diff --git a/Shorewall-core/lib.cli b/Shorewall-core/lib.cli
index bd5d4bbef..3309bc971 100644
--- a/Shorewall-core/lib.cli
+++ b/Shorewall-core/lib.cli
@@ -496,6 +496,26 @@ show_routing() {
     fi
 }
 
+determine_ipset_version() {
+    local setname
+
+    if [ $IPSET = ipset ]; then
+        IPSET=$(mywhich ipset)
+        [ -n "$IPSET" ] || fatal_error "The ipset utility cannot be located"
+    fi
+
+    setname=fooX$$
+
+    qt ipset -X $setname # Just in case something went wrong the last time
+
+    if qt ipset -N $setname hash:ip family inet; then
+        qt ipset -X $setname
+        IPSETN="$IPSET"
+    else
+        IPSETN="$IPSET -n"
+    fi
+}
+
 #
 # 'list dynamic' command executor
 #
@@ -503,7 +523,7 @@ find_sets() {
     local junk
     local setname
 
-    $IPSET -L | grep "^Name: ${1}_" | while read junk setname; do echo $setname; done
+    $IPSETN -L | grep "^Name: ${1}_" | while read junk setname; do echo $setname; done
 }
 
 list_zone() {
@@ -511,24 +531,22 @@ list_zone() {
     local sets
     local setname
 
-    if [ $IPSET = ipset ]; then
-        [ -n "$(mywhich ipset)" ] || fatal_error "The ipset utility cannot be located"
-    fi
+    determine_ipset_version
 
     if [ $g_family -eq 4 ]; then
-        sets=$($IPSET -L | grep '^$1_');
+        sets=$($IPSETN -L | grep "^$1_");
     else
-        sets=$($IPSET-L | grep "^6_$1_")
+        sets=$($IPSETN -L | grep "^6_$1_")
     fi
 
     [ -n "$sets" ] || sets=$(find_sets $1)
 
     for setname in $sets; do
         echo "${setname#${1}_}:"
-        $IPSET -L $setname | awk 'BEGIN {prnt=0;}; \
-            /^Members:/ {prnt=1; next; }; \
-            /^Bindings:/ {prnt=0; }; \
-            { if (prnt == 1) print " ", $1; };'
+        $IPSETN -L $setname | awk 'BEGIN {prnt=0;}; \
+            /^Members:/ {prnt=1; next; }; \
+            /^Bindings:/ {prnt=0; }; \
+            { if (prnt == 1) print " ", $1; };'
     done
 }
 
@@ -1588,18 +1606,12 @@ add_command() {
         exit 2
     fi
 
-    case "$IPSET" in
-        */*)
-            ;;
-        *)
-            [ -n "$(mywhich $IPSET)" ] || fatal_error "The $IPSET utility cannot be located"
-            ;;
-    esac
+    determine_ipset_version
 
     case $1 in
         *:*)
             while [ $# -gt 1 ]; do
-                if $g_family -eq 4; then
+                if [ $g_family -eq 4 ]; then
                     interface=${1%%:*}
                     host=${1#*:}
                 else
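Review bot: The three probe lines in determine_ipset_version (`qt ipset -X $setname`, `if qt ipset -N $setname hash:ip family inet; then`, `qt ipset -X $setname`) run the literal `ipset` found on PATH, while the IPSETN value they decide is built from `$IPSET`; once IPSET can name a different binary (the get_config hunk below accepts an explicit path), the version probed is not the one later executed, so they should read `qt $IPSET -X $setname`, `if qt $IPSET -N $setname hash:ip family inet; then` and `qt $IPSET -X $setname`. The `else` branch also treats any failure of the create — missing privilege, kernel module not loaded — as "old syntax", so `-n` gets appended for reasons unrelated to the version; a comment on that line stating the assumption would help, and if both supported ipset releases can report their version, querying it would avoid creating and destroying a kernel set on every list, add and delete. The first `-X` destroys whatever set is named `fooX$$`, which is only harmless while no real set uses that prefix; the comment should say so.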
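Review bot: The IPSETN that the new `determine_ipset_version` call computes is never consulted in add_command: the existence checks in the two later hunks of this function still run `$IPSET -L $ipset`, and the same holds for delete_command at the -1683 hunk. If the `-n` that those later hunks drop is the version-dependent part, the checks should become `if ! qt $IPSETN -L $ipset; then` and `qt $IPSETN -L $ipset || fatal_error "Zone $ipset is not dynamic"`; if it is not, this call only repeats the path resolution get_config now performs, at the cost of a kernel set being created and destroyed on each add or delete. The change from `if $g_family -eq 4` to `if [ $g_family -eq 4 ]` is a real fix (the old form tried to execute the number). add_command's body continues outside the hunk.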
@@ -1648,7 +1660,7 @@ add_command() {
                     ipset=6_${zone}_${interface};
                 fi
 
-                if ! qt $IPSET -L $ipset -n; then
+                if ! qt $IPSET -L $ipset; then
                     fatal_error "Zone $zone, interface $interface does not have a dynamic host list"
                 fi
 
@@ -1661,7 +1673,7 @@ add_command() {
                 fi
             done
         else
-            qt $IPSET -L $ipset -n || fatal_error "Zone $ipset is not dynamic"
+            qt $IPSET -L $ipset || fatal_error "Zone $ipset is not dynamic"
 
             for host in $hostlist; do
                 if $IPSET -A $ipset $host; then
@@ -1683,18 +1695,12 @@ delete_command() {
         exit 2;
     fi
 
-    case "$IPSET" in
-        */*)
-            ;;
-        *)
-            [ -n "$(mywhich $IPSET)" ] || fatal_error "The $IPSET utility cannot be located"
-            ;;
-    esac
+    determine_ipset_version
 
     case $1 in
         *:*)
             while [ $# -gt 1 ]; do
-                if $g_family -eq 4; then
+                if [ $g_family -eq 4 ]; then
                     interface=${1%%:*}
                     host=${1#*:}
                 else
@@ -1750,7 +1756,7 @@ delete_command() {
                 host=${host#*:}
 
                 if $IPSET -D $ipset $host; then
-                    echo "Host $hostent deleted from zone $zone"
+                    echo "Host $host deleted from zone $zone"
                 else
                     echo " WARNING: Unable to delete host $hostent to zone $zone" >&2
                 fi
@@ -2944,7 +2950,27 @@ get_config() {
         exit 2
     fi
 
-    IPSET=ipset
+    if [ -n "$IPSET" ]; then
+        case "$IPSET" in
+            */*)
+                if [ ! -x "$IPSET" ] ; then
+                    echo " ERROR: The program specified in IPSET ($IPSET) does not exist or is not executable" >&2
+                    exit 2
+                fi
+                ;;
+            *)
+                prog="$(mywhich $IPSET 2> /dev/null)"
+                if [ -z "$prog" ] ; then
+                    echo " ERROR: Can't find $IPSET executable" >&2
+                    exit 2
+                fi
+                IPSET=$prog
+                ;;
+        esac
+    else
+        IPSET='ipset'
+    fi
 
     TC=tc
 }
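Review bot: The `else` branch two lines below the corrected `echo` in the -1750 hunk still prints `$hostent` and says "to zone", so the success and failure messages for the same deletion now disagree about which variable names the host. Unless `hostent` is assigned somewhere in this loop (not visible in the hunk), the warning should be `echo " WARNING: Unable to delete host $host from zone $zone" >&2`. delete_command's body continues outside the hunk.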
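Review bot: In the get_config hunk, `prog` is assigned without `local` in the `*)` arm, so it survives as a global after get_config returns; `local prog` alongside the function's other locals (outside the hunk) keeps it contained. `mywhich $IPSET` is unquoted, so a configured IPSET value containing whitespace is split into several arguments before the lookup, unlike the quoted `"$IPSET"` on the `-x` test in the `*/*` arm; `prog="$(mywhich "$IPSET" 2> /dev/null)"` makes the two arms consistent. The default in the `else` arm is left as the bare name `ipset`, so the new determine_ipset_version has to repeat the `mywhich` lookup for it with a different failure path (fatal_error rather than the `exit 2` used here); resolving the default here as well would give one place where IPSET becomes an absolute path. get_config's body continues outside the hunk.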