diff options
| author | Kristian Evensen <kristian.evensen@gmail.com> | 2019-08-19 14:45:57 +0200 |
|---|---|---|
| committer | Kevin Darbyshire-Bryant <ldir@darbyshire-bryant.me.uk> | 2019-08-19 20:40:35 +0100 |
| commit | bf29c1e7e95c00953da9430e4c5144ef2b79a361 (patch) | |
| tree | f95eaa960644754e3ae044ab8de8e69b57ebc771 /main.c | |
| parent | 509e673dab011851ed084ca592c557ee395fddd4 (diff) | |
| download | firewall3-bf29c1e7e95c00953da9430e4c5144ef2b79a361.tar.gz | |
firewall3: ipset: Handle reload_set properly
The reload_set option was added in commit 509e673dab01 ("firewall3:
Improve ipset support"), and the purpose of the option is to control if
a set should be flushed or not on a firewall reload.
In some cases, the option unfortunately does not work properly. I had
fixed the errors locally, but failed to submit a v2 of "Improve ipset
support". This patch contains my local fixes, and after the following
changes are applied then the option (as well as ipset support) works as
at least I expect.
The following errors have been fixed:
* "family" was not written to the state file, causing all sets read from
this file was considered as ipv4. Save family to ensure that sets are
handled correctly on firewall reload.
* The default value of "reload_set" is false, meaning that the
reload-check in "fw3_create_ipsets()" is always true (on reload). A
consequence of this is that new sets are never created on firewall
reload. In order to ensure that new sets are created, only consider
"reload_set" if the set exists. If a set (from configuration) does not
exist, we always want to create it.
* On reload and before "fw3_destroy_ipsets()" are called, we need to
update run_state to ensure that sets are updated correctly. We need to
check if the sets in run_state is found in cfg_state, if not the set
should be destroyed (done by forcing reload_set to true). If the set is
found, then we copy the value of reload_set to the set in run_state so
that the elements are updated as the user expects.
Since we now always copy the value of reload_set from cfg_state, there
is no need to write reload_set to run_state.
Signed-off-by: Kristian Evensen <kristian.evensen@gmail.com>
Diffstat (limited to 'main.c')
| -rw-r--r-- | main.c | 1 |
1 files changed, 1 insertions, 0 deletions
@@ -354,6 +354,7 @@ reload(void) fw3_ipt_close(handle); } + fw3_ipsets_update_run_state(family, run_state, cfg_state); fw3_destroy_ipsets(run_state, family, true); family_set(run_state, family, false); |