From bf29c1e7e95c00953da9430e4c5144ef2b79a361 Mon Sep 17 00:00:00 2001
From: Kristian Evensen
Date: Mon, 19 Aug 2019 14:45:57 +0200
Subject: firewall3: ipset: Handle reload_set properly

The reload_set option was added in commit 509e673dab01 ("firewall3: Improve ipset support"), and the purpose of the option is to control if a set should be flushed or not on a firewall reload. In some cases, the option unfortunately does not work properly. I had fixed the errors locally, but failed to submit a v2 of "Improve ipset support". This patch contains my local fixes, and after the following changes are applied, the option (as well as ipset support) works as I expect, at least.

The following errors have been fixed:

* "family" was not written to the state file, causing all sets read from this file to be considered as ipv4. Save family to ensure that sets are handled correctly on firewall reload.

* The default value of "reload_set" is false, meaning that the reload-check in "fw3_create_ipsets()" is always true (on reload). A consequence of this is that new sets are never created on firewall reload. In order to ensure that new sets are created, only consider "reload_set" if the set exists. If a set (from configuration) does not exist, we always want to create it.

* On reload and before "fw3_destroy_ipsets()" is called, we need to update run_state to ensure that sets are updated correctly. We need to check if the sets in run_state are found in cfg_state; if not, the set should be destroyed (done by forcing reload_set to true). If the set is found, then we copy the value of reload_set to the set in run_state so that the elements are updated as the user expects. Since we now always copy the value of reload_set from cfg_state, there is no need to write reload_set to run_state.

Signed-off-by: Kristian Evensen
---
 main.c | 1 +
 1 file changed, 1 insertion(+)

(limited to 'main.c')

diff --git a/main.c b/main.c
index 8d9a2e8..7ad00b4 100644
--- a/main.c
+++ b/main.c
@@ -354,6 +354,7 @@ reload(void) fw3_ipt_close(handle); } + fw3_ipsets_update_run_state(family, run_state, cfg_state); fw3_destroy_ipsets(run_state, family, true); family_set(run_state, family, false); -- cgit v1.2.1
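Review bot: The new call fw3_ipsets_update_run_state(family, run_state, cfg_state) in reload() is the only change in main.c, and the diffstat (1 file changed) shows neither its declaration nor its definition here; confirm the prototype in the ipsets header and the implementation land in the same commit, otherwise this revision does not build and bisecting breaks. The call is also placed directly before fw3_destroy_ipsets(run_state, family, true) with no return value checked, so if there is any situation in which run_state has no sets for this family (first reload after a fresh boot, or a state file that could not be read), state in a comment that the function tolerates an empty run_state, since the destroy pass with reload=true runs unconditionally afterwards and will act on whatever reload_set values the update left behind. A one-line comment above the call saying that it syncs reload_set from cfg_state and marks sets absent from cfg_state for destruction would make the ordering requirement (update before destroy) obvious to the next reader.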