From: Stefan Schantl
Date: Fri, 14 Apr 2023 16:28:04 +0000 (+0200)
Subject: firewall: Use cleanup_ipsets() function from ipset-functions library
X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=b58eeafced870d50cd86a37d41e34129573df1a4;p=people%2Fstevee%2Fipfire-2.x.git

firewall: Use cleanup_ipsets() function from ipset-functions library

Asking the kernel for all known sets and unloading unused ones is a much smarter approach than the old one.

Signed-off-by: Stefan Schantl
---

diff --git a/config/firewall/rules.pl b/config/firewall/rules.pl
index 6c08feb863..daebea01a6 100644
--- a/config/firewall/rules.pl
+++ b/config/firewall/rules.pl
@@ -27,6 +27,7 @@ require "${General::swroot}/lang.pl";
 require "/usr/lib/firewall/firewall-lib.pl";
 require "${General::swroot}/location-functions.pl";
 require "${General::swroot}/ipblocklist-functions.pl";
+require "${General::swroot}/ipset-functions.pl";
 
 # Set to one to enable debugging mode.
 my $DEBUG = 0;
@@ -136,9 +137,6 @@ undef (@dummy);
 &main();
 
 sub main {
-	# Get currently used ipset sets.
-	@ipset_used_sets = &ipset_get_sets();
-
 	# Flush all chains.
 	&flush();
 
@@ -166,7 +164,7 @@ sub main {
 	run("/usr/sbin/firewall-policy");
 
 	# Cleanup not longer needed ipset sets.
-	&ipset_cleanup();
+	&IPSet::Functions::cleanup_ipsets();
 
 	#Reload firewall.local if present
 	if ( -f '/etc/sysconfig/firewall.local'){
@@ -1108,20 +1106,3 @@ sub ipset_call_restore ($) {
 		run("$IPSET restore -f $file");
 	}
 }
-
-sub ipset_cleanup () {
-	# Reload the array of used sets.
-	@ipset_used_sets = &ipset_get_sets();
-
-	# Loop through the array of used sets.
-	foreach my $set (@ipset_used_sets) {
-		# Check if this set is still in use.
-		#
-		# In this case an entry in the loaded sets hash exists.
-		unless($ipset_loaded_sets{$set}) {
-			# Entry does not exist, so this set is not longer
-			# used and can be destroyed.
-			run("$IPSET destroy $set");
-		}
-	}
-}
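Review bot: The new call `&IPSet::Functions::cleanup_ipsets();` passes nothing, so the library is no longer told which sets this run loaded (the `%ipset_loaded_sets` check the removed ipset_cleanup() relied on); it presumably depends on the kernel refusing to destroy a set that a live rule still references, which only holds because the call sits after `run("/usr/sbin/firewall-policy")` — that ordering deserves a comment such as `# Must run after the ruleset is installed, otherwise sets still needed by rules would be destroyed.`. Since the replacement lives in ipset-functions.pl, outside this diff, the remaining thing to verify is that it does not interpolate kernel-reported set names into a shell command string the way the removed `run("$IPSET destroy $set")` did, and that a refused destroy is reported rather than silently ignored. With ipset_cleanup() and the assignment in main() both removed, `@ipset_used_sets` and `&ipset_get_sets()` have no caller left in the visible hunks; if they are still declared or defined elsewhere in rules.pl they are now dead code and should be dropped in the same change. main() starts and ends outside the hunk.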