+                                                # The 'grep -v' is a hack for a bug in ipset's nethash implementation when xtables-addons is applied to Lenny
+                                                #
+		                                hack='| grep -v /31'
+					    else
+						hack=
+					    fi
+
+					    if eval $IPSET -S $hack > ${VARDIR}/ipsets.tmp; then
+                                                #
+                                                # Don't save an 'empty' file
+                                                #
+						grep -q '^-N' ${VARDIR}/ipsets.tmp && mv -f ${VARDIR}/ipsets.tmp ${RESTOREPATH}-ipsets && echo "   Ipsets Saved to ${RESTOREPATH}-ipsets"
+					    fi
+					fi
+					;;
+				    [Nn]o)
+					;;
+				    *)
+					error_message "WARNING: Invalid value ($SAVE_IPSETS) for SAVE_IPSETS"
+					;;
+				esac
+
 				run_user_exit save
 			    else
 			        rm -f ${VARDIR}/restore-$$