diff --git a/Shorewall/Perl/Shorewall/Chains.pm b/Shorewall/Perl/Shorewall/Chains.pm
index 9f2c6a422..5f89909be 100644
--- a/Shorewall/Perl/Shorewall/Chains.pm
+++ b/Shorewall/Perl/Shorewall/Chains.pm
@@ -8006,22 +8006,31 @@ sub create_save_ipsets() {
'save_ipsets() {' );
if ( @ipsets || @{$globals{SAVED_IPSETS}} || ( $config{SAVE_IPSETS} && have_ipset_rules ) ) {
- emit( ' local file' ,
- '',
- ' file=$1',
- ''
- );
+ emit( ' local file' );
+ emit( ' local set' ) if have_capability 'IPSET_V5';
+ emit( '',
+ ' file=$1',
+ ''
+ );
if ( @ipsets ) {
ensure_ipset( $_ ) for @ipsets;
}
emit( '' ,
- ' rm -f ${VARDIR}/ipsets.save' ,
+ ' rm -f $file' ,
'' );
if ( $config{SAVE_IPSETS} ) {
- if ( $family == F_IPV4 ) {
+ if ( $family == F_IPV6 || $config{SAVE_IPSETS} eq 'ipv4' ) {
+ my $select = $family == F_IPV4 ? '^create.*family inet ' : 'create.*family inet6 ';
+
+ emit( 'touch $file' );
+
+ emit( "for set in $(\$IPSET save | grep '$select' | cut -d' ' -f2); do" ,
+ " \$IPSET save $_ >> \$file" ,
+ "done" );
+ } else {
emit ( ' if [ -f /etc/debian_version ] && [ $(cat /etc/debian_version) = 5.0.3 ]; then' ,
' #',
' # The \'grep -v\' is a hack for a bug in ipset\'s nethash implementation when xtables-addons is applied to Lenny' ,
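Review bot: The two double-quoted strings in the new `for set in ...` emit interpolate Perl variables where shell text is intended: the unescaped `$(` in the first is Perl's real-GID variable, and `$_` in the second is Perl's topic variable rather than the shell loop variable `set`, so the generated save_ipsets() loop will most likely not be the intended shell. I would write them as `"for set in \$(\$IPSET save | grep '$select' | cut -d' ' -f2); do"` and `" \$IPSET save \$set >> \$file"`. This branch also appends straight to `$file` after `rm -f $file`, whereas the other branch builds `${VARDIR}/ipsets.tmp` and moves it into place only once the `grep -qE` check passes; if an `ipset save` fails partway, a truncated save file is left for a later restore to load, so the same temp-file-then-`mv` pattern is worth keeping here. The `emit` call for the Debian workaround at the end of the hunk continues past its last line.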
@@ -8034,11 +8043,8 @@ sub create_save_ipsets() {
' if eval $IPSET -S $hack > ${VARDIR}/ipsets.tmp; then' ,
" grep -qE -- \"^(-N|create )\" \${VARDIR}/ipsets.tmp && mv -f \${VARDIR}/ipsets.tmp \$file" ,
' fi' );
- } else {
- emit ( ' if eval $IPSET -S > ${VARDIR}/ipsets.tmp; then' ,
- " grep -qE -- \"^(-N|create )\" \${VARDIR}/ipsets.tmp && mv -f \${VARDIR}/ipsets.tmp \$file" ,
- ' fi' );
- }
+ }
+
} elsif ( @ipsets || $globals{SAVED_IPSETS} ) {
emit( ' rm -f ${VARDIR}/ipsets.tmp' ,
' touch ${VARDIR}/ipsets.tmp' ,
diff --git a/Shorewall/manpages/shorewall.conf.xml b/Shorewall/manpages/shorewall.conf.xml
index cbcc91b82..aee177a2b 100644
--- a/Shorewall/manpages/shorewall.conf.xml
+++ b/Shorewall/manpages/shorewall.conf.xml
@@ -2470,7 +2470,7 @@ INLINE - - - ; -j REJECT
SAVE_IPSETS={Yes|No|setlist}
+ role="bold">No|ipv4|setlist}
Re-enabled in Shorewall 4.4.6. If SAVE_IPSETS=Yes, then the
@@ -2480,9 +2480,21 @@ INLINE - - - ; -j REJECT
shorewall start and shorewall restore commands.
- Beginning with Shorewall 4.6.4, you can restrict the set of
- ipsets saved by specifying a setlist (a comma-separated list of ipv4
- ipset names).
+ Beginning with Shorewall 4.6.4:
+
+
+
+ When SAVE_IPSETS=ipv4, only ipv4 ipsets are saved if the
+ 'Ipset V5' capability is supported by your system.
+
+
+
+ you can restrict the set of ipsets saved by specifying a
+ setlist (a comma-separated list of ipv4 ipset names).
+
+
+
+
diff --git a/Shorewall6/manpages/shorewall6.conf.xml b/Shorewall6/manpages/shorewall6.conf.xml
index be535f1e4..b4464afff 100644
--- a/Shorewall6/manpages/shorewall6.conf.xml
+++ b/Shorewall6/manpages/shorewall6.conf.xml
@@ -2128,15 +2128,15 @@ INLINE - - - ; -j REJECT
role="bold">No|setlist}
- Re-enabled in Shorewall 4.4.6. If SAVE_IPSETS=Yes, then the
- current contents of your ipsets will be saved by the Added in Shoreall 4.6.4. If SAVE_IPSETS=Yes, then the current
+ contents of your ipv6 ipsets will be saved by the shorewall stop and shorewall save commands and restored by the
shorewall start and shorewall restore commands.
- Beginning with Shorewall 4.6.4, you can restrict the set of
- ipsets saved by specifying a setlist (a comma-separated list of ipv6
+ You can restrict the set of ipsets saved by specifying a
+ setlist (a comma-separated list of ipv6
ipset names).