From a61e0c9a5fb77a863de115251f906455bd1c9161 Mon Sep 17 00:00:00 2001
From: Erik Kapfer
Date: Thu, 1 Feb 2024 15:29:50 +0100
Subject: [PATCH] rules.pl: Extend firewall.local to use also IPSet set.

Fixes Bug: #13563
Since rules.pl does not load potential IPSet set in firewall.local, the clean up function in rules.pl tries to destroy them while an firewall restart.
Signed-off-by: Erik Kapfer
---
 config/firewall/rules.pl | 32 ++++++++++++++++++++++++++++++++
 1 file changed, 32 insertions(+)

diff --git a/config/firewall/rules.pl b/config/firewall/rules.pl
index 7edb910e2d..de5cb971f3 100644
--- a/config/firewall/rules.pl
+++ b/config/firewall/rules.pl
@@ -89,6 +89,7 @@ my $locationfile = "${General::swroot}/firewall/locationblock";
 my $configgrp = "${General::swroot}/fwhosts/customgroups";
 my $netsettings = "${General::swroot}/ethernet/settings";
 my $blocklistfile = "${General::swroot}/ipblocklist/settings";
+my $fwlocal = "/etc/sysconfig/firewall.local";
 &General::readhash("${General::swroot}/firewall/settings", \%fwdfwsettings);
 &General::readhash("${General::swroot}/optionsfw/settings", \%fwoptions);
@@ -163,6 +164,9 @@ sub main {
 # Handle ipblocklist.
 &ipblocklist();
+ # Handle firewall.local.
+ &fwlocal_sets();
+
 # Reload firewall policy.
 run("/usr/sbin/firewall-policy");
@@ -788,6 +792,34 @@ sub ipblocklist () {
 }
 }
+
+# Check if firewall.local uses IPSet sets and if so, load the set names.
+sub fwlocal_sets {
+ # Open firewall.local to loop through it.
+ open(my $FWL, "<", $fwlocal) or die "can not open $fwlocal:";
+
+ # Variable to store potential set names.
+ my %fwlocalsets;
+
+ # If firewall.local includes IPSet set, search for the set names.
+ while (my $fwlsets = <$FWL>) {
+ chomp $fwlsets;
+ while ($fwlsets =~ /--match-set\s+(\S+)/g) {
+ my $fwlsetnames = $1;
+ $fwlocalsets{$fwlsetnames} = 1;
+ }
+ }
+
+ # Close firewall.local.
+ close($FWL);
+
+ # Include firewall.local IPSet sets to load them.
+ foreach my $fwlsetnames (keys %fwlocalsets) {
+
+ # Call function to restore/local the set.
+ &ipset_restore($fwlsetnames);
+ }
+}
+
 sub get_protocols {
 my $hash = shift;
 my $key = shift;
-- 
2.47.2
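Review bot: The `open(...) or die` at the top of the new fwlocal_sets makes a missing or unreadable /etc/sysconfig/firewall.local fatal for the whole rules.pl run, so the firewall would come up without any generated rules just because an optional hook file is absent; an early `return unless -r $fwlocal;` before the open (or `open(...) or do { warn "can not open $fwlocal: $!"; return; }`) keeps the failure contained, and the message should carry `$!` either way. The `--match-set` scan also matches commented-out lines, so a disabled rule such as `#iptables ... -m set --match-set old src` still triggers `&ipset_restore` for a set that may no longer exist; whether that is harmless depends on ipset_restore, which is outside this hunk, so `next if $fwlsets =~ /^\s*#/;` right after the chomp is worth adding. Since the captured token is handed straight to ipset_restore, a cheap `next unless $fwlsetnames =~ /^[\w.:-]+$/;` would also keep odd tokens out of whatever that helper builds from the name; firewall.local is presumably root-owned, so this is defence in depth rather than a fix for a reachable issue. The comment `# Call function to restore/local the set.` reads as a typo for "load" and should say `# Restore/load the set.`.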