forked from extern/shorewall_code
Move ipset-load code to Chains.pm. Better there than in Compiler.pm
Signed-off-by: Tom Eastep <teastep@shorewall.net>
This commit is contained in:
Tom Eastep
parent
3adb8c29c5
commit
0b9213bc6d
@ -162,6 +162,7 @@ our %EXPORT_TAGS = (
|
|||||||
have_global_variables
|
have_global_variables
|
||||||
set_global_variables
|
set_global_variables
|
||||||
save_dynamic_chains
|
save_dynamic_chains
|
||||||
|
load_ipsets
|
||||||
create_netfilter_load
|
create_netfilter_load
|
||||||
preview_netfilter_load
|
preview_netfilter_load
|
||||||
create_chainlist_reload
|
create_chainlist_reload
|
||||||
@ -3643,6 +3644,78 @@ EOF
|
|||||||
'' );
|
'' );
|
||||||
}
|
}
|
||||||
|
|
||||||
|
sub load_ipsets() {
|
||||||
|
|
||||||
|
my @ipsets = all_ipsets;
|
||||||
|
|
||||||
|
if ( @ipsets || $config{SAVE_IPSETS} ) {
|
||||||
|
emit ( '',
|
||||||
|
'local hack',
|
||||||
|
'',
|
||||||
|
'case $IPSET in',
|
||||||
|
' */*)',
|
||||||
|
' [ -x "$IPSET" ] || startup_error "IPSET=$IPSET does not exist or is not executable"',
|
||||||
|
' ;;',
|
||||||
|
' *)',
|
||||||
|
' IPSET="$(mywhich $IPSET)"',
|
||||||
|
' [ -n "$IPSET" ] || startup_error "The ipset utility cannot be located"' ,
|
||||||
|
' ;;',
|
||||||
|
'esac',
|
||||||
|
'',
|
||||||
|
'if [ "$COMMAND" = start ]; then' ,
|
||||||
|
' if [ -f ${VARDIR}/ipsets.save ]; then' ,
|
||||||
|
' $IPSET -F' ,
|
||||||
|
' $IPSET -X' ,
|
||||||
|
' $IPSET -R < ${VARDIR}/ipsets.save' ,
|
||||||
|
' fi' ,
|
||||||
|
'elif [ "$COMMAND" = restore -a -z "$g_recovering" ]; then' ,
|
||||||
|
' if [ -f $(my_pathname)-ipsets ]; then' ,
|
||||||
|
' if chain_exists shorewall; then' ,
|
||||||
|
' startup_error "Cannot restore $(my_pathname)-ipsets with Shorewall running"' ,
|
||||||
|
' else' ,
|
||||||
|
' $IPSET -F' ,
|
||||||
|
' $IPSET -X' ,
|
||||||
|
' $IPSET -R < $(my_pathname)-ipsets' ,
|
||||||
|
' fi' ,
|
||||||
|
' fi' ,
|
||||||
|
);
|
||||||
|
|
||||||
|
if ( @ipsets ) {
|
||||||
|
emit '';
|
||||||
|
|
||||||
|
emit ( " qt \$IPSET -L $_ -n || \$IPSET -N $_ iphash" ) for @ipsets;
|
||||||
|
|
||||||
|
emit ( '' ,
|
||||||
|
'elif [ "$COMMAND" = restart ]; then' ,
|
||||||
|
'' );
|
||||||
|
|
||||||
|
emit ( " qt \$IPSET -L $_ -n || \$IPSET -N $_ iphash" ) for @ipsets;
|
||||||
|
|
||||||
|
emit ( '' ,
|
||||||
|
' if [ -f /etc/debian_version ] && [ $(cat /etc/debian_version) = 5.0.3 ]; then' ,
|
||||||
|
' #',
|
||||||
|
' # The \'grep -v\' is a hack for a bug in ipset\'s nethash implementation when xtables-addons is applied to Lenny' ,
|
||||||
|
' #',
|
||||||
|
' hack=\'| grep -v /31\'' ,
|
||||||
|
' else' ,
|
||||||
|
' hack=' ,
|
||||||
|
' fi' ,
|
||||||
|
'',
|
||||||
|
' if eval $IPSET -S $hack > ${VARDIR}/ipsets.tmp; then' ,
|
||||||
|
' grep -q "^-N" ${VARDIR}/ipsets.tmp && mv -f ${VARDIR}/ipsets.tmp ${VARDIR}/ipsets.save' ,
|
||||||
|
' fi' );
|
||||||
|
}
|
||||||
|
|
||||||
|
if ( @ipsets ) {
|
||||||
|
emit ( 'elif [ "$COMMAND" = refresh ]; then' );
|
||||||
|
emit ( " qt \$IPSET -L $_ -n || \$IPSET -N $_ iphash" ) for @ipsets;
