From mboxrd@z Thu Jan 1 00:00:00 1970 From: Stefan Schantl To: development@lists.ipfire.org Subject: Re: [PATCH] rules.pl: Fix automatic ipset sets cleanup. Date: Tue, 26 Apr 2022 05:40:03 +0200 Message-ID: <78144988c1ba4abf9f22e9f95bd593efe025478f.camel@ipfire.org> In-Reply-To: <335d3bbf-f01e-e66f-6f3c-3c22717774d7@ipfire.org> MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="===============4986394162527536438==" List-Id: --===============4986394162527536438== Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: 8bit Hello Peter, > Hello Stefan, > > thank you for submitting this. > > Is this an important fix that has to go into Core Update 167? Or can > it wait > until the next Core Update? This is not an urgent fix, we are fine to ship it with C168. Best regards, -Stefan > > Thanks, and best regards, > Peter Müller > > > > The array of used/loaded ipsets needs to be reloaded before > > the cleanup can be started to also handle sets which are loaded > > during > > runtime. > > > > Signed-off-by: Stefan Schantl > > --- > >  config/firewall/rules.pl | 14 +++++++++++--- > >  1 file changed, 11 insertions(+), 3 deletions(-) > > > > diff --git a/config/firewall/rules.pl b/config/firewall/rules.pl > > index 649bd49f0..799b2667d 100644 > > --- a/config/firewall/rules.pl > > +++ b/config/firewall/rules.pl > > @@ -137,7 +137,7 @@ undef (@dummy); > >   > >  sub main { > >         # Get currently used ipset sets. > > -       &ipset_get_sets(); > > +       @ipset_used_sets = &ipset_get_sets(); > >   > >         # Flush all chains. > >         &flush(); > > @@ -993,6 +993,8 @@ sub firewall_chain_exists ($) { > >  } > >   > >  sub ipset_get_sets () { > > +       my @sets; > > + > >         # Get all currently used ipset lists and store them in an > > array. > >         my @output = `$IPSET -n list`; > >   
> > @@ -1002,14 +1004,17 @@ sub ipset_get_sets () { > >                 chomp($set); > >   > >                 # Add the set the array of used sets. > > -               push(@ipset_used_sets, $set); > > +               push(@sets, $set); > >         } > >   > >         # Display used sets in debug mode. > >         if($DEBUG) { > >                 print "Used ipset sets:\n"; > > -               print "@ipset_used_sets\n\n"; > > +               print "@sets\n\n"; > >         } > > + > > +       # Return the array of sets. > > +       return @sets; > >  } > >   > >  sub ipset_restore ($) { > > @@ -1089,6 +1094,9 @@ sub ipset_call_restore ($) { > >  } > >   > >  sub ipset_cleanup () { > > +       # Reload the array of used sets. > > +       @ipset_used_sets = &ipset_get_sets(); > > + > >         # Loop through the array of used sets. > >         foreach my $set (@ipset_used_sets) { > >                 # Check if this set is still in use. --===============4986394162527536438==--
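Review bot: in the hunk at @@ -993 (top of ipset_get_sets), the result of the backtick call my @output = `$IPSET -n list`; is returned to callers without any visible check of $?. Now that ipset_cleanup() relies on the return value, a failed ipset invocation yields an empty list that looks the same as "no sets loaded", and the cleanup silently does nothing. Consider testing $? after the call and printing a warning (at least in $DEBUG mode) before returning.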
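Review bot: in the hunk at @@ -1002, replacing push(@ipset_used_sets, $set) with push(@sets, $set) changes ipset_get_sets() from filling the global as a side effect to only returning a list, so any call site outside this diff that still calls &ipset_get_sets(); in void context would now leave @ipset_used_sets untouched. Only the calls in main() and ipset_cleanup() are converted here; please confirm there are no other callers, and a short comment above the sub stating that it returns the list and no longer modifies @ipset_used_sets would make the new contract explicit.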
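Review bot: in the hunk at @@ -1089 (ipset_cleanup), the new comment "# Reload the array of used sets." says what is done but not why, and the reason only appears in the commit message. Suggest folding it into the comment, for example "# Reload the array of used sets to also cover sets loaded during runtime.", so the second assignment to @ipset_used_sets is not later mistaken for a redundant copy of the one in main() and removed.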