From mboxrd@z Thu Jan 1 00:00:00 1970 From: Michael Tremer To: development@lists.ipfire.org Subject: Re: [PATCH 1/2] rules.pl: Allow dynamic destory of loaded but unused ipset sets. Date: Tue, 01 Mar 2022 13:23:22 +0000 Message-ID: In-Reply-To: <20220227134903.1828-1-stefan.schantl@ipfire.org> MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="===============7367569328163969458==" List-Id: --===============7367569328163969458== Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Hello, > On 27 Feb 2022, at 13:49, Stefan Schantl wrot= e: >=20 > Instead of stupidly destroying all ipsets, we now grab the already loaded s= ets > and compare them with the loaded sets during runtime of the script. >=20 > So we are now able to determine which sets are not longer required and > safely can destroy (unload) at a later time. >=20 > This saves us from taking care about dropping/flushing rules which are > based on ipset before we can destroy them - because only unused sets are > affected. >=20 > Signed-off-by: Stefan Schantl > Inspired-by: Tim FitzGeorge LOL. This isn=E2=80=99t an official tag :) But nevertheless: Reviewed-by: Michael Tremer > --- > config/firewall/rules.pl | 68 ++++++++++++++++++++++++++++++---------- > 1 file changed, 52 insertions(+), 16 deletions(-) >=20 > diff --git a/config/firewall/rules.pl b/config/firewall/rules.pl > index 927c1f2ba..7a7c8ed31 100644 > --- a/config/firewall/rules.pl > +++ b/config/firewall/rules.pl > @@ -70,7 +70,8 @@ my %confignatfw=3D(); > my %locationsettings =3D ( > "LOCATIONBLOCK_ENABLED" =3D> "off" > ); > -my %loaded_ipset_lists=3D(); > +my %ipset_loaded_sets =3D (); > +my @ipset_used_sets =3D (); >=20 > my $configfwdfw =3D "${General::swroot}/firewall/config"; > my $configinput =3D "${General::swroot}/firewall/input"; > @@ -114,12 +115,12 @@ undef (@dummy); > &main(); >=20 > sub main { > + # Get currently used ipset sets. > + &ipset_get_sets(); > + > # Flush all chains. > &flush(); >=20 > - # Destroy all existing ipsets. > - run("$IPSET destroy"); > - > # Prepare firewall rules. > if (! -z "${General::swroot}/firewall/input"){ > &buildrules(\%configinputfw); > @@ -137,6 +138,9 @@ sub main { > # Reload firewall policy. > run("/usr/sbin/firewall-policy"); >=20 > + # Cleanup not longer needed ipset sets. > + &ipset_cleanup(); > + > #Reload firewall.local if present > if ( -f '/etc/sysconfig/firewall.local'){ > run("/etc/sysconfig/firewall.local reload"); > @@ -189,9 +193,6 @@ sub flush { > run("$IPTABLES -t nat -F $CHAIN_NAT_SOURCE"); > run("$IPTABLES -t nat -F $CHAIN_NAT_DESTINATION"); > run("$IPTABLES -t mangle -F $CHAIN_MANGLE_NAT_DESTINATION_FIX"); > - > - # Flush LOCATIONBLOCK chain. > - run("$IPTABLES -F LOCATIONBLOCK"); > } >=20 > sub buildrules { > @@ -639,7 +640,8 @@ sub time_convert_to_minutes { > } >=20 > sub locationblock { > - # The LOCATIONBLOCK chain now gets flushed by the flush() function. > + # Flush LOCATIONBLOCK chain. > + run("$IPTABLES -F LOCATIONBLOCK"); >=20 > # If location blocking is not enabled, we are finished here. > if ($locationsettings{'LOCATIONBLOCK_ENABLED'} ne "on") { > @@ -669,7 +671,7 @@ sub locationblock { > &ipset_restore($location); >=20 > # Call iptables and create rule to use the loaded ipset list. > - run("$IPTABLES -A LOCATIONBLOCK -m set --match-set CC_$location src -j = DROP"); > + run("$IPTABLES -A LOCATIONBLOCK -m set --match-set $location src -j DRO= P"); > } > } > } > @@ -887,24 +889,58 @@ sub firewall_is_in_subnet { > return 0; > } >=20 > +sub ipset_get_sets () { > + # Get all currently used ipset lists and store them in an array. > + my @output =3D `$IPSET -n list`; > + > + # Loop through the temporary array. > + foreach my $set (@output) { > + # Remove any newlines. > + chomp($set); > + > + # Add the set the array of used sets. > + push(@ipset_used_sets, $set); > + } > + > + # Display used sets in debug mode. > + if($DEBUG) { > + print "Used ipset sets:\n"; > + print "@ipset_used_sets\n\n"; > + } > +} > + > sub ipset_restore ($) { > - my ($list) =3D @_; > + my ($set) =3D @_; >=20 > my $file_prefix =3D "ipset4"; > - my $db_file =3D "$Location::Functions::ipset_db_directory/$list.$file_pre= fix"; > + my $db_file =3D "$Location::Functions::ipset_db_directory/$set.$file_pref= ix"; >=20 > - # Check if the network list already has been loaded. > - if($loaded_ipset_lists{$list}) { > + # Check if the set already has been loaded. > + if($ipset_loaded_sets{$set}) { > # It already has been loaded - so there is nothing to do. > return; > } >=20 > # Check if the generated file exists. > if (-f $db_file) { > - # Run ipset and restore the list of the given country code. > + # Run ipset and restore the given set. > run("$IPSET restore < $db_file"); >=20 > - # Store the restored list name to the hash to prevent from loading it ag= ain. > - $loaded_ipset_lists{$list} =3D "1"; > + # Store the restored set to the hash to prevent from loading it again. > + $ipset_loaded_sets{$set} =3D "1"; > + } > +} > + > +sub ipset_cleanup () { > + # Loop through the array of used sets. > + foreach my $set (@ipset_used_sets) { > + # Check if this set is still in use. > + # > + # In this case an entry in the loaded sets hash exists. > + unless($ipset_loaded_sets{$set}) { > + # Entry does not exist, so this set is not longer > + # used and can be destroyed. > + run("$IPSET destroy $set"); > + } > } > } > --=20 > 2.30.2 >=20 --===============7367569328163969458==--