|
||||||
|
}
|
||||||
|
|
||||||
|
emit ( 'fi' ,
|
||||||
|
'' );
|
||||||
|
}
|
||||||
|
}
|
||||||
|
|
||||||
#
|
#
|
||||||
#
|
#
|
||||||
# Generate the netfilter input
|
# Generate the netfilter input
|
||||||
|
|||||||
@ -353,76 +353,11 @@ sub generate_script_3($) {
|
|||||||
}
|
}
|
||||||
|
|
||||||
if ( $family == F_IPV4 ) {
|
if ( $family == F_IPV4 ) {
|
||||||
my @ipsets = all_ipsets;
|
load_ipsets;
|
||||||
|
|
||||||
if ( @ipsets || $config{SAVE_IPSETS} ) {
|
|
||||||
emit ( '',
|
|
||||||
'local hack',
|
|
||||||
'',
|
|
||||||
'case $IPSET in',
|
|
||||||
' */*)',
|
|
||||||
' [ -x "$IPSET" ] || startup_error "IPSET=$IPSET does not exist or is not executable"',
|
|
||||||
' ;;',
|
|
||||||
' *)',
|
|
||||||
' IPSET="$(mywhich $IPSET)"',
|
|
||||||
' [ -n "$IPSET" ] || startup_error "The ipset utility cannot be located"' ,
|
|
||||||
' ;;',
|
|
||||||
'esac',
|
|
||||||
'',
|
|
||||||
'if [ "$COMMAND" = start ]; then' ,
|
|
||||||
' if [ -f ${VARDIR}/ipsets.save ]; then' ,
|
|
||||||
' $IPSET -F' ,
|
|
||||||
' $IPSET -X' ,
|
|
||||||
' $IPSET -R < ${VARDIR}/ipsets.save' ,
|
|
||||||
' fi' ,
|
|
||||||
'elif [ "$COMMAND" = restore -a -z "$g_recovering" ]; then' ,
|
|
||||||
' if [ -f $(my_pathname)-ipsets ]; then' ,
|
|
||||||
' if chain_exists shorewall; then' ,
|
|
||||||
' startup_error "Cannot restore $(my_pathname)-ipsets with Shorewall running"' ,
|
|
||||||
' else' ,
|
|
||||||
' $IPSET -F' ,
|
|
||||||
' $IPSET -X' ,
|
|
||||||
' $IPSET -R < $(my_pathname)-ipsets' ,
|
|
||||||
' fi' ,
|
|
||||||
' fi' ,
|
|
||||||
);
|
|
||||||
|
|
||||||
if ( @ipsets ) {
|
|
||||||
emit '';
|
|
||||||
|
|
||||||
emit ( " qt \$IPSET -L $_ -n || \$IPSET -N $_ iphash" ) for @ipsets;
|
|
||||||
|
|
||||||
emit ( '' ,
|
|
||||||
'elif [ "$COMMAND" = restart ]; then' ,
|
|
||||||
'' );
|
|
||||||
|
|
||||||
emit ( " qt \$IPSET -L $_ -n || \$IPSET -N $_ iphash" ) for @ipsets;
|
|
||||||
|
|
||||||
emit ( '' ,
|
|
||||||
' if [ -f /etc/debian_version ] && [ $(cat /etc/debian_version) = 5.0.3 ]; then' ,
|
|
||||||
' #',
|
|
||||||
' # The \'grep -v\' is a hack for a bug in ipset\'s nethash implementation when xtables-addons is applied to Lenny' ,
|
|
||||||
' #',
|
|
||||||
' hack=\'| grep -v /31\'' ,
|
|
||||||
' else' ,
|
|
||||||
' hack=' ,
|
|
||||||
' fi' ,
|
|
||||||
'',
|
|
||||||
' if eval $IPSET -S $hack > ${VARDIR}/ipsets.tmp; then' ,
|
|
||||||
' grep -q "^-N" ${VARDIR}/ipsets.tmp && mv -f ${VARDIR}/ipsets.tmp ${VARDIR}/ipsets.save' ,
|
|
||||||
' fi' );
|
|
||||||
}
|
|
||||||
|
|
||||||
emit ( 'fi',
|
|
||||||
'' );
|
|
||||||
}
|
|
||||||
|
|
||||||
emit ( 'if [ "$COMMAND" = refresh ]; then' ,
|
emit ( 'if [ "$COMMAND" = refresh ]; then' ,
|
||||||
' run_refresh_exit' );
|
' run_refresh_exit' ,
|
||||||
|
'else' ,
|
||||||
emit ( " qt \$IPSET -L $_ -n || \$IPSET -N $_ iphash" ) for @ipsets;
|
|
||||||
|
|
||||||
emit ( 'else' ,
|
|
||||||
' run_init_exit',
|
' run_init_exit',
|
||||||
'fi',
|
'fi',
|
||||||
'' );
|
'' );
|
||||||
|
|||||||
Loading…
Reference in New Issue
Block a user