From ce1c367d1dbaf7156366a8633e6d6d473eba0199 Mon Sep 17 00:00:00 2001 From: Tom Eastep Date: Sun, 28 Sep 2014 14:09:20 -0700 Subject: [PATCH] Re-commit the fix that saves only the appropriate family Signed-off-by: Tom Eastep --- Shorewall/Perl/Shorewall/Chains.pm | 28 ++++++++++++++++++---------- Shorewall/Perl/Shorewall/Config.pm | 11 +++++++---- Shorewall/Perl/prog.footer | 1 - 3 files changed, 25 insertions(+), 15 deletions(-) diff --git a/Shorewall/Perl/Shorewall/Chains.pm b/Shorewall/Perl/Shorewall/Chains.pm index 9f2c6a422..f1f9db7cf 100644 --- a/Shorewall/Perl/Shorewall/Chains.pm +++ b/Shorewall/Perl/Shorewall/Chains.pm @@ -8016,12 +8016,22 @@ sub create_save_ipsets() { ensure_ipset( $_ ) for @ipsets; } - emit( '' , - ' rm -f ${VARDIR}/ipsets.save' , - '' ); - if ( $config{SAVE_IPSETS} ) { - if ( $family == F_IPV4 ) { + if ( $family == F_IPV6 || $config{SAVE_IPSETS} eq 'ipv4' ) { + my $select = $family == F_IPV4 ? '^create.*family inet ' : 'create.*family inet6 '; + + emit( ' rm -f $file' , + ' touch $file' , + ' local set' , + '' + ); + + emit( " \$IPSET -S $_ >> >> \$file" ) for @ipsets; + + emit( " for set in \$(\$IPSET save | grep '$select' | cut -d' ' -f2); do" , + " \$IPSET save \$set >> \$file" , + " done" ); + } else { emit ( ' if [ -f /etc/debian_version ] && [ $(cat /etc/debian_version) = 5.0.3 ]; then' , ' #', ' # The \'grep -v\' is a hack for a bug in ipset\'s nethash implementation when xtables-addons is applied to Lenny' , 
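Review bot: The added `emit( " \$IPSET -S $_ >> >> \$file" ) for @ipsets;` writes a doubled redirection into the generated script, which a POSIX shell rejects as a syntax error, so the emitted text should be `\$IPSET -S $_ >> \$file`. The new branch also emits `rm -f $file` and `touch $file` and then appends, whereas the branch kept below writes `${VARDIR}/ipsets.tmp` and moves it into place only after the `grep -qE` check. A failed or interrupted `$IPSET save` would therefore leave an empty or partial save file, and any sets the ruleset relies on would presumably come back empty on the next restore. Building the output in the temp file and finishing with `mv -f` keeps the previous save intact on failure. Separately, the IPv6 pattern `'create.*family inet6 '` lacks the `^` anchor that the IPv4 pattern has, and `$file` is unquoted in the emitted commands. create_save_ipsets begins and ends outside this hunk.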
@@ -8034,11 +8044,9 @@ sub create_save_ipsets() { ' if eval $IPSET -S $hack > ${VARDIR}/ipsets.tmp; then' , " grep -qE -- \"^(-N|create )\" \${VARDIR}/ipsets.tmp && mv -f \${VARDIR}/ipsets.tmp \$file" , ' fi' ); - } else { - emit ( ' if eval $IPSET -S > ${VARDIR}/ipsets.tmp; then' , - " grep -qE -- \"^(-N|create )\" \${VARDIR}/ipsets.tmp && mv -f \${VARDIR}/ipsets.tmp \$file" , - ' fi' ); - } + } + + emit("}\n" ); } elsif ( @ipsets || $globals{SAVED_IPSETS} ) { emit( ' rm -f ${VARDIR}/ipsets.tmp' , ' touch ${VARDIR}/ipsets.tmp' , diff --git a/Shorewall/Perl/Shorewall/Config.pm b/Shorewall/Perl/Shorewall/Config.pm index 5f0d42873..6410bd74b 100644 --- a/Shorewall/Perl/Shorewall/Config.pm +++ b/Shorewall/Perl/Shorewall/Config.pm @@ -5572,10 +5572,13 @@ sub get_configuration( $$$$$ ) { unsupported_yes_no_warning 'RFC1918_STRICT'; unless (default_yes_no 'SAVE_IPSETS', '', '*' ) { - my @sets = (split_list( $val= $config{SAVE_IPSETS}, 'ipset' )); - $globals{SAVED_IPSETS} = \@sets; - require_capability 'IPSET_V5', 'A saved ipset list', 's'; - $config{SAVE_IPSETS} = ''; + $val = $config{SAVE_IPSETS}; + unless ( $val = 'ipv4' ) { + my @sets = (split_list( $val= $config{SAVE_IPSETS}, 'ipset' )); + $globals{SAVED_IPSETS} = \@sets; + require_capability 'IPSET_V5', 'A saved ipset list', 's'; + $config{SAVE_IPSETS} = ''; + } } default_yes_no 'SAVE_ARPTABLES' , ''; diff --git a/Shorewall/Perl/prog.footer b/Shorewall/Perl/prog.footer index 8add49a06..0c44dd420 100644 --- a/Shorewall/Perl/prog.footer +++ b/Shorewall/Perl/prog.footer @@ -386,7 +386,6 @@ case "$COMMAND" in ;; savesets) if [ $# -eq 2 ]; then - rm -f $2 save_ipsets $2 else usage 2
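Review bot: In the Config.pm hunk, the new guard `unless ( $val = 'ipv4' )` assigns rather than compares, so the condition is always true and the block under it never runs; it should read `unless ( $val eq 'ipv4' ) {`. As written, a SAVE_IPSETS value that lists set names is never split into `$globals{SAVED_IPSETS}`, the `IPSET_V5` capability check is skipped, and `$config{SAVE_IPSETS}` keeps the raw list string. The Chains.pm code in this patch would then appear to treat that string as a plain truthy setting and save more than the administrator selected. `$val` is also left holding 'ipv4' for any code that follows. Once the comparison is fixed, the inner `$val= $config{SAVE_IPSETS}` inside `split_list(...)` is redundant and can become `split_list( $val, 'ipset' )`. get_configuration starts and ends outside this hunk.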