extern/shorewall_code
1
0
Fork 1
mirror of https://gitlab.com/shorewall/code.git synced 2024-11-08 00:34:04 +01:00
Code Issues Packages Projects Releases Wiki Activity

Only save ipsets of the proper family

Browse Source 
Signed-off-by: Tom Eastep <teastep@shorewall.net>
This commit is contained in:
Tom Eastep 2014-09-28 12:58:52 -07:00
parent 6f7d063921
commit b053cab630
3 changed files with 38 additions and 20 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

30
Shorewall/Perl/Shorewall/Chains.pm
View File

@ -8006,22 +8006,31 @@ sub create_save_ipsets() {
'save_ipsets() {' ); 'save_ipsets() {' );
if ( @ipsets || @{$globals{SAVED_IPSETS}} || ( $config{SAVE_IPSETS} && have_ipset_rules ) ) { if ( @ipsets || @{$globals{SAVED_IPSETS}} || ( $config{SAVE_IPSETS} && have_ipset_rules ) ) {
emit( ' local file' , emit( ' local file' );
'', emit( ' local set' ) if have_capability 'IPSET_V5';
' file=$1', emit( '',
'' ' file=$1',
); ''
);
if ( @ipsets ) { if ( @ipsets ) {
ensure_ipset( $_ ) for @ipsets; ensure_ipset( $_ ) for @ipsets;
} }
emit( '' , emit( '' ,
' rm -f ${VARDIR}/ipsets.save' , ' rm -f $file' ,
'' ); '' );
if ( $config{SAVE_IPSETS} ) { if ( $config{SAVE_IPSETS} ) {
if ( $family == F_IPV4 ) { if ( $family == F_IPV6 || $config{SAVE_IPSETS} eq 'ipv4' ) {
my $select = $family == F_IPV4 ? '^create.*family inet ' : 'create.*family inet6 ';
emit( 'touch $file' );
emit( "for set in $(\$IPSET save | grep '$select' | cut -d' ' -f2); do" ,
" \$IPSET save $_ >> \$file" ,
"done" );
} else {
emit ( ' if [ -f /etc/debian_version ] && [ $(cat /etc/debian_version) = 5.0.3 ]; then' , emit ( ' if [ -f /etc/debian_version ] && [ $(cat /etc/debian_version) = 5.0.3 ]; then' ,
' #', ' #',
' # The \'grep -v\' is a hack for a bug in ipset\'s nethash implementation when xtables-addons is applied to Lenny' , ' # The \'grep -v\' is a hack for a bug in ipset\'s nethash implementation when xtables-addons is applied to Lenny' ,
@ -8034,11 +8043,8 @@ sub create_save_ipsets() {
' if eval $IPSET -S $hack > ${VARDIR}/ipsets.tmp; then' , ' if eval $IPSET -S $hack > ${VARDIR}/ipsets.tmp; then' ,
" grep -qE -- \"^(-N|create )\" \${VARDIR}/ipsets.tmp && mv -f \${VARDIR}/ipsets.tmp \$file" , " grep -qE -- \"^(-N|create )\" \${VARDIR}/ipsets.tmp && mv -f \${VARDIR}/ipsets.tmp \$file" ,
' fi' ); ' fi' );
} else { }
emit ( ' if eval $IPSET -S > ${VARDIR}/ipsets.tmp; then' ,
" grep -qE -- \"^(-N|create )\" \${VARDIR}/ipsets.tmp && mv -f \${VARDIR}/ipsets.tmp \$file" ,
' fi' );
}
} elsif ( @ipsets || $globals{SAVED_IPSETS} ) { } elsif ( @ipsets || $globals{SAVED_IPSETS} ) {
emit( ' rm -f ${VARDIR}/ipsets.tmp' , emit( ' rm -f ${VARDIR}/ipsets.tmp' ,
' touch ${VARDIR}/ipsets.tmp' , ' touch ${VARDIR}/ipsets.tmp' ,

20
Shorewall/manpages/shorewall.conf.xml
View File

@ -2470,7 +2470,7 @@ INLINE - - - ; -j REJECT
<varlistentry> <varlistentry>
<term><emphasis role="bold">SAVE_IPSETS=</emphasis>{<emphasis <term><emphasis role="bold">SAVE_IPSETS=</emphasis>{<emphasis
role="bold">Yes</emphasis>|<emphasis role="bold">Yes</emphasis>|<emphasis
role="bold">No|<replaceable>setlist</replaceable></emphasis>}</term> role="bold">No|ipv4|<replaceable>setlist</replaceable></emphasis>}</term>
<listitem> <listitem>
<para>Re-enabled in Shorewall 4.4.6. If SAVE_IPSETS=Yes, then the <para>Re-enabled in Shorewall 4.4.6. If SAVE_IPSETS=Yes, then the
@ -2480,9 +2480,21 @@ INLINE - - - ; -j REJECT
<emphasis role="bold">shorewall start</emphasis> and <emphasis <emphasis role="bold">shorewall start</emphasis> and <emphasis
role="bold">shorewall restore</emphasis> commands.</para> role="bold">shorewall restore</emphasis> commands.</para>
<para>Beginning with Shorewall 4.6.4, you can restrict the set of <para>Beginning with Shorewall 4.6.4:</para>
ipsets saved by specifying a setlist (a comma-separated list of ipv4
ipset names).</para> <itemizedlist>
<listitem>
<para>When SAVE_IPSETS=ipv4, only ipv4 ipsets are saved if the
'Ipset V5' capability is supported by your system.</para>
</listitem>
<listitem>
<para>you can restrict the set of ipsets saved by specifying a
setlist (a comma-separated list of ipv4 ipset names).</para>
</listitem>
</itemizedlist>
<para> </para>
</listitem> </listitem>
</varlistentry> </varlistentry>

8
Shorewall6/manpages/shorewall6.conf.xml
View File

@ -2128,15 +2128,15 @@ INLINE - - - ; -j REJECT
role="bold">No|<replaceable>setlist</replaceable></emphasis>}</term> role="bold">No|<replaceable>setlist</replaceable></emphasis>}</term>
<listitem> <listitem>
<para>Re-enabled in Shorewall 4.4.6. If SAVE_IPSETS=Yes, then the <para>Added in Shoreall 4.6.4. If SAVE_IPSETS=Yes, then the current
current contents of your ipsets will be saved by the <emphasis contents of your ipv6 ipsets will be saved by the <emphasis
role="bold">shorewall stop</emphasis> and <emphasis role="bold">shorewall stop</emphasis> and <emphasis
role="bold">shorewall save</emphasis> commands and restored by the role="bold">shorewall save</emphasis> commands and restored by the
<emphasis role="bold">shorewall start</emphasis> and <emphasis <emphasis role="bold">shorewall start</emphasis> and <emphasis
role="bold">shorewall restore</emphasis> commands.</para> role="bold">shorewall restore</emphasis> commands.</para>
<para>Beginning with Shorewall 4.6.4, you can restrict the set of <para>You can restrict the set of ipsets saved by specifying a
ipsets saved by specifying a setlist (a comma-separated list of ipv6 <replaceable>setlist</replaceable> (a comma-separated list of ipv6
ipset names).</para> ipset names).</para>
</listitem> </listitem>
</varlistentry> </varlistentry>