aboutsummaryrefslogtreecommitdiffstats
path: root/main/ipset/ipset.initd
blob: 649b310ac5f64b406d5a5b0ff812115868b8db2e (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
98
99
100
101
102
103
104
105
106
107
108
109
110
111
112
113
114
115
116
117
118
119
#!/sbin/openrc-run
# Init script for ipset
# Copyright (C) 2012-2017 Kaarle Ritvanen
# Licensed under the terms of the GPL2

description="Manage IP sets in the Linux kernel"
description_save="Save firewall IP sets"
description_reload="Load firewall IP sets"

extra_started_commands="save reload"

IPSET=/usr/sbin/ipset
DIR=/etc/ipset.d
STATUS=0

ipset() {
	$IPSET $* || STATUS=1
}

set_files() {
	(cd $DIR && ls)
}

set_file() {
	grep -v ^# $DIR/$1
}

set_exists() {
	$IPSET -n list $1 &> /dev/null
}

set_lists() {
	$IPSET save | sed "s/^create \\([^ ]\\+\\) list:set.*/\\1/;ta;d;:a"
}

sets() {
	$IPSET -n list
}


depend() {
	before iptables ip6tables
}

start() {
	reload
}

stop() {
	ebegin "Flushing firewall IP sets"

	for name in $(set_lists); do
		ipset destroy $name
	done

	for name in $(sets); do
		ipset destroy $name
	done

	eend $STATUS
}

save() {
	ebegin "Saving firewall IP sets"

	ipset save | while read cmd; do
		set -- $cmd
		local action=$1
		local file=$DIR/$2
		shift 2
		if [ "$action" = create ]; then
			echo $* > $file
		elif [ "$action" = add ]; then
			echo $* >> $file
		fi
	done

	for name in $(set_files); do
		set_exists $name || rm -f $DIR/$name
	done

	eend $STATUS
}

reload() {
	ebegin "Loading firewall IP sets"

	local swap=
	for name in $(set_files); do
		local new=$name
		if set_exists $name; then
			new=_init_$name
			swap="$swap $name"
		fi
		echo create $new $(set_file $name | head -n 1)
	done | ipset restore

	(
		for name in $(set_files); do
			local new=$name
			set_exists _init_$name && new=_init_$name
			set_file $name | sed "1d;s/^/add $new /"
		done

		for name in $swap; do
			echo swap $name _init_$name
		done
	) | ipset restore

	for name in $(set_lists); do
		[ -f $DIR/$name ] || echo destroy $name
	done | ipset restore

	for name in $(sets); do
		[ -f $DIR/$name ] || echo destroy $name
	done | ipset restore

	eend $STATUS
}