From 219954769c40a42b9db28aece5cc3aa7492a0065 Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Sun, 12 Sep 2010 07:40:01 -0700 Subject: [PATCH] Update ipsets document --- docs/ipsets.xml | 81 ++++++++++++++++++++++++------------------------- 1 file changed, 39 insertions(+), 42 deletions(-) diff --git a/docs/ipsets.xml b/docs/ipsets.xml index 85ff1491a..e6cd49317 100644 --- a/docs/ipsets.xml +++ b/docs/ipsets.xml @@ -22,6 +22,8 @@ 2008 + 2010 + Thomas M. Eastep @@ -62,6 +64,11 @@ contents of an ipset. Again, you can then add or delete addresses to the ipset without restarting Shorewall. + + + In most configuration files when an address list is accepted, + the list may include ipsets using the syntax described below. + See the ipsets site (URL above) for additional information about @@ -94,6 +101,24 @@ To generate a negative match, prefix the "+" with "!" as in "!+Mirrors". + When an ipset name appears in the SOURCE column of a file, Shorewall + generates a 'src' match ("-m set --match-set + set-name src") + and when the name appears in the DEST column, a 'dst' match is generated + (-m set --match-set set-name dst"). Some set types allow matching on more than + one address and require a comma-separated list of 'src' and/or 'dst' + flags. This list may be enclosed in square brackets ("[...]") following + the set name. + + Example: +setlist[src,dst] + + If the flags are homogenous, you may use an integer to represent the + number of entries. In other words, [2] is + equivalent to [src,src] in the SOURCE + column and is equivalent to [dst,dst] in + the DEST column. + Example 1: Blacklist all hosts in an ipset named "blacklist" /etc/shorewall/blacklist#ADDRESS/SUBNET PROTOCOL PORT 
@@ -103,50 +128,22 @@ /etc/shorewall/rules#ACTION SOURCE DEST PROTO DEST PORT(S) ACCEPT net:+sshok $FW tcp 22 + - Shorewall is not in the ipset load/reload business because the - Netfilter rule set is never cleared. That means that there is no - opportunity for Shorewall to load/reload your ipsets since that cannot be - done while there are any current rules using ipsets. +
+ Saving/Restoring Ipsets - So: + The SAVE_IPSETS option in shorewall.conf (5) allows you + to have Shorewall automatically save your ipset contents during + shorewall stop and restore them during + shorewall start. SAVE_IPSETS is implicitly set to + when the configuration includes one or more dynamic zones. - - - Your ipsets must be loaded before Shorewall starts. You are free - to try to do that with the following code in - /etc/shorewall/init (it works for me; your mileage may - vary): - - if [ "$COMMAND" = start ]; then - ipset -F - ipset -X - ipset -R < /etc/shorewall/ipsets -fi - - The file /etc/shorewall/ipsets will - normally be produced using the ipset -S - command. - - The above will work most of the time but will fail in a - shorewall stop - shorewall start - sequence if you use ipsets in your routestopped file (see - below). - - - - Your ipsets may not be reloaded until Shorewall is stopped or - cleared. - - - - If you specify ipsets in your routestopped file then Shorewall - must be cleared in order to reload your ipsets. - - - - As a consequence, scripts generated by the Perl-based compiler will - ignore /etc/shorewall/ipsets and will issue a warning - if you set SAVE_IPSETS=Yes in shorewall.conf + When SAVE_IPSETS=Yes, Shorewall disallows ipsets to be specified in + shorewall-routestopped + (8).
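Review bot: In the hunk at @@ -62,6 +64,11 @@, the new sentence "In most configuration files when an address list is accepted, the list may include ipsets using the syntax described below." leaves the reader guessing which files are the exceptions to "most"; either name them or point to where they are documented, and reword to "In most configuration files, wherever an address list is accepted, the list may include ipsets using the syntax described below." so the two clauses do not run together.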
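Review bot: In the hunk at @@ -94,6 +101,24 @@, the quoting of the generated match is unbalanced: the SOURCE case reads ("-m set --match-set set-name src") but the DEST case reads (-m set --match-set set-name dst") with no opening quote; add it. In the same paragraph "homogenous" should be "homogeneous", and the sentence "Some set types allow matching on more than one address and require a comma-separated list of 'src' and/or 'dst' flags" should say how many flags are needed (one per address the set type matches), since the [2] shorthand introduced two paragraphs later is only meaningful once the reader knows what that count is.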
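Review bot: In the hunk at @@ -103,50 +128,22 @@, the sentence "SAVE_IPSETS is implicitly set to when the configuration includes one or more dynamic zones" is missing the value it is set to, so the reader cannot tell whether dynamic zones force saving on; state the value explicitly and check that the markup around it renders. The new section also drops the reason the removed text gave for the routestopped restriction, namely that ipsets cannot be reloaded while rules referencing them are still in place; keeping one sentence of that rationale next to "When SAVE_IPSETS=Yes, Shorewall disallows ipsets to be specified in shorewall-routestopped (8)" would explain the rule rather than just state it, and "disallows ipsets to be specified in" reads better as "does not allow ipsets in". Finally, the removed text said that generated scripts ignore /etc/shorewall/ipsets; the new section should say whether that file is still ignored or is now what SAVE_IPSETS writes to, so users with an existing file know what to expect.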