Allow Shorewall-init to save/restore ipset contents

Signed-off-by: Tom Eastep <teastep@shorewall.net>

Shorewall-init/init.sh

@@ -29,7 +29,7 @@
 # Required-start: $local_fs
 # Required-stop:  $local_fs
 # Default-Start:  2 3 5
-# Default-Stop:
+# Default-Stop:   6
 # Short-Description: Initialize the firewall at boot time
 # Description:       Place the firewall in a safe state at boot time
 #                    prior to bringing up the network.  
@@ -69,6 +69,10 @@ shorewall_start () {
       fi
   done
 
+  if [ -n "$SAVE_IPSETS" -a -f "$SAVE_IPSETS" ]; then
+      ipset -R < "$SAVE_IPSETS"
+  fi
+
   return 0
 }
 
@@ -86,6 +90,13 @@ shorewall_stop () {
       fi
   done
 
+  if [ -n "$SAVE_IPSETS" ]; then
+      mkdir -p $(dirname "$SAVE_IPSETS")
+      if ipset -S > "${SAVE_IPSETS}.tmp"; then
+	  grep -q '^-N' "${SAVE_IPSETS}.tmp" && mv -f "${SAVE_IPSETS}.tmp" "$SAVE_IPSETS"
+      fi
+  fi
+
   return 0
 }
 

Shorewall-init/sysconfig

@@ -10,3 +10,9 @@ PRODUCTS=""
 # ifup/ifdown and NetworkManager events
 #
 IFUPDOWN=0
+#
+# Set this to the name of the file that is to hold
+# ipset contents. Shorewall-init will load those ipsets
+# during 'start' and will save them there during 'stop'.
+#
+SAVE_IPSETS=""

Shorewall/changelog.txt

@@ -1,3 +1,7 @@
+Changes in Shorewall 4.4.21 Beta 3
+
+1)  Shorewall-init can now save/restore ipsets.
+
 Changes in Shorewall 4.4.21 Beta 2
 
 1)  Implement the 'update' command.

Shorewall/releasenotes.txt

@@ -1,5 +1,5 @@
 ----------------------------------------------------------------------------
-                S H O R E W A L L  4 . 4 . 2 1  B e t a  2
+                S H O R E W A L L  4 . 4 . 2 1  B e t a  3
 ----------------------------------------------------------------------------
 
 I.    PROBLEMS CORRECTED IN THIS RELEASE
@@ -94,6 +94,25 @@ None.
     The 'update' command accepts the same options as 'check' plus an
     '-a' option that causes the updated file to be annotated with
     documentation.
+
+5)  Shorewall6 now supports ipsets. 
+
+    Unlike iptables, which has separate configurations for IPv4 and
+    IPv6, ipset has a single configuration that handles both. This
+    means the SAVE_IPSETS=Yes in shorewall.conf or shorewall6.conf
+    won't work correctly. To work around this issue, Shorewall-init is
+    now capable restoring ipset contents during 'start' and saving them
+    during 'stop'. 
+
+    To direct Shorewall-init to save/restore ipset contents, set the
+    SAVE_IPSETS option in /etc/sysconfig/shorewall-init
+    (/etc/default/shorewall-init on Debian and derivatives). The value
+    of the option is a file name where the contents of the ipsets will
+    be save to and restored from. Shorewall-init will create any
+    necessary directories during the first 'save' operation.
+
+    If you configure Shorewall-init to save/restore ipsets, be sure to
+    set SAVE_IPSETS=No in shorewall.conf and shorewall6.conf.
  
 ----------------------------------------------------------------------------
              I V.  R E L E A S E  4 . 4  H I G H L I G H T S