blob: fdca0a15f4075b054caf22d639356aa4c4b51d78 (
plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
|
#!/sbin/runscript
# Init script for ipset
# Copyright (C) 2012 Kaarle Ritvanen
# Licensed under the terms of the GPL2
extra_started_commands="save reload"
IPSET=/usr/sbin/ipset
DIR=/etc/ipset.d
STATUS=0
ipset() {
$IPSET $* || STATUS=1
}
set_files() {
(cd $DIR && ls)
}
set_file() {
grep -v ^# $DIR/$1
}
set_exists() {
$IPSET save $1 &> /dev/null
}
sets() {
$IPSET save | sed "s/^create \\([^ ]\\+\\) ${1:+$1 }.*/\\1/;ta;d;:a"
}
depend() {
before iptables ip6tables
}
start() {
reload
}
stop() {
ebegin "Flushing firewall IP sets"
for name in $(sets list:set); do
ipset destroy $name
done
for name in $(sets); do
ipset destroy $name
done
eend $STATUS
}
save() {
ebegin "Saving firewall IP sets"
ipset save | while read cmd; do
set -- $cmd
local action=$1
local file=$DIR/$2
shift 2
if [ "$action" = create ]; then
echo $* > $file
elif [ "$action" = add ]; then
echo $* >> $file
fi
done
for name in $(set_files); do
set_exists $name || rm -f $DIR/$name
done
eend $STATUS
}
reload() {
ebegin "Loading firewall IP sets"
local swap=
for name in $(set_files); do
local new=$name
if set_exists $name; then
new=_init_$name
swap="$swap $name"
fi
ipset create $new $(set_file $name | head -n 1)
done
for name in $(set_files); do
local new=$name
set_exists _init_$name && new=_init_$name
set_file $name | tail -n +2 | while read m; do
ipset add $new $m
done
done
for name in $swap; do
ipset swap $name _init_$name
done
for name in $(sets list:set); do
[ -f $DIR/$name ] || ipset destroy $name
done
for name in $(sets); do
[ -f $DIR/$name ] || ipset destroy $name
done
eend $STATUS
}
|
