From b053cab630bd563d1bb03aef0f32beea5e8df69d Mon Sep 17 00:00:00 2001
From: Tom Eastep
Date: Sun, 28 Sep 2014 12:58:52 -0700
Subject: [PATCH] Only save ipsets of the proper family

Signed-off-by: Tom Eastep
---
 Shorewall/Perl/Shorewall/Chains.pm | 30 +++++++++++++++----------
 Shorewall/manpages/shorewall.conf.xml | 20 +++++++++++++----
 Shorewall6/manpages/shorewall6.conf.xml | 8 +++----
 3 files changed, 38 insertions(+), 20 deletions(-)

diff --git a/Shorewall/Perl/Shorewall/Chains.pm b/Shorewall/Perl/Shorewall/Chains.pm
index 9f2c6a422..5f89909be 100644
--- a/Shorewall/Perl/Shorewall/Chains.pm
+++ b/Shorewall/Perl/Shorewall/Chains.pm
@@ -8006,22 +8006,31 @@ sub create_save_ipsets() {
 'save_ipsets() {' );
 
 if ( @ipsets || @{$globals{SAVED_IPSETS}} || ( $config{SAVE_IPSETS} && have_ipset_rules ) ) {
- emit( ' local file' ,
- '',
- ' file=$1',
- ''
- );
+ emit( ' local file' );
+ emit( ' local set' ) if have_capability 'IPSET_V5';
+ emit( '',
+ ' file=$1',
+ ''
+ );
 
 if ( @ipsets ) {
 ensure_ipset( $_ ) for @ipsets;
 }
 
 emit( '' ,
- ' rm -f ${VARDIR}/ipsets.save' ,
+ ' rm -f $file' ,
 '' );
 
 if ( $config{SAVE_IPSETS} ) {
- if ( $family == F_IPV4 ) {
+ if ( $family == F_IPV6 || $config{SAVE_IPSETS} eq 'ipv4' ) {
+ my $select = $family == F_IPV4 ? '^create.*family inet ' : 'create.*family inet6 ';
+
+ emit( 'touch $file' );
+
+ emit( "for set in $(\$IPSET save | grep '$select' | cut -d' ' -f2); do" ,
+ " \$IPSET save $_ >> \$file" ,
+ "done" );
+ } else {
 emit ( ' if [ -f /etc/debian_version ] && [ $(cat /etc/debian_version) = 5.0.3 ]; then' ,
 ' #',
 ' # The \'grep -v\' is a hack for a bug in ipset\'s nethash implementation when xtables-addons is applied to Lenny' ,
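Review bot: The added `emit( "for set in $(\$IPSET save | grep '$select' | cut -d' ' -f2); do" , " \$IPSET save $_ >> \$file" , "done" )` call is written in a double-quoted Perl string, so `$(` and `$_` are interpolated at generation time as Perl's real-gid variable and the topic variable rather than reaching the shell; the emitted save_ipsets() loop then never references `$set`, and the per-family filter this commit introduces is not applied. Both need escaping: `"for set in \$(\$IPSET save | grep '$select' | cut -d' ' -f2); do"` and `"    \$IPSET save \$set >> \$file"`. The IPv6 `$select` pattern (`'create.*family inet6 '`) also lacks the `^` anchor its IPv4 counterpart has, which looks unintended. create_save_ipsets() starts before and continues past this hunk.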
@@ -8034,11 +8043,8 @@ sub create_save_ipsets() { ' if eval $IPSET -S $hack > ${VARDIR}/ipsets.tmp; then' , " grep -qE -- \"^(-N|create )\" \${VARDIR}/ipsets.tmp && mv -f \${VARDIR}/ipsets.tmp \$file" , ' fi' ); - } else { - emit ( ' if eval $IPSET -S > ${VARDIR}/ipsets.tmp; then' , - " grep -qE -- \"^(-N|create )\" \${VARDIR}/ipsets.tmp && mv -f \${VARDIR}/ipsets.tmp \$file" , - ' fi' ); - } + } + } elsif ( @ipsets || $globals{SAVED_IPSETS} ) { emit( ' rm -f ${VARDIR}/ipsets.tmp' , ' touch ${VARDIR}/ipsets.tmp' , diff --git a/Shorewall/manpages/shorewall.conf.xml b/Shorewall/manpages/shorewall.conf.xml index cbcc91b82..aee177a2b 100644 --- a/Shorewall/manpages/shorewall.conf.xml +++ b/Shorewall/manpages/shorewall.conf.xml @@ -2470,7 +2470,7 @@ INLINE - - - ; -j REJECT SAVE_IPSETS={Yes|No|setlist} + role="bold">No|ipv4|setlist} Re-enabled in Shorewall 4.4.6. If SAVE_IPSETS=Yes, then the @@ -2480,9 +2480,21 @@ INLINE - - - ; -j REJECT shorewall start and shorewall restore commands. - Beginning with Shorewall 4.6.4, you can restrict the set of - ipsets saved by specifying a setlist (a comma-separated list of ipv4 - ipset names). + Beginning with Shorewall 4.6.4: + + + + When SAVE_IPSETS=ipv4, only ipv4 ipsets are saved if the + 'Ipset V5' capability is supported by your system. + + + + you can restrict the set of ipsets saved by specifying a + setlist (a comma-separated list of ipv4 ipset names). + + + + diff --git a/Shorewall6/manpages/shorewall6.conf.xml b/Shorewall6/manpages/shorewall6.conf.xml index be535f1e4..b4464afff 100644 --- a/Shorewall6/manpages/shorewall6.conf.xml +++ b/Shorewall6/manpages/shorewall6.conf.xml 
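Review bot: Deleting the generic `else` branch here also drops its `grep -qE -- "^(-N|create )" ${VARDIR}/ipsets.tmp && mv -f` guard, and the replacement branch in the previous hunk (`touch $file` followed by appends inside a command substitution, where the pipeline's exit status is lost) has no equivalent, so a failing or empty `$IPSET save` now silently produces an empty `$file` instead of preserving the previous save for the next restore. The new branch is also taken for every IPv6 build whether or not `have_capability 'IPSET_V5'` holds, while only the `local set` declaration is gated on that capability and the shorewall.conf.xml text in this commit says the family filter applies only when it is supported; presumably the condition should include the capability or fall back to the old `-S` path otherwise. Consider keeping the `-N|create` content check before the new output replaces `$file`. create_save_ipsets() continues past this hunk.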
@@ -2128,15 +2128,15 @@ INLINE - - - ; -j REJECT role="bold">No|setlist} - Re-enabled in Shorewall 4.4.6. If SAVE_IPSETS=Yes, then the - current contents of your ipsets will be saved by the Added in Shoreall 4.6.4. If SAVE_IPSETS=Yes, then the current + contents of your ipv6 ipsets will be saved by the shorewall stop and shorewall save commands and restored by the shorewall start and shorewall restore commands. - Beginning with Shorewall 4.6.4, you can restrict the set of - ipsets saved by specifying a setlist (a comma-separated list of ipv6 + You can restrict the set of ipsets saved by specifying a + setlist (a comma-separated list of ipv6 ipset names).