From ee384d03cef3b2b37c93ba331d9ba3cc1fc81319 Mon Sep 17 00:00:00 2001
From: Tom Eastep
Date: Sun, 19 Jun 2011 10:10:59 -0700
Subject: [PATCH] Allow Shorewall-init to save/restore ipset contents

Signed-off-by: Tom Eastep
---
 Shorewall-init/init.sh | 13 ++++++++++++-
 Shorewall-init/sysconfig | 6 ++++++
 Shorewall/changelog.txt | 4 ++++
 Shorewall/releasenotes.txt | 21 ++++++++++++++++++++-
 4 files changed, 42 insertions(+), 2 deletions(-)

diff --git a/Shorewall-init/init.sh b/Shorewall-init/init.sh
index 8d6428f57..105cad096 100755
--- a/Shorewall-init/init.sh
+++ b/Shorewall-init/init.sh
@@ -29,7 +29,7 @@
 # Required-start: $local_fs
 # Required-stop: $local_fs
 # Default-Start: 2 3 5
-# Default-Stop:
+# Default-Stop: 6
 # Short-Description: Initialize the firewall at boot time
 # Description: Place the firewall in a safe state at boot time
 # prior to bringing up the network.
@@ -69,6 +69,10 @@ shorewall_start () {
 fi
 done
 
+ if [ -n "$SAVE_IPSETS" -a -f "$SAVE_IPSETS" ]; then
+ ipset -R < "$SAVE_IPSETS"
+ fi
+
 return 0
 }
 
@@ -86,6 +90,13 @@ shorewall_stop () {
 fi
 done
 
+ if [ -n "$SAVE_IPSETS" ]; then
+ mkdir -p $(dirname "$SAVE_IPSETS")
+ if ipset -S > "${SAVE_IPSETS}.tmp"; then
+ grep -q '^-N' "${SAVE_IPSETS}.tmp" && mv -f "${SAVE_IPSETS}.tmp" "$SAVE_IPSETS"
+ fi
+ fi
+
 return 0
 }
 
diff --git a/Shorewall-init/sysconfig b/Shorewall-init/sysconfig
index 40f3f5daf..ed9627e86 100644
--- a/Shorewall-init/sysconfig
+++ b/Shorewall-init/sysconfig
@@ -10,3 +10,9 @@ PRODUCTS=""
 # ifup/ifdown and NetworkManager events
 #
 IFUPDOWN=0
+#
+# Set this to the name of the file that is to hold
+# ipset contents. Shorewall-init will load those ipsets
+# during 'start' and will save them there during 'stop'.
+#
+SAVE_IPSETS=""
diff --git a/Shorewall/changelog.txt b/Shorewall/changelog.txt
index 01380e724..2bb55d243 100644
--- a/Shorewall/changelog.txt
+++ b/Shorewall/changelog.txt
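Review bot: `# Default-Stop: 6` in the LSB header names only the reboot runlevel, so on a halt or poweroff (runlevel 0) the stop action — and with it the ipset save this patch adds to shorewall_stop — would presumably not run, and the sets present at shutdown would be lost. If the save is meant to survive a shutdown as well as a reboot, `# Default-Stop: 0 6` is the usual form. This is inferred from LSB runlevel semantics rather than from anything visible in the hunk, so worth confirming against the distributions Shorewall-init targets.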
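Review bot: The exit status of `ipset -R < "$SAVE_IPSETS"` is discarded and shorewall_start still returns 0, so a truncated or malformed save file presumably leaves some sets missing or half-populated while the boot log shows a clean start; rules that reference those sets would then not behave as configured. At minimum report the failure: `ipset -R < "$SAVE_IPSETS" || echo "Restore of ipsets from $SAVE_IPSETS failed" >&2`. The `-a` inside `[ ]` is also the deprecated form; `[ -n "$SAVE_IPSETS" ] && [ -f "$SAVE_IPSETS" ]` is the portable spelling. shorewall_start begins before this hunk.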
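Review bot: `mkdir -p $(dirname "$SAVE_IPSETS")` leaves the command substitution unquoted, so a path containing whitespace is word-split before mkdir sees it; `mkdir -p "$(dirname "$SAVE_IPSETS")"` fixes that. When the dump contains no `-N` line, `${SAVE_IPSETS}.tmp` is left behind and the previous save file is kept, so the next 'start' restores whatever sets were saved earlier, which may not be what the administrator expects after deliberately emptying them; an explicit else branch — `if grep -q '^-N' "${SAVE_IPSETS}.tmp"; then mv -f "${SAVE_IPSETS}.tmp" "$SAVE_IPSETS"; else rm -f "${SAVE_IPSETS}.tmp"; fi` — handles both cases. A failing `ipset -S` is likewise silent and also leaves the empty `.tmp` file in place. shorewall_stop begins before this hunk.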
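Review bot: The new SAVE_IPSETS comment omits two things an administrator needs before enabling it, both of which the release notes in this same patch state: that SAVE_IPSETS=No must be set in shorewall.conf and shorewall6.conf when Shorewall-init takes over saving, and that the file is fed straight to `ipset -R` at boot, so it should live in a directory writable only by root. I would extend the comment with `# Set SAVE_IPSETS=No in shorewall.conf and shorewall6.conf when using this,` and `# and keep the file in a root-owned directory; it is loaded verbatim at boot.`.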
@@ -1,3 +1,7 @@
+Changes in Shorewall 4.4.21 Beta 3
+
+1) Shorewall-init can now save/restore ipsets.
+
 Changes in Shorewall 4.4.21 Beta 2
 
 1) Implement the 'update' command.
diff --git a/Shorewall/releasenotes.txt b/Shorewall/releasenotes.txt
index d385239b6..fa7034d3e 100644
--- a/Shorewall/releasenotes.txt
+++ b/Shorewall/releasenotes.txt
@@ -1,5 +1,5 @@
 ----------------------------------------------------------------------------
- S H O R E W A L L 4 . 4 . 2 1 B e t a 2
+ S H O R E W A L L 4 . 4 . 2 1 B e t a 3
 ----------------------------------------------------------------------------
 
 I. PROBLEMS CORRECTED IN THIS RELEASE
@@ -94,6 +94,25 @@ None.
 The 'update' command accepts the same options as 'check' plus an
 '-a' option that causes the updated file to be annotated with
 documentation.
+
+5) Shorewall6 now supports ipsets.
+
+ Unlike iptables, which has separate configurations for IPv4 and
+ IPv6, ipset has a single configuration that handles both. This
+ means the SAVE_IPSETS=Yes in shorewall.conf or shorewall6.conf
+ won't work correctly. To work around this issue, Shorewall-init is
+ now capable restoring ipset contents during 'start' and saving them
+ during 'stop'.
+
+ To direct Shorewall-init to save/restore ipset contents, set the
+ SAVE_IPSETS option in /etc/sysconfig/shorewall-init
+ (/etc/default/shorewall-init on Debian and derivatives). The value
+ of the option is a file name where the contents of the ipsets will
+ be save to and restored from. Shorewall-init will create any
+ necessary directories during the first 'save' operation.
+
+ If you configure Shorewall-init to save/restore ipsets, be sure to
+ set SAVE_IPSETS=No in shorewall.conf and shorewall6.conf.
 
 ----------------------------------------------------------------------------
 I V. R E L E A S E 4 . 4 H I G H L I G H T S