diff --git a/Shorewall/Perl/Shorewall/Chains.pm b/Shorewall/Perl/Shorewall/Chains.pm
index ca0111351..b2e2fb090 100644
--- a/Shorewall/Perl/Shorewall/Chains.pm
+++ b/Shorewall/Perl/Shorewall/Chains.pm
@@ -162,6 +162,7 @@ our %EXPORT_TAGS = (
 have_global_variables
 set_global_variables
 save_dynamic_chains
+ load_ipsets
 create_netfilter_load
 preview_netfilter_load
 create_chainlist_reload
@@ -3643,6 +3644,78 @@ EOF
 '' );
 }
 
+sub load_ipsets() {
+
+ my @ipsets = all_ipsets;
+
+ if ( @ipsets || $config{SAVE_IPSETS} ) {
+ emit ( '',
+ 'local hack',
+ '',
+ 'case $IPSET in',
+ ' */*)',
+ ' [ -x "$IPSET" ] || startup_error "IPSET=$IPSET does not exist or is not executable"',
+ ' ;;',
+ ' *)',
+ ' IPSET="$(mywhich $IPSET)"',
+ ' [ -n "$IPSET" ] || startup_error "The ipset utility cannot be located"' ,
+ ' ;;',
+ 'esac',
+ '',
+ 'if [ "$COMMAND" = start ]; then' ,
+ ' if [ -f ${VARDIR}/ipsets.save ]; then' ,
+ ' $IPSET -F' ,
+ ' $IPSET -X' ,
+ ' $IPSET -R < ${VARDIR}/ipsets.save' ,
+ ' fi' ,
+ 'elif [ "$COMMAND" = restore -a -z "$g_recovering" ]; then' ,
+ ' if [ -f $(my_pathname)-ipsets ]; then' ,
+ ' if chain_exists shorewall; then' ,
+ ' startup_error "Cannot restore $(my_pathname)-ipsets with Shorewall running"' ,
+ ' else' ,
+ ' $IPSET -F' ,
+ ' $IPSET -X' ,
+ ' $IPSET -R < $(my_pathname)-ipsets' ,
+ ' fi' ,
+ ' fi' ,
+ );
+
+ if ( @ipsets ) {
+ emit '';
+
+ emit ( " qt \$IPSET -L $_ -n || \$IPSET -N $_ iphash" ) for @ipsets;
+
+ emit ( '' ,
+ 'elif [ "$COMMAND" = restart ]; then' ,
+ '' );
+
+ emit ( " qt \$IPSET -L $_ -n || \$IPSET -N $_ iphash" ) for @ipsets;
+
+ emit ( '' ,
+ ' if [ -f /etc/debian_version ] && [ $(cat /etc/debian_version) = 5.0.3 ]; then' ,
+ ' #',
+ ' # The \'grep -v\' is a hack for a bug in ipset\'s nethash implementation when xtables-addons is applied to Lenny' ,
+ ' #',
+ ' hack=\'| grep -v /31\'' ,
+ ' else' ,
+ ' hack=' ,
+ ' fi' ,
+ '',
+ ' if eval $IPSET -S $hack > ${VARDIR}/ipsets.tmp; then' ,
+ ' grep -q "^-N" ${VARDIR}/ipsets.tmp && mv -f ${VARDIR}/ipsets.tmp ${VARDIR}/ipsets.save' ,
+ ' fi' );
+ }
+
+ if ( @ipsets ) {
+ emit ( 'elif [ "$COMMAND" = refresh ]; then' );
+ emit ( " qt \$IPSET -L $_ -n || \$IPSET -N $_ iphash" ) for @ipsets;
+ }
+
+ emit ( 'fi' ,
+ '' );
+ }
+}
+
 #
 #
 # Generate the netfilter input
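Review bot: The emitted `start` and `restore` branches run `$IPSET -F` and `$IPSET -X` with no set name, which flushes and destroys every ipset on the host rather than only Shorewall's, and neither those commands nor the following `$IPSET -R` has its exit status checked, so a failed restore (for instance a set that `-X` could not destroy because a non-Shorewall rule still references it) lets the generated script carry on with the sets missing or stale. Failing closed on the restore is a one-line change in each branch, e.g. `' $IPSET -R < ${VARDIR}/ipsets.save || startup_error "Unable to restore ipsets from ${VARDIR}/ipsets.save"' ,` and likewise for `$(my_pathname)-ipsets`. Separately, the Lenny test `[ $(cat /etc/debian_version) = 5.0.3 ]` leaves the command substitution unquoted, so a multi-word or empty `/etc/debian_version` produces a `[` error on stderr instead of a clean comparison; `[ "$(cat /etc/debian_version)" = 5.0.3 ]` is the safe form. Note also that `$IPSET -S $hack` is run through `eval`, so an `IPSET` value from the configuration that contains whitespace or shell metacharacters would be re-parsed by the shell rather than passed as a single word.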
diff --git a/Shorewall/Perl/Shorewall/Compiler.pm b/Shorewall/Perl/Shorewall/Compiler.pm
index 0d7e9888b..30f8b52a0 100644
--- a/Shorewall/Perl/Shorewall/Compiler.pm
+++ b/Shorewall/Perl/Shorewall/Compiler.pm
@@ -353,76 +353,11 @@ sub generate_script_3($) {
 }
 
 if ( $family == F_IPV4 ) {
- my @ipsets = all_ipsets;
-
- if ( @ipsets || $config{SAVE_IPSETS} ) {
- emit ( '',
- 'local hack',
- '',
- 'case $IPSET in',
- ' */*)',
- ' [ -x "$IPSET" ] || startup_error "IPSET=$IPSET does not exist or is not executable"',
- ' ;;',
- ' *)',
- ' IPSET="$(mywhich $IPSET)"',
- ' [ -n "$IPSET" ] || startup_error "The ipset utility cannot be located"' ,
- ' ;;',
- 'esac',
- '',
- 'if [ "$COMMAND" = start ]; then' ,
- ' if [ -f ${VARDIR}/ipsets.save ]; then' ,
- ' $IPSET -F' ,
- ' $IPSET -X' ,
- ' $IPSET -R < ${VARDIR}/ipsets.save' ,
- ' fi' ,
- 'elif [ "$COMMAND" = restore -a -z "$g_recovering" ]; then' ,
- ' if [ -f $(my_pathname)-ipsets ]; then' ,
- ' if chain_exists shorewall; then' ,
- ' startup_error "Cannot restore $(my_pathname)-ipsets with Shorewall running"' ,
- ' else' ,
- ' $IPSET -F' ,
- ' $IPSET -X' ,
- ' $IPSET -R < $(my_pathname)-ipsets' ,
- ' fi' ,
- ' fi' ,
- );
-
- if ( @ipsets ) {
- emit '';
-
- emit ( " qt \$IPSET -L $_ -n || \$IPSET -N $_ iphash" ) for @ipsets;
-
- emit ( '' ,
- 'elif [ "$COMMAND" = restart ]; then' ,
- '' );
-
- emit ( " qt \$IPSET -L $_ -n || \$IPSET -N $_ iphash" ) for @ipsets;
-
- emit ( '' ,
- ' if [ -f /etc/debian_version ] && [ $(cat /etc/debian_version) = 5.0.3 ]; then' ,
- ' #',
- ' # The \'grep -v\' is a hack for a bug in ipset\'s nethash implementation when xtables-addons is applied to Lenny' ,
- ' #',
- ' hack=\'| grep -v /31\'' ,
- ' else' ,
- ' hack=' ,
- ' fi' ,
- '',
- ' if eval $IPSET -S $hack > ${VARDIR}/ipsets.tmp; then' ,
- ' grep -q "^-N" ${VARDIR}/ipsets.tmp && mv -f ${VARDIR}/ipsets.tmp ${VARDIR}/ipsets.save' ,
- ' fi' );
- }
-
- emit ( 'fi',
- '' );
- }
+ load_ipsets;
 
 emit ( 'if [ "$COMMAND" = refresh ]; then' ,
- ' run_refresh_exit' );
-
- emit ( " qt \$IPSET -L $_ -n || \$IPSET -N $_ iphash" ) for @ipsets;
-
- emit ( 'else' ,
+ ' run_refresh_exit' ,
+ 'else' ,
 ' run_init_exit',
 'fi',
 '' );
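Review bot: With `load_ipsets` called at this point, the ipset creation for `refresh` (`qt $IPSET -L ... || $IPSET -N ... iphash`) is now emitted before the `run_refresh_exit` call below, whereas the removed lines emitted it after; a refresh exit script that populates those sets will now find them already created, which looks like the better order but is a behaviour change the diff does not record. A short comment above the call, e.g. `# load_ipsets also creates any missing sets for 'refresh', ahead of run_refresh_exit`, would make the ordering deliberate rather than accidental. The call also sits under `if ( $family == F_IPV4 )`, as the removed code did, so an IPv6 compile still gets no ipset handling; whether that is intended is not visible from this hunk. generate_script_3 begins before and ends after this hunk.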