extern/shorewall_code
1
0
Fork 1
mirror of https://gitlab.com/shorewall/code.git synced 2025-06-13 21:27:00 +02:00
Code Issues Packages Projects Releases Wiki Activity

Save ipsets during normal stop (duh)

Browse Source 
Signed-off-by: Tom Eastep <teastep@shorewall.net>
This commit is contained in:
Tom Eastep 2014-09-28 18:43:11 -07:00
parent 2a463e06aa
commit e6b0666ac9
2 changed files with 30 additions and 50 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

41
Shorewall/Perl/Shorewall/Chains.pm
View File

@ -8006,13 +8006,13 @@ sub create_save_ipsets() {
'save_ipsets() {' ); 'save_ipsets() {' );
if ( @ipsets || @{$globals{SAVED_IPSETS}} || ( $config{SAVE_IPSETS} && have_ipset_rules ) ) { if ( @ipsets || @{$globals{SAVED_IPSETS}} || ( $config{SAVE_IPSETS} && have_ipset_rules ) ) {
emit( ' local file' , emit( ' local file' ,
'', '',
' file=$1', ' file=$1'
'' );
);
if ( @ipsets ) { if ( @ipsets ) {
emit '';
ensure_ipset( $_ ) for @ipsets; ensure_ipset( $_ ) for @ipsets;
} }
@ -8020,19 +8020,24 @@ sub create_save_ipsets() {
if ( $family == F_IPV6 || $config{SAVE_IPSETS} eq 'ipv4' ) { if ( $family == F_IPV6 || $config{SAVE_IPSETS} eq 'ipv4' ) {
my $select = $family == F_IPV4 ? '^create.*family inet ' : 'create.*family inet6 '; my $select = $family == F_IPV4 ? '^create.*family inet ' : 'create.*family inet6 ';
emit( ' rm -f $file' , emit( '' ,
' rm -f $file' ,
' touch $file' , ' touch $file' ,
' local set' , ' local set' ,
''
); );
emit( " \$IPSET -S $_ >> >> \$file" ) for @ipsets; if ( @ipsets ) {
emit '';
emit( " \$IPSET -S $_ >> >> \$file" ) for @ipsets;
}
emit( " for set in \$(\$IPSET save | grep '$select' | cut -d' ' -f2); do" , emit( '',
" for set in \$(\$IPSET save | grep '$select' | cut -d' ' -f2); do" ,
" \$IPSET save \$set >> \$file" , " \$IPSET save \$set >> \$file" ,
" done" ); " done" );
} else { } else {
emit ( ' if [ -f /etc/debian_version ] && [ $(cat /etc/debian_version) = 5.0.3 ]; then' , emit ( '' ,
' if [ -f /etc/debian_version ] && [ $(cat /etc/debian_version) = 5.0.3 ]; then' ,
' #', ' #',
' # The \'grep -v\' is a hack for a bug in ipset\'s nethash implementation when xtables-addons is applied to Lenny' , ' # The \'grep -v\' is a hack for a bug in ipset\'s nethash implementation when xtables-addons is applied to Lenny' ,
' #', ' #',
@ -8048,20 +8053,26 @@ sub create_save_ipsets() {
emit("}\n" ); emit("}\n" );
} elsif ( @ipsets || $globals{SAVED_IPSETS} ) { } elsif ( @ipsets || $globals{SAVED_IPSETS} ) {
emit( ' rm -f ${VARDIR}/ipsets.tmp' , emit( '' ,
' rm -f ${VARDIR}/ipsets.tmp' ,
' touch ${VARDIR}/ipsets.tmp' , ' touch ${VARDIR}/ipsets.tmp' ,
'' ); );
emit( " \$IPSET -S $_ >> >> \${VARDIR}/ipsets.tmp" ) for @ipsets; if ( @ipsets ) {
emit '';
emit( " \$IPSET -S $_ >> >> \${VARDIR}/ipsets.tmp" ) for @ipsets;
}
emit( " if qt \$IPSET list $_; then" , emit( '' ,
" if qt \$IPSET list $_; then" ,
" \$IPSET save $_ >> \${VARDIR}/ipsets.tmp" , " \$IPSET save $_ >> \${VARDIR}/ipsets.tmp" ,
' else' , ' else' ,
" error_message 'ipset $_ not saved (not found)'" , " error_message 'ipset $_ not saved (not found)'" ,
" fi\n" ) for @{$globals{SAVED_IPSETS}}; " fi\n" ) for @{$globals{SAVED_IPSETS}};
emit( " grep -qE -- \"(-N|^create )\" \${VARDIR}/ipsets.tmp && cat \${VARDIR}/ipsets.tmp >> \$file\n" );
emit( '' , emit( '' ,
" grep -qE -- \"(-N|^create )\" \${VARDIR}/ipsets.tmp && cat \${VARDIR}/ipsets.tmp >> \$file\n" ,
'' ,
"}\n" ); "}\n" );
} }
} else { } else {

39
Shorewall/Perl/Shorewall/Misc.pm
View File

@ -2606,42 +2606,11 @@ EOF
my @ipsets = all_ipsets; my @ipsets = all_ipsets;
if ( @ipsets || ( $config{SAVE_IPSETS} && have_ipset_rules ) ) { if ( @ipsets || @{$globals{SAVED_IPSETS}} || ( $config{SAVE_IPSETS} && have_ipset_rules ) ) {
emit <<'EOF'; emit( '',
' save_ipsets' );
case $IPSET in
*/*)
if [ ! -x "$IPSET" ]; then
error_message "ERROR: IPSET=$IPSET does not exist or is not executable - ipsets are not saved"
IPSET=
fi
;;
*)
IPSET="$(mywhich $IPSET)"
[ -n "$IPSET" ] || error_message "ERROR: The ipset utility cannot be located - ipsets are not saved"
;;
esac
if [ -n "$IPSET" ]; then
if [ -f /etc/debian_version ] && [ $(cat /etc/debian_version) = 5.0.3 ]; then
#
# The 'grep -v' is a hack for a bug in ipset's nethash implementation when xtables-addons is applied to Lenny
#
hack='| grep -v /31'
else
hack=
fi
if eval $IPSET -S $hack > ${VARDIR}/ipsets.tmp; then
#
# Don't save an 'empty' file
#
grep -qE '^(-N|create )' ${VARDIR}/ipsets.tmp && mv -f ${VARDIR}/ipsets.tmp ${VARDIR}/ipsets.save
fi
fi
EOF
} }
emit ' emit '
set_state "Stopped" set_state "Stopped"