Correct ipset detection on later kernels.

Signed-off-by: Tom Eastep <teastep@shorewall.net>
2024-11-07 16:24:01 +01:00 · 2014-07-19 08:55:02 -07:00 · 2014-07-19 08:55:02 -07:00 · b207f64a85
commit b207f64a85
parent 9f381209d5
1 changed files with 28 additions and 10 deletions
--- a/Shorewall/Perl/Shorewall/Config.pm
+++ b/Shorewall/Perl/Shorewall/Config.pm
@ -4109,7 +4109,7 @@ sub Old_IPSet_Match() {
 sub IPSet_Match() {
    my $ipset  = $config{IPSET} || 'ipset';
    my $result = 0;
-    my $fam    = $family == F_IPV4 ? 'inet' : 'inet6';
+    my $have_ipset;

    $ipset = which $ipset unless $ipset =~ '/';

@ -4118,18 +4118,36 @@ sub IPSet_Match() {
    if ( $ipset && -x $ipset ) {
 	qt( "$ipset -X $sillyname" );

-	if ( qt( "$ipset -N $sillyname iphash" ) || qt( "$ipset -N $sillyname hash:ip family $fam") ) {
-	    if ( qt1( "$iptables $iptablesw -A $sillyname -m set --match-set $sillyname src -j ACCEPT" ) ) {
-		$capabilities{IPSET_MATCH_NOMATCH}  = qt1( "$iptables $iptablesw -A $sillyname -m set --match-set $sillyname src --return-nomatch -j ACCEPT" );
-		$capabilities{IPSET_MATCH_COUNTERS} = qt1( "$iptables $iptablesw -A $sillyname -m set --match-set $sillyname src --packets-lt 100 -j ACCEPT" );
-		qt1( "$iptables $iptablesw -F $sillyname" );
-		$result = ! ( $capabilities{OLD_IPSET_MATCH} = 0 );
-	    } else {
-		$result = have_capability 'OLD_IPSET_MATCH';
+	if ( $family == F_IPV4 ) {
+	    if ( qt("$ipset -N $sillyname hash:ip family inet") ) {
+		$capabilities{IPSET_V5} = 1;
+		$have_ipset = 1;
+	    } elsif ( qt( "ipset -N $sillyname iphash" ) ) {
+		$have_ipset = 1;
 	    }

-	    qt( "$ipset -X $sillyname" );
+	    if ( $have_ipset ) {
+		if ( qt1( "$iptables $iptablesw -A $sillyname -m set --match-set $sillyname src -j ACCEPT" ) ) {
+		    $capabilities{IPSET_MATCH_NOMATCH}  = qt1( "$iptables $iptablesw -A $sillyname -m set --match-set $sillyname src --return-nomatch -j ACCEPT" );
+		    $capabilities{IPSET_MATCH_COUNTERS} = qt1( "$iptables $iptablesw -A $sillyname -m set --match-set $sillyname src --packets-lt 100 -j ACCEPT" );
+		    qt1( "$iptables $iptablesw -F $sillyname" );
+		    $result = ! ( $capabilities{OLD_IPSET_MATCH} = 0 );
+		} elsif ( qt1( "iptables $iptablesw -A $sillyname -m set --set $sillyname src -j ACCEPT" ) ) {
+		    qt1( "$iptables $iptablesw -F $sillyname" );
+		    $result = ! ( $capabilities{OLD_IPSET_MATCH} = 0 );
+		}
+
+		qt( "$ipset -X $sillyname" );
+	    }
+	} elsif ( qt( "$ipset -N $sillyname hash:ip family inet6" ) ) {
+	    $capabilities{IPSET_V5} = 1;
+	    if ( qt1( "$iptables $iptablesw -A $sillyname -m set --match-set $sillyname src -j ACCEPT" ) ) {
+		qt1( "$iptables $iptablesw -F $sillyname" );
+		$result = ! ( $capabilities{OLD_IPSET_MATCH} = 0 );
+	    }
 	}
+
+	qt( "$ipset -X $sillyname" );
    }

    $result;