This commit allows the ipset_restore() function to auto-detect which set file needs to be restored.
Currently it is limited to country codes only, because we currently do not support anything else.
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org --- config/firewall/rules.pl | 14 ++++++++++++-- 1 file changed, 12 insertions(+), 2 deletions(-)
diff --git a/config/firewall/rules.pl b/config/firewall/rules.pl index b12764d18..b8c602538 100644 --- a/config/firewall/rules.pl +++ b/config/firewall/rules.pl @@ -945,8 +945,9 @@ sub ipset_get_sets () { sub ipset_restore ($) { my ($set) = @_;
- my $file_prefix = "ipset4"; - my $db_file = "$Location::Functions::ipset_db_directory/$set.$file_prefix"; + # Empty variable to store the db file, which should be + # restored by ipset. + my $db_file;
# Check if the set already has been loaded. if($ipset_loaded_sets{$set}) { @@ -954,6 +955,15 @@ sub ipset_restore ($) { return; }
+ # Check if the given set name is a country code. + if($set ~~ @locations) { + # Libloc adds "ipset4" as prefix to all exported IPv4 data. + my $file_prefix = "ipset4"; + + # Generate full path and filename for the ipset db file to restore. + $db_file = "$Location::Functions::ipset_db_directory/$set.$file_prefix"; + } + # Check if the generated file exists. if (-f $db_file) { # Run ipset and restore the given set.
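Review bot: In the second hunk (@@ -954), $db_file is only assigned inside the `if($set ~~ @locations)` block, so for any set name that is not a country code the following `if (-f $db_file)` tests an undefined value; the restore does not happen and, under `use warnings`, Perl emits an "uninitialized value" warning. Return early or log when no branch matched, for example `return unless defined $db_file;`, so an unknown set name is handled explicitly. Two smaller points: the smartmatch operator `~~` has been marked experimental since Perl 5.18, so `grep { $_ eq $set } @locations` is the safer membership test, and `$file_prefix` is appended after the set name, so it is a suffix and the variable and comment should say so.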
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org --- config/firewall/firewall-lib.pl | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/config/firewall/firewall-lib.pl b/config/firewall/firewall-lib.pl index f4089a3a0..7d35d5686 100644 --- a/config/firewall/firewall-lib.pl +++ b/config/firewall/firewall-lib.pl @@ -466,7 +466,7 @@ sub get_address # Get external interface. my $external_interface = &get_external_interface();
- push(@ret, ["-m set --match-set CC_$value src", "$external_interface"]); + push(@ret, ["-m set --match-set $value src", "$external_interface"]); }
# Handle rule options with a location as target. @@ -476,7 +476,7 @@ sub get_address # Get external interface. my $external_interface = &get_external_interface();
- push(@ret, ["-m set --match-set CC_$value dst", "$external_interface"]); + push(@ret, ["-m set --match-set $value dst", "$external_interface"]); }
# If nothing was selected, we assume "any".
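Review bot: Both hunks (@@ -466 and @@ -476) now use $value unchanged as the set name in `--match-set $value src` and `--match-set $value dst`, and the commit has no message explaining why the "CC_" prefix is dropped or which component now produces set names that match. Please add a description, and since the prefix no longer constrains the name, check $value against the known location codes before building the iptables arguments so that an unexpected value cannot reference an unrelated set.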
Hello Stefan,
Thank you for this patch. It is however already obsolete due to my changes to libloc:
https://lists.ipfire.org/pipermail/location/2022-March/000536.html
Could you please send some follow-up patches that update this to the latest naming convention?
Would you also take care of packaging libloc for IPFire 2?
Best, -Michael
On 2 Mar 2022, at 19:43, Stefan Schantl stefan.schantl@ipfire.org wrote:
Signed-off-by: Stefan Schantl stefan.schantl@ipfire.org
config/firewall/firewall-lib.pl | 4 ++-- 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/config/firewall/firewall-lib.pl b/config/firewall/firewall-lib.pl index f4089a3a0..7d35d5686 100644 --- a/config/firewall/firewall-lib.pl +++ b/config/firewall/firewall-lib.pl @@ -466,7 +466,7 @@ sub get_address # Get external interface. my $external_interface = &get_external_interface();
push(@ret, ["-m set --match-set CC_$value src", "$external_interface"]);
push(@ret, ["-m set --match-set $value src", "$external_interface"]);
}
# Handle rule options with a location as target.
@@ -476,7 +476,7 @@ sub get_address # Get external interface. my $external_interface = &get_external_interface();
push(@ret, ["-m set --match-set CC_$value dst", "$external_interface"]);
push(@ret, ["-m set --match-set $value dst", "$external_interface"]);
}
# If nothing was selected, we assume "any".
-- 2.30.2