holm/shorewall_code
1
0
Fork 0
forked from extern/shorewall_code
Code Pull Requests Activity

Allow Shorewall-init to save/restore ipset contents

Browse Source 
Signed-off-by: Tom Eastep <teastep@shorewall.net>
This commit is contained in:
Tom Eastep 2011-06-19 10:10:59 -07:00
parent 7753f798b0
commit ee384d03ce
4 changed files with 42 additions and 2 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

13
Shorewall-init/init.sh
View File

@ -29,7 +29,7 @@
# Required-start: $local_fs # Required-start: $local_fs
# Required-stop: $local_fs # Required-stop: $local_fs
# Default-Start: 2 3 5 # Default-Start: 2 3 5
# Default-Stop: # Default-Stop: 6
# Short-Description: Initialize the firewall at boot time # Short-Description: Initialize the firewall at boot time
# Description: Place the firewall in a safe state at boot time # Description: Place the firewall in a safe state at boot time
# prior to bringing up the network. # prior to bringing up the network.
@ -69,6 +69,10 @@ shorewall_start () {
fi fi
done done
if [ -n "$SAVE_IPSETS" -a -f "$SAVE_IPSETS" ]; then
ipset -R < "$SAVE_IPSETS"
fi
return 0 return 0
} }
@ -86,6 +90,13 @@ shorewall_stop () {
fi fi
done done
if [ -n "$SAVE_IPSETS" ]; then
mkdir -p $(dirname "$SAVE_IPSETS")
if ipset -S > "${SAVE_IPSETS}.tmp"; then
grep -q '^-N' "${SAVE_IPSETS}.tmp" && mv -f "${SAVE_IPSETS}.tmp" "$SAVE_IPSETS"
fi
fi
return 0 return 0
} }

6
Shorewall-init/sysconfig
View File

@ -10,3 +10,9 @@ PRODUCTS=""
# ifup/ifdown and NetworkManager events # ifup/ifdown and NetworkManager events
# #
IFUPDOWN=0 IFUPDOWN=0
#
# Set this to the name of the file that is to hold
# ipset contents. Shorewall-init will load those ipsets
# during 'start' and will save them there during 'stop'.
#
SAVE_IPSETS=""

4
Shorewall/changelog.txt
View File

@ -1,3 +1,7 @@
Changes in Shorewall 4.4.21 Beta 3
1) Shorewall-init can now save/restore ipsets.
Changes in Shorewall 4.4.21 Beta 2 Changes in Shorewall 4.4.21 Beta 2
1) Implement the 'update' command. 1) Implement the 'update' command.

21
Shorewall/releasenotes.txt
View File

@ -1,5 +1,5 @@
---------------------------------------------------------------------------- ----------------------------------------------------------------------------
S H O R E W A L L 4 . 4 . 2 1 B e t a 2 S H O R E W A L L 4 . 4 . 2 1 B e t a 3
---------------------------------------------------------------------------- ----------------------------------------------------------------------------
I. PROBLEMS CORRECTED IN THIS RELEASE I. PROBLEMS CORRECTED IN THIS RELEASE
@ -94,6 +94,25 @@ None.
The 'update' command accepts the same options as 'check' plus an The 'update' command accepts the same options as 'check' plus an
'-a' option that causes the updated file to be annotated with '-a' option that causes the updated file to be annotated with
documentation. documentation.
5) Shorewall6 now supports ipsets.
Unlike iptables, which has separate configurations for IPv4 and
IPv6, ipset has a single configuration that handles both. This
means the SAVE_IPSETS=Yes in shorewall.conf or shorewall6.conf
won't work correctly. To work around this issue, Shorewall-init is
now capable restoring ipset contents during 'start' and saving them
during 'stop'.
To direct Shorewall-init to save/restore ipset contents, set the
SAVE_IPSETS option in /etc/sysconfig/shorewall-init
(/etc/default/shorewall-init on Debian and derivatives). The value
of the option is a file name where the contents of the ipsets will
be save to and restored from. Shorewall-init will create any
necessary directories during the first 'save' operation.
If you configure Shorewall-init to save/restore ipsets, be sure to
set SAVE_IPSETS=No in shorewall.conf and shorewall6.conf.
---------------------------------------------------------------------------- ----------------------------------------------------------------------------
I V. R E L E A S E 4 . 4 H I G H L I G H T S I V. R E L E A S E 4 . 4 H I G H L I G H T S