Merge branch '4.5.8'

Conflicts:
	Shorewall-core/lib.cli

Shorewall-core/lib.cli

@@ -496,6 +496,26 @@ show_routing() {
     fi
 }
 
+determine_ipset_version() {
+    local setname
+
+    if [ $IPSET = ipset ]; then
+	IPSET=$(mywhich ipset)
+	[ -n "$IPSET" ] || fatal_error "The ipset utility cannot be located"
+    fi
+
+    setname=fooX$$
+
+    qt ipset -X $setname # Just in case something went wrong the last time
+
+    if qt ipset -N $setname hash:ip family inet; then
+	qt ipset -X $setname
+	IPSETN="$IPSET"
+    else
+	IPSETN="$IPSET -n"
+    fi
+}
+
 #
 # 'list dynamic' command executor
 #
@@ -503,7 +523,7 @@ find_sets() {
     local junk
     local setname
 
-    $IPSET -L | grep "^Name: ${1}_" | while read junk setname; do echo $setname; done
+    $IPSETN -L | grep "^Name: ${1}_" | while read junk setname; do echo $setname; done
 }
 
 list_zone() {
@@ -511,21 +531,19 @@ list_zone() {
     local sets
     local setname
 
-    if [ $IPSET = ipset ]; then
+    determine_ipset_version
-	[ -n "$(mywhich ipset)" ] || fatal_error "The ipset utility cannot be located"
-    fi
 
     if [ $g_family -eq 4 ]; then
-	sets=$($IPSET -L | grep '^$1_');
+	sets=$($IPSETN -L | grep "^$1_");
      else
-	sets=$($IPSET-L | grep "^6_$1_")
+	sets=$($IPSETN -L | grep "^6_$1_")
     fi
 
     [ -n "$sets" ] || sets=$(find_sets $1)
 
     for setname in $sets; do
 	echo "${setname#${1}_}:"
-	$IPSET -L $setname | awk 'BEGIN        {prnt=0;}; \
+	$IPSETN -L $setname | awk 'BEGIN        {prnt=0;}; \
                                    /^Members:/  {prnt=1; next; }; \
                                    /^Bindings:/ {prnt=0; }; \
                                                 { if (prnt == 1) print "   ", $1; };'
@@ -1588,18 +1606,12 @@ add_command() {
 	exit 2
     fi
 
-    case "$IPSET" in
+    determine_ipset_version
-	*/*)
-	    ;;
-	*)
-	    [ -n "$(mywhich $IPSET)" ] || fatal_error "The $IPSET utility cannot be located"
-	    ;;
-    esac
 
     case $1 in
 	*:*)
 	    while [ $# -gt 1 ]; do
-		if $g_family -eq 4; then
+		if [ $g_family -eq 4 ]; then
 		    interface=${1%%:*}
 		    host=${1#*:}
 		else
@@ -1648,7 +1660,7 @@ add_command() {
 		ipset=6_${zone}_${interface};
 	    fi
 
-	    if ! qt $IPSET -L $ipset -n; then
+	    if ! qt $IPSET -L $ipset; then
 		fatal_error "Zone $zone, interface $interface does not have a dynamic host list"
 	    fi
 
@@ -1661,7 +1673,7 @@ add_command() {
 	    fi
 	done
     else
-	qt $IPSET -L $ipset -n || fatal_error "Zone $ipset is not dynamic"
+	qt $IPSET -L $ipset || fatal_error "Zone $ipset is not dynamic"
 
 	for host in $hostlist; do
 	    if $IPSET -A $ipset $host; then
@@ -1683,18 +1695,12 @@ delete_command() {
 	exit 2;
     fi
 
-    case "$IPSET" in
+    determine_ipset_version
-	*/*)
-	    ;;
-	*)
-	    [ -n "$(mywhich $IPSET)" ] || fatal_error "The $IPSET utility cannot be located"
-	    ;;
-    esac
 
     case $1 in
 	*:*)
 	    while [ $# -gt 1 ]; do
-		if $g_family -eq 4; then
+		if [ $g_family -eq 4 ]; then
 		    interface=${1%%:*}
 		    host=${1#*:}
 		else
@@ -1750,7 +1756,7 @@ delete_command() {
 	    host=${host#*:}
 
 	    if $IPSET -D $ipset $host; then
-		echo "Host $hostent deleted from zone $zone"
+		echo "Host $host deleted from zone $zone"
 	    else
 		echo "   WARNING: Unable to delete host $hostent to zone $zone" >&2
 	    fi
@@ -2944,7 +2950,27 @@ get_config() {
 	exit 2
     fi
 
-    IPSET=ipset
+    if [ -n "$IPSET" ]; then
+	case "$IPSET" in
+	    */*)
+		if [ ! -x "$IPSET" ] ; then
+		    echo "   ERROR: The program specified in IPSET ($IPSET) does not exist or is not executable" >&2
+		    exit 2
+		fi
+		;;
+	    *)
+		prog="$(mywhich $IPSET 2> /dev/null)"
+		if [ -z "$prog" ] ; then
+		    echo "   ERROR: Can't find $IPSET executable" >&2
+		    exit 2
+		fi
+		IPSET=$prog
+		;;
+	esac
+    else
+	IPSET='ipset'
+    fi
+
     TC=tc
 
 }