From: Tim FitzGeorge
To: development@lists.ipfire.org
Subject: Re: [PATCH 04/12] rules.pl: Destroy all ipset lists on rule reload.
Date: Tue, 15 Feb 2022 19:28:18 +0000
Message-ID: <556eea03-d196-7ac4-b1f7-aad09939918b@tfitzgeorge.me.uk>
In-Reply-To: <57AC28ED-7999-416F-80F5-1E1F6A569EB2@ipfire.org>

Hello,

I'm concerned about this as well. Depending on when it does the ipset destroy it may be OK (for example as part of shutting down the system or prior to rebuilding the firewall from scratch, as in these cases it either won't matter or the IP blocklist ipsets will be reloaded), but in general I would consider it a bad idea to delete all the ipsets whether or not you 'own' them - each 'package' should only touch its own 'property', while this just deletes all the ipsets regardless.

Having said that, I think it will probably be alright as according to the documentation ipset destroy won't delete lists which have references to them, and the IP blocklist ipsets should always have references.

Tim

On 15/02/2022 12:41, Michael Tremer wrote:
> Hello,
>
> Looking at the other patchset that implements IP blocklists, could this interfere with this in any way?
>
> -Michael
>
>> On 14 Feb 2022, at 18:42, Stefan Schantl wrote:
>>
>> Signed-off-by: Stefan Schantl
>> ---
>> config/firewall/rules.pl | 4 ++++
>> 1 file changed, 4 insertions(+)
>>
>> diff --git a/config/firewall/rules.pl b/config/firewall/rules.pl
>> index f685d08a7..da01b8775 100644
>> --- a/config/firewall/rules.pl
>> +++ b/config/firewall/rules.pl
>> @@ -31,6 +31,7 @@ require "${General::swroot}/location-functions.pl"; >> my $DEBUG =3D 0; >> >> my $IPTABLES =3D "iptables --wait"; >> +my $IPSET =3D "ipset"; >> >> # iptables chains >> my $CHAIN_INPUT =3D "INPUTFW"; >> @@ -114,6 +115,9 @@ sub main { >> # Flush all chains. >> &flush(); >> >> + # Destroy all existing ipsets. >> + run("$IPSET destroy"); >> + >> # Prepare firewall rules. >> if (! -z "${General::swroot}/firewall/input"){ >> &buildrules(\%configinputfw); >> --=20 >> 2.30.2 >> > --===============0927289292723560253==--
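Review bot: `run("$IPSET destroy");` in the `sub main` hunk destroys every ipset on the system, not only the ones rules.pl created, and it is placed directly after `&flush();`, which removes exactly the rule references that would otherwise stop a set from being destroyed; any set that was kept alive only by rules in the flushed chains is gone on the next reload, while a set still referenced from elsewhere makes `ipset destroy` exit non-zero, a case the visible code does not check. Suggest destroying only the sets this script owns by name (for example selecting them from `ipset list -n` by a known prefix) rather than a bare `destroy`, and, if the full destroy is kept deliberately, replacing the comment `# Destroy all existing ipsets.` with one that states why it is safe for sets maintained by other components.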
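The selective approach argued for above (each component destroying only the sets it owns), written as an added example in the language of rules.pl. This is not code from the patch or from the IPFire project; the `FW_` name prefix, the `list_ipsets` and `destroy_own_ipsets` helpers, and the use of `system` in place of the script's own `run()` are assumptions made for the illustration.

```perl
#!/usr/bin/perl
# Added example, not part of rules.pl or IPFire: destroy only the ipsets this
# script created, identified by a name prefix, instead of a bare "ipset destroy".
use strict;
use warnings;

my $IPSET      = "ipset";
my $OWN_PREFIX = "FW_";   # hypothetical naming convention for sets we own

# Return the names of all ipsets currently defined on the system.
# "ipset list -n" prints one set name per line without member entries.
sub list_ipsets {
	my @names = qx($IPSET list -n);
	chomp @names;
	return @names;
}

# Destroy only the sets whose name starts with our prefix. A set that is still
# referenced by an iptables rule cannot be destroyed and makes ipset exit
# non-zero; collect those names so the caller can report them instead of
# silently continuing past a stale reference.
sub destroy_own_ipsets {
	my @mine = grep { /^\Q$OWN_PREFIX\E/ } list_ipsets();
	my @failed;
	for my $set (@mine) {
		system($IPSET, "destroy", $set) == 0 or push @failed, $set;
	}
	return @failed;
}

my @failed = destroy_own_ipsets();
warn "Could not destroy (still referenced?): @failed\n" if @failed;
```

Sets created by other components (such as IP blocklist sets) are never touched because they do not carry the prefix, so the order of the flush and destroy steps no longer decides whether another component's data survives a rule reload.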