From: Erik Kapfer Date: Thu, 1 Feb 2024 14:29:50 +0000 (+0100) Subject: rules.pl: Extend firewall.local to use also IPSet set. X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=refs%2Fheads%2Ffirewall_local_ipset;p=people%2Fummeegge%2Fipfire-2.x.git rules.pl: Extend firewall.local to use also IPSet set. Fixes Bug: #13563 Since rules.pl does not load potential IPSet set in firewall.local, the clean up function in rules.pl tries to destroy them while an firewall restart. Signed-off-by: Erik Kapfer --- diff --git a/config/firewall/rules.pl b/config/firewall/rules.pl index 7edb910e2d..de5cb971f3 100644 --- a/config/firewall/rules.pl +++ b/config/firewall/rules.pl @@ -89,6 +89,7 @@ my $locationfile = "${General::swroot}/firewall/locationblock"; my $configgrp = "${General::swroot}/fwhosts/customgroups"; my $netsettings = "${General::swroot}/ethernet/settings"; my $blocklistfile = "${General::swroot}/ipblocklist/settings"; +my $fwlocal = "/etc/sysconfig/firewall.local"; &General::readhash("${General::swroot}/firewall/settings", \%fwdfwsettings); &General::readhash("${General::swroot}/optionsfw/settings", \%fwoptions); @@ -163,6 +164,9 @@ sub main { # Handle ipblocklist. &ipblocklist(); + # Handle firewall.local. + &fwlocal_sets(); + # Reload firewall policy. run("/usr/sbin/firewall-policy"); 
@@ -788,6 +792,34 @@ sub ipblocklist () { } } ++# Check if firewall.local uses IPSet sets and if so, load the set names. +sub fwlocal_sets { + # Open firewall.local to loop through it. + open(my $FWL, "<", $fwlocal) or die "can not open $fwlocal:"; + + # Variable to store potential set names. + my %fwlocalsets; + + # If firewall.local includes IPSet set, search for the set names. + while (my $fwlsets = <$FWL>) { + chomp $fwlsets; + while ($fwlsets =~ /--match-set\s+(\S+)/g) { + my $fwlsetnames = $1; + $fwlocalsets{$fwlsetnames} = 1; + } + } + + # Close firewall.local. + close($FWL); + + # Include firewall.local IPSet sets to load them. + foreach my $fwlsetnames (keys %fwlocalsets) { + + # Call function to restore/local the set. + &ipset_restore($fwlsetnames); + } +} + sub get_protocols { my $hash = shift; my $key = shift;
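Review bot: The `open(my $FWL, "<", $fwlocal) or die "can not open $fwlocal:";` in the new `fwlocal_sets` turns a missing or unreadable firewall.local into a fatal error for the whole rules.pl run (main calls it just before `firewall-policy` is reloaded), and the message ends in a bare colon with no `$!`, so the reason is never logged. Since firewall.local is a user-maintained file, I would treat its absence as "nothing to do" and keep the reason on failure: `return unless -e $fwlocal;` followed by `open(my $FWL, "<", $fwlocal) or die "can not open $fwlocal: $!";`. The `/--match-set\s+(\S+)/g` scan also matches commented-out rules, so a set name that no active rule uses would be passed to `ipset_restore` (what that helper does with an unknown name is not visible in this hunk); a `next if $fwlsets =~ /^\s*#/;` before the inner loop would avoid that. Minor: the comment `# Call function to restore/local the set.` presumably means `restore/load`. The hunk's context lines belong to the end of `ipblocklist` and the start of `get_protocols`, whose bodies lie outside the hunk.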