Re-enable SAVE_IPSETS=Yes

Signed-off-by: Tom Eastep <teastep@shorewall.net>
Tom Eastep 2010-01-04 11:14:05 -08:00
parent b491eae3c0
commit 1aa55779e2
3 changed files with 27 additions and 13 deletions


@ -355,8 +355,10 @@ sub generate_script_3($) {
if ( $family == F_IPV4 ) { if ( $family == F_IPV4 ) {
my @ipsets = all_ipsets; my @ipsets = all_ipsets;
if ( @ipsets ) { if ( @ipsets || $config{SAVE_IPSETS} ) {
emit ( '', emit ( '',
'local hack',
'',
'case $IPSET in', 'case $IPSET in',
' */*)', ' */*)',
' [ -x "$IPSET" ] || fatal_error "IPSET=$IPSET does not exist or is not executable"', ' [ -x "$IPSET" ] || fatal_error "IPSET=$IPSET does not exist or is not executable"',
@ -375,18 +377,30 @@ sub generate_script_3($) {
' fi' , ' fi' ,
'' ); '' );
emit ( " qt \$IPSET -L $_ -n || \$IPSET -N $_ iphash" ) for @ipsets; if ( @ipsets ) {
emit ( " qt \$IPSET -L $_ -n || \$IPSET -N $_ iphash" ) for @ipsets;
emit ( '' , emit ( '' ,
'elif [ "$COMMAND" = restart ]; then' , 'elif [ "$COMMAND" = restart ]; then' ,
'' ); '' );
emit ( " qt \$IPSET -L $_ -n || \$IPSET -N $_ iphash" ) for @ipsets; emit ( " qt \$IPSET -L $_ -n || \$IPSET -N $_ iphash" ) for @ipsets;
emit ( '' ,
' if [ -f /etc/debian_version ] && [ $(cat /etc/debian_version) = 5.0.3 ]; then' ,
' #',
' # The \'grep -v\' is a hack for a bug in ipset\'s nethash implementation when xtables-addons is applied to Lenny' ,
' #',
' hack=\'| grep -v /31\'' ,
' else' ,
' hack=' ,
' fi' ,
'',
' if eval $IPSET -S $hack > ${VARDIR}/ipsets.tmp; then' ,
' grep -q "^-N" ${VARDIR}/ipsets.tmp && mv -f ${VARDIR}/ipsets.tmp ${VARDIR}/ipsets.save' ,
' fi' );
}
emit ( '' ,
' if $IPSET -S > ${VARDIR}/ipsets.tmp; then' ,
' grep -q "^-N" ${VARDIR}/ipsets.tmp && mv -f ${VARDIR}/ipsets.tmp ${VARDIR}/ipsets.save' ,
' fi' );
emit ( 'fi', emit ( 'fi',
'' ); '' );
} }
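Review bot: The emitted Debian check `[ $(cat /etc/debian_version) = 5.0.3 ]` leaves the command substitution unquoted, so an empty or multi-word /etc/debian_version makes `[` fail with a syntax error and the generated script aborts instead of falling through to the `else` branch; quote it: `' if [ -f /etc/debian_version ] && [ "$(cat /etc/debian_version)" = 5.0.3 ]; then' ,`. The `grep -v /31` workaround is applied to every line of `$IPSET -S` output, so it looks like it would also drop any `-A` entry or set name containing "/31" from ipsets.save, leaving those members out of the state restored later; worth confirming against the ipset bug being worked around and narrowing the pattern to the affected nethash lines if so. On this rendered page the old/new side of the hack block cannot be read with certainty, so this note assumes it is the new side. generate_script_3 starts and ends outside the hunk.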


@ -2422,9 +2422,9 @@ sub get_configuration( $ ) {
unsupported_yes_no_warning 'DYNAMIC_ZONES'; unsupported_yes_no_warning 'DYNAMIC_ZONES';
unsupported_yes_no 'BRIDGING'; unsupported_yes_no 'BRIDGING';
unsupported_yes_no_warning 'SAVE_IPSETS';
unsupported_yes_no_warning 'RFC1918_STRICT'; unsupported_yes_no_warning 'RFC1918_STRICT';
default_yes_no 'SAVE_IPSETS' , '';
default_yes_no 'STARTUP_ENABLED' , 'Yes'; default_yes_no 'STARTUP_ENABLED' , 'Yes';
default_yes_no 'DELAYBLACKLISTLOAD' , ''; default_yes_no 'DELAYBLACKLISTLOAD' , '';
default_yes_no 'MAPOLDACTIONS' , 'Yes'; default_yes_no 'MAPOLDACTIONS' , 'Yes';
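Review bot: SAVE_IPSETS moves from `unsupported_yes_no_warning` to `default_yes_no 'SAVE_IPSETS' , ''` with no accompanying change to the option's documentation or sample configuration in this commit, so users who previously got the unsupported warning now have the option silently honoured, together with the new routestopped check elsewhere in this commit that rejects ipset entries when it is set. Unless that is covered elsewhere, the option's documentation should state that it is supported again, defaults to No, and is incompatible with ipset hosts in the routestopped file. get_configuration starts and ends outside the hunk.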


@ -315,7 +315,6 @@ sub process_routestopped() {
my ($interface, $hosts, $options , $proto, $ports, $sports ) = split_line 1, 6, 'routestopped file'; my ($interface, $hosts, $options , $proto, $ports, $sports ) = split_line 1, 6, 'routestopped file';
fatal_error "Unknown interface ($interface)" unless known_interface $interface; fatal_error "Unknown interface ($interface)" unless known_interface $interface;
$hosts = ALLIP unless $hosts && $hosts ne '-'; $hosts = ALLIP unless $hosts && $hosts ne '-';
my @hosts; my @hosts;
@ -325,6 +324,7 @@ sub process_routestopped() {
my $rule = do_proto( $proto, $ports, $sports, 0 ); my $rule = do_proto( $proto, $ports, $sports, 0 );
for my $host ( split /,/, $hosts ) { for my $host ( split /,/, $hosts ) {
fatal_error "Ipsets not allowed with SAVE_IPSETS=Yes" if $host =~ /^!?\+/ && $config{SAVE_IPSETS};
validate_host $host, 1; validate_host $host, 1;
push @hosts, "$interface|$host|$seq"; push @hosts, "$interface|$host|$seq";
push @rule, $rule; push @rule, $rule;
@ -2342,7 +2342,7 @@ EOF
my @ipsets = all_ipsets; my @ipsets = all_ipsets;
if ( @ipsets ) { if ( @ipsets || $config{SAVE_IPSETS} ) {
emit <<'EOF'; emit <<'EOF';
case $IPSET in case $IPSET in