From e6b0666ac96b97f9bcdd198add6acd51543387bd Mon Sep 17 00:00:00 2001
From: Tom Eastep
Date: Sun, 28 Sep 2014 18:43:11 -0700
Subject: [PATCH] Save ipsets during normal stop (duh)
Signed-off-by: Tom Eastep
---
Shorewall/Perl/Shorewall/Chains.pm | 41 +++++++++++++++++++-----------
Shorewall/Perl/Shorewall/Misc.pm | 39 +++-------------------------
2 files changed, 30 insertions(+), 50 deletions(-)
diff --git a/Shorewall/Perl/Shorewall/Chains.pm b/Shorewall/Perl/Shorewall/Chains.pm
index f1f9db7cf..bb4b70ca3 100644
--- a/Shorewall/Perl/Shorewall/Chains.pm
+++ b/Shorewall/Perl/Shorewall/Chains.pm
@@ -8006,13 +8006,13 @@ sub create_save_ipsets() { 'save_ipsets() {' ); if ( @ipsets || @{$globals{SAVED_IPSETS}} || ( $config{SAVE_IPSETS} && have_ipset_rules ) ) { - emit( ' local file' , - '', - ' file=$1', - '' - ); + emit( ' local file' , + '', + ' file=$1' + ); if ( @ipsets ) { + emit ''; ensure_ipset( $_ ) for @ipsets; }
@@ -8020,19 +8020,24 @@ sub create_save_ipsets() { if ( $family == F_IPV6 || $config{SAVE_IPSETS} eq 'ipv4' ) { my $select = $family == F_IPV4 ? '^create.*family inet ' : 'create.*family inet6 '; - emit( ' rm -f $file' , + emit( '' , + ' rm -f $file' , ' touch $file' , ' local set' , - '' ); - emit( " \$IPSET -S $_ >> >> \$file" ) for @ipsets; + if ( @ipsets ) { + emit ''; + emit( " \$IPSET -S $_ >> >> \$file" ) for @ipsets; + } - emit( " for set in \$(\$IPSET save | grep '$select' | cut -d' ' -f2); do" , + emit( '', " for set in \$(\$IPSET save | grep '$select' | cut -d' ' -f2); do" , " \$IPSET save \$set >> \$file" , " done" ); } else { - emit ( ' if [ -f /etc/debian_version ] && [ $(cat /etc/debian_version) = 5.0.3 ]; then' , + emit ( '' , + ' if [ -f /etc/debian_version ] && [ $(cat /etc/debian_version) = 5.0.3 ]; then' , ' #', ' # The \'grep -v\' is a hack for a bug in ipset\'s nethash implementation when xtables-addons is applied to Lenny' , ' #',
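Review bot: `file=$1` is the only assignment of the destination path inside the generated `save_ipsets()`, but the call this commit adds to the stop script in the Misc.pm hunk below is a bare `save_ipsets` with no argument, so on the stop path `$file` is empty and the `rm -f $file` / `touch $file` / `>> $file` lines in the next hunk fail (bash reports an ambiguous redirect) — as far as these hunks show, a normal stop still saves nothing. The inline code being removed wrote to `${VARDIR}/ipsets.save`, so the stop-script call should be `save_ipsets ${VARDIR}/ipsets.save`, and I would add a guard right after `' file=$1'`: `' [ -n "$file" ] || { error_message "ERROR: save_ipsets: no destination file"; return 1; }'` so a missing argument fails loudly instead of silently. The removed Misc.pm block also verified `$IPSET` with `-x`/`mywhich` before dumping, and nothing visible in `save_ipsets()` does; unless that check lives elsewhere in the generated script, a missing ipset binary now surfaces as a shell command-not-found rather than the explicit error. `create_save_ipsets` starts before this hunk and continues after it.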
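Review bot: The `rm -f $file` / `touch $file` pair emitted at the top of this branch truncates the destination before a single set has been dumped, so if `$IPSET save` yields nothing (no sets loaded, or the ipset binary failing) the previous good save is replaced by an empty file and a blacklist held only in an ipset is gone after the restart. The inline code this commit deletes from Misc.pm avoided exactly that by dumping to `ipsets.tmp` and only `mv`-ing it over `ipsets.save` once `grep -qE '^(-N|create )'` saw real content. I would stage this branch in `${VARDIR}/ipsets.tmp` the same way and finish with the grep-and-`mv -f` line that the `elsif` branch in the next hunk already uses for the check, which also makes the replacement atomic (sketch below; it assumes callers expect `$file` to be replaced, which the existing `rm -f $file` already implies). `$file` is expanded unquoted throughout the function; quoting it as `"$file"` costs nothing for a path that arrives as a caller argument. `create_save_ipsets` starts before this hunk and continues after it.
```perl
            my $select = $family == F_IPV4 ? '^create.*family inet ' : 'create.*family inet6 ';

            # Stage the dump in ipsets.tmp so an empty or failed dump never
            # clobbers the previous good save; $file is replaced atomically below.
            emit( '' ,
                  '    rm -f ${VARDIR}/ipsets.tmp' ,
                  '    touch ${VARDIR}/ipsets.tmp' ,
                  '    local set' ,
                );

            if ( @ipsets ) {
                emit '';
                emit( "    \$IPSET -S $_ >> \${VARDIR}/ipsets.tmp" ) for @ipsets;
            }

            emit( '',
                  "    for set in \$(\$IPSET save | grep '$select' | cut -d' ' -f2); do" ,
                  "        \$IPSET save \$set >> \${VARDIR}/ipsets.tmp" ,
                  "    done" ,
                  '',
                  "    grep -qE -- \"(-N|^create )\" \${VARDIR}/ipsets.tmp && mv -f \${VARDIR}/ipsets.tmp \"\$file\"" );
            # … unchanged: else branch (Debian 5.0.3 nethash hack) …
```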
@@ -8048,20 +8053,26 @@ sub create_save_ipsets() { emit("}\n" ); } elsif ( @ipsets || $globals{SAVED_IPSETS} ) { - emit( ' rm -f ${VARDIR}/ipsets.tmp' , + emit( '' , + ' rm -f ${VARDIR}/ipsets.tmp' , ' touch ${VARDIR}/ipsets.tmp' , - '' ); + ); - emit( " \$IPSET -S $_ >> >> \${VARDIR}/ipsets.tmp" ) for @ipsets; + if ( @ipsets ) { + emit ''; + emit( " \$IPSET -S $_ >> >> \${VARDIR}/ipsets.tmp" ) for @ipsets; + } - emit( " if qt \$IPSET list $_; then" , + emit( '' , + " if qt \$IPSET list $_; then" , " \$IPSET save $_ >> \${VARDIR}/ipsets.tmp" , ' else' , " error_message 'ipset $_ not saved (not found)'" , " fi\n" ) for @{$globals{SAVED_IPSETS}}; - emit( " grep -qE -- \"(-N|^create )\" \${VARDIR}/ipsets.tmp && cat \${VARDIR}/ipsets.tmp >> \$file\n" ); emit( '' , + " grep -qE -- \"(-N|^create )\" \${VARDIR}/ipsets.tmp && cat \${VARDIR}/ipsets.tmp >> \$file\n" , + '' , "}\n" ); } } else {
diff --git a/Shorewall/Perl/Shorewall/Misc.pm b/Shorewall/Perl/Shorewall/Misc.pm
index 981e58a2b..4c2bb79a3 100644
--- a/Shorewall/Perl/Shorewall/Misc.pm
+++ b/Shorewall/Perl/Shorewall/Misc.pm
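Review bot: The final `cat ${VARDIR}/ipsets.tmp >> $file` appends to whatever `$file` already contains, whereas the IPv6/`ipv4` branch in the previous hunk begins with `rm -f $file; touch $file`; unless every caller truncates `$file` first, each stop through this branch adds another copy of every `create`/`add` line and a later `ipset restore` (without `-exist`) rejects the duplicate `create`. Since the content is already staged and checked in `ipsets.tmp`, I would change that one emitted line to `" grep -qE -- \"(-N|^create )\" \${VARDIR}/ipsets.tmp && mv -f \${VARDIR}/ipsets.tmp \"\$file\"\n"`, which replaces the file atomically, never leaves a stale `ipsets.tmp` behind in `${VARDIR}`, and keeps the last good save when the dump turns out empty. When `qt $IPSET list $_` fails the function only calls `error_message` and carries on, so a set named in `SAVED_IPSETS` that has vanished is reported but dropped from the save and will not come back on the next start; if that is intended, a one-line comment above that `emit` (`# a missing SAVED_IPSETS set is reported, not fatal`) would spare the next reader the question. `create_save_ipsets` starts before this hunk and continues after it.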
@@ -2606,42 +2606,11 @@ EOF my @ipsets = all_ipsets; - if ( @ipsets || ( $config{SAVE_IPSETS} && have_ipset_rules ) ) { - emit <<'EOF'; - - case $IPSET in - */*) - if [ ! -x "$IPSET" ]; then - error_message "ERROR: IPSET=$IPSET does not exist or is not executable - ipsets are not saved" - IPSET= - fi - ;; - *) - IPSET="$(mywhich $IPSET)" - [ -n "$IPSET" ] || error_message "ERROR: The ipset utility cannot be located - ipsets are not saved" - ;; - esac - - if [ -n "$IPSET" ]; then - if [ -f /etc/debian_version ] && [ $(cat /etc/debian_version) = 5.0.3 ]; then - # - # The 'grep -v' is a hack for a bug in ipset's nethash implementation when xtables-addons is applied to Lenny - # - hack='| grep -v /31' - else - hack= - fi - - if eval $IPSET -S $hack > ${VARDIR}/ipsets.tmp; then - # - # Don't save an 'empty' file - # - grep -qE '^(-N|create )' ${VARDIR}/ipsets.tmp && mv -f ${VARDIR}/ipsets.tmp ${VARDIR}/ipsets.save - fi - fi -EOF + if ( @ipsets || @{$globals{SAVED_IPSETS}} || ( $config{SAVE_IPSETS} && have_ipset_rules ) ) { + emit( '', + ' save_ipsets' ); } - + emit ' set_state "Stopped"