Re-enable SAVE_IPSETS=Yes
Signed-off-by: Tom Eastep <teastep@shorewall.net>
This commit is contained in:
parent
b491eae3c0
commit
1aa55779e2
@ -355,8 +355,10 @@ sub generate_script_3($) {
|
|||||||
if ( $family == F_IPV4 ) {
|
if ( $family == F_IPV4 ) {
|
||||||
my @ipsets = all_ipsets;
|
my @ipsets = all_ipsets;
|
||||||
|
|
||||||
if ( @ipsets ) {
|
if ( @ipsets || $config{SAVE_IPSETS} ) {
|
||||||
emit ( '',
|
emit ( '',
|
||||||
|
'local hack',
|
||||||
|
'',
|
||||||
'case $IPSET in',
|
'case $IPSET in',
|
||||||
' */*)',
|
' */*)',
|
||||||
' [ -x "$IPSET" ] || fatal_error "IPSET=$IPSET does not exist or is not executable"',
|
' [ -x "$IPSET" ] || fatal_error "IPSET=$IPSET does not exist or is not executable"',
|
||||||
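Review bot: The added `'local hack'` emits a `local` declaration into the generated script, and `local` is not POSIX sh and is rejected outside a function by both dash and bash; whether this emission point lands inside a shell function is not visible here, since generate_script_3's body begins before the hunk. If the generated script already uses `local` elsewhere in this function this is fine; otherwise a plain `hack=` initialisation at the same spot avoids the dependency. The variable is also only assigned and read inside the `if ( @ipsets )` block of the next hunk, so the declaration could move there to keep the two together.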
@ -375,18 +377,30 @@ sub generate_script_3($) {
|
|||||||
' fi' ,
|
' fi' ,
|
||||||
'' );
|
'' );
|
||||||
|
|
||||||
emit ( " qt \$IPSET -L $_ -n || \$IPSET -N $_ iphash" ) for @ipsets;
|
if ( @ipsets ) {
|
||||||
|
emit ( " qt \$IPSET -L $_ -n || \$IPSET -N $_ iphash" ) for @ipsets;
|
||||||
|
|
||||||
emit ( '' ,
|
emit ( '' ,
|
||||||
'elif [ "$COMMAND" = restart ]; then' ,
|
'elif [ "$COMMAND" = restart ]; then' ,
|
||||||
'' );
|
'' );
|
||||||
|
|
||||||
emit ( " qt \$IPSET -L $_ -n || \$IPSET -N $_ iphash" ) for @ipsets;
|
emit ( " qt \$IPSET -L $_ -n || \$IPSET -N $_ iphash" ) for @ipsets;
|
||||||
|
|
||||||
|
emit ( '' ,
|
||||||
|
' if [ -f /etc/debian_version ] && [ $(cat /etc/debian_version) = 5.0.3 ]; then' ,
|
||||||
|
' #',
|
||||||
|
' # The \'grep -v\' is a hack for a bug in ipset\'s nethash implementation when xtables-addons is applied to Lenny' ,
|
||||||
|
' #',
|
||||||
|
' hack=\'| grep -v /31\'' ,
|
||||||
|
' else' ,
|
||||||
|
' hack=' ,
|
||||||
|
' fi' ,
|
||||||
|
'',
|
||||||
|
' if eval $IPSET -S $hack > ${VARDIR}/ipsets.tmp; then' ,
|
||||||
|
' grep -q "^-N" ${VARDIR}/ipsets.tmp && mv -f ${VARDIR}/ipsets.tmp ${VARDIR}/ipsets.save' ,
|
||||||
|
' fi' );
|
||||||
|
}
|
||||||
|
|
||||||
emit ( '' ,
|
|
||||||
' if $IPSET -S > ${VARDIR}/ipsets.tmp; then' ,
|
|
||||||
' grep -q "^-N" ${VARDIR}/ipsets.tmp && mv -f ${VARDIR}/ipsets.tmp ${VARDIR}/ipsets.save' ,
|
|
||||||
' fi' );
|
|
||||||
emit ( 'fi',
|
emit ( 'fi',
|
||||||
'' );
|
'' );
|
||||||
}
|
}
|
||||||
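Review bot: The new `if eval $IPSET -S $hack > ${VARDIR}/ipsets.tmp; then` line puts the config-supplied `$IPSET` and `${VARDIR}` through a second round of shell parsing, which the removed `$IPSET -S > ...` line did not; the `eval` exists only so `$hack` can carry a pipe, and since shorewall.conf is presumably root-owned this is a robustness concern rather than an exploitable one, but it is avoidable. The `[ $(cat /etc/debian_version) = 5.0.3 ]` test above it is unquoted as well, so an empty or multi-word /etc/debian_version makes `[` abort with a syntax error instead of evaluating false. Make `hack` a filter command rather than a command-line fragment (`grep -v /31` on Lenny, `cat` otherwise), run `$IPSET -S | $hack`, and quote the `$(cat ...)` substitution, as below. The pipeline's status is then the filter's on every host (the eval form already had that property on Lenny), so the `grep -q "^-N"` guard that follows becomes the only check that a real dump was produced; if ipset's own exit status has to gate the save, dump to the temp file first and filter it in place afterwards. Separately, the save code now sits inside the new `if ( @ipsets )` block, so SAVE_IPSETS=Yes with no ipsets referenced in the configuration emits no save at all, and because the shell `if`/`elif` that the `fi` below closes is opened outside this hunk I cannot tell whether that leaves an empty branch.
```perl
emit ( '' ,
       ' if [ -f /etc/debian_version ] && [ "$(cat /etc/debian_version)" = 5.0.3 ]; then' ,
       # … unchanged: Lenny nethash hack comment lines …
       ' hack=\'grep -v /31\'' ,
       ' else' ,
       ' hack=cat' ,
       ' fi' ,
       '',
       ' if $IPSET -S | $hack > ${VARDIR}/ipsets.tmp; then' ,
       # … unchanged: grep -q "^-N" guard and closing fi …
```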
|
@ -2422,9 +2422,9 @@ sub get_configuration( $ ) {
|
|||||||
|
|
||||||
unsupported_yes_no_warning 'DYNAMIC_ZONES';
|
unsupported_yes_no_warning 'DYNAMIC_ZONES';
|
||||||
unsupported_yes_no 'BRIDGING';
|
unsupported_yes_no 'BRIDGING';
|
||||||
unsupported_yes_no_warning 'SAVE_IPSETS';
|
|
||||||
unsupported_yes_no_warning 'RFC1918_STRICT';
|
unsupported_yes_no_warning 'RFC1918_STRICT';
|
||||||
|
|
||||||
|
default_yes_no 'SAVE_IPSETS' , '';
|
||||||
default_yes_no 'STARTUP_ENABLED' , 'Yes';
|
default_yes_no 'STARTUP_ENABLED' , 'Yes';
|
||||||
default_yes_no 'DELAYBLACKLISTLOAD' , '';
|
default_yes_no 'DELAYBLACKLISTLOAD' , '';
|
||||||
default_yes_no 'MAPOLDACTIONS' , 'Yes';
|
default_yes_no 'MAPOLDACTIONS' , 'Yes';
|
||||||
|
@ -315,7 +315,6 @@ sub process_routestopped() {
|
|||||||
my ($interface, $hosts, $options , $proto, $ports, $sports ) = split_line 1, 6, 'routestopped file';
|
my ($interface, $hosts, $options , $proto, $ports, $sports ) = split_line 1, 6, 'routestopped file';
|
||||||
|
|
||||||
fatal_error "Unknown interface ($interface)" unless known_interface $interface;
|
fatal_error "Unknown interface ($interface)" unless known_interface $interface;
|
||||||
|
|
||||||
$hosts = ALLIP unless $hosts && $hosts ne '-';
|
$hosts = ALLIP unless $hosts && $hosts ne '-';
|
||||||
|
|
||||||
my @hosts;
|
my @hosts;
|
||||||
@ -325,6 +324,7 @@ sub process_routestopped() {
|
|||||||
my $rule = do_proto( $proto, $ports, $sports, 0 );
|
my $rule = do_proto( $proto, $ports, $sports, 0 );
|
||||||
|
|
||||||
for my $host ( split /,/, $hosts ) {
|
for my $host ( split /,/, $hosts ) {
|
||||||
|
fatal_error "Ipsets not allowed with SAVE_IPSETS=Yes" if $host =~ /^!?\+/ && $config{SAVE_IPSETS};
|
||||||
validate_host $host, 1;
|
validate_host $host, 1;
|
||||||
push @hosts, "$interface|$host|$seq";
|
push @hosts, "$interface|$host|$seq";
|
||||||
push @rule, $rule;
|
push @rule, $rule;
|
||||||
@ -2342,7 +2342,7 @@ EOF
|
|||||||
|
|
||||||
my @ipsets = all_ipsets;
|
my @ipsets = all_ipsets;
|
||||||
|
|
||||||
if ( @ipsets ) {
|
if ( @ipsets || $config{SAVE_IPSETS} ) {
|
||||||
emit <<'EOF';
|
emit <<'EOF';
|
||||||
|
|
||||||
case $IPSET in
|
case $IPSET in
|
||||||
|