firewall3: fix left shift on 64 bit systems in fw3_bitlen2netmask
diff --git
a/ipsets.c
b/ipsets.c
index
b63db21
..
993cc1f
100644
(file)
--- a/
ipsets.c
+++ b/
ipsets.c
@@
-107,6
+107,11
@@
check_types(struct uci_element *e, struct fw3_ipset *ipset)
{
for (i = 0; i < ARRAY_SIZE(ipset_types); i++)
{
{
for (i = 0; i < ARRAY_SIZE(ipset_types); i++)
{
+ /* skip type for v6 if it does not support family */
+ if (ipset->family != FW3_FAMILY_V4 &&
+ !(ipset_types[i].optional & OPT_FAMILY))
+ continue;
+
if (ipset_types[i].types == typelist)
{
ipset->method = ipset_types[i].method;
if (ipset_types[i].types == typelist)
{
ipset->method = ipset_types[i].method;
@@
-178,10
+183,10
@@
check_types(struct uci_element *e, struct fw3_ipset *ipset)
}
if (!(ipset_types[i].optional & OPT_FAMILY) &&
}
if (!(ipset_types[i].optional & OPT_FAMILY) &&
- ipset->family != FW3_FAMILY_
ANY
)
+ ipset->family != FW3_FAMILY_
V4
)
{
warn_elem(e, "family ignored");
{
warn_elem(e, "family ignored");
- ipset->family = FW3_FAMILY_
ANY
;
+ ipset->family = FW3_FAMILY_
V4
;
}
}
}
}
@@
-198,16
+203,14
@@
fw3_alloc_ipset(void)
{
struct fw3_ipset *ipset;
{
struct fw3_ipset *ipset;
- ipset = malloc(sizeof(*ipset));
-
+ ipset = calloc(1, sizeof(*ipset));
if (!ipset)
return NULL;
if (!ipset)
return NULL;
- memset(ipset, 0, sizeof(*ipset));
-
INIT_LIST_HEAD(&ipset->datatypes);
ipset->enabled = true;
INIT_LIST_HEAD(&ipset->datatypes);
ipset->enabled = true;
+ ipset->family = FW3_FAMILY_V4;
return ipset;
}
return ipset;
}
@@
-254,6
+257,14
@@
fw3_load_ipsets(struct fw3_state *state, struct uci_package *p)
//{
// warn_elem(e, "has duplicated set name '%s'", ipset->name);
//}
//{
// warn_elem(e, "has duplicated set name '%s'", ipset->name);
//}
+ else if (ipset->family == FW3_FAMILY_ANY)
+ {
+ warn_elem(e, "must not have family 'any'");
+ }
+ else if (ipset->iprange.set && ipset->family != ipset->iprange.family)
+ {
+ warn_elem(e, "has iprange of wrong address family");
+ }
else if (list_empty(&ipset->datatypes))
{
warn_elem(e, "has no datatypes assigned");
else if (list_empty(&ipset->datatypes))
{
warn_elem(e, "has no datatypes assigned");
@@
-276,9
+287,6
@@
create_ipset(struct fw3_ipset *ipset, struct fw3_state *state)
struct fw3_ipset_datatype *type;
struct fw3_ipset_datatype *type;
- if (ipset->external)
- return;
-
info(" * Creating ipset %s", ipset->name);
first = true;
info(" * Creating ipset %s", ipset->name);
first = true;
@@
-290,9
+298,12
@@
create_ipset(struct fw3_ipset *ipset, struct fw3_state *state)
first = false;
}
first = false;
}
+ if (ipset->method == FW3_IPSET_METHOD_HASH)
+ fw3_pr(" family inet%s", (ipset->family == FW3_FAMILY_V4) ? "" : "6");
+
if (ipset->iprange.set)
{
if (ipset->iprange.set)
{
- fw3_pr(" range %s", fw3_address_to_string(&ipset->iprange, false));
+ fw3_pr(" range %s", fw3_address_to_string(&ipset->iprange, false
, true
));
}
else if (ipset->portrange.set)
{
}
else if (ipset->portrange.set)
{
@@
-300,9
+311,6
@@
create_ipset(struct fw3_ipset *ipset, struct fw3_state *state)
ipset->portrange.port_min, ipset->portrange.port_max);
}
ipset->portrange.port_min, ipset->portrange.port_max);
}
- if (ipset->family != FW3_FAMILY_ANY)
- fw3_pr(" family inet%s", (ipset->family == FW3_FAMILY_V4) ? "" : "6");
-
if (ipset->timeout > 0)
fw3_pr(" timeout %u", ipset->timeout);
if (ipset->timeout > 0)
fw3_pr(" timeout %u", ipset->timeout);
@@
-321,31
+329,86
@@
create_ipset(struct fw3_ipset *ipset, struct fw3_state *state)
void
fw3_create_ipsets(struct fw3_state *state)
{
void
fw3_create_ipsets(struct fw3_state *state)
{
+ int tries;
+ bool exec = false;
struct fw3_ipset *ipset;
if (state->disable_ipsets)
return;
struct fw3_ipset *ipset;
if (state->disable_ipsets)
return;
+ /* spawn ipsets */
list_for_each_entry(ipset, &state->ipsets, list)
list_for_each_entry(ipset, &state->ipsets, list)
+ {
+ if (ipset->external)
+ continue;
+
+ if (!exec)
+ {
+ exec = fw3_command_pipe(false, "ipset", "-exist", "-");
+
+ if (!exec)
+ return;
+ }
+
create_ipset(ipset, state);
create_ipset(ipset, state);
+ }
+
+ if (exec)
+ {
+ fw3_pr("quit\n");
+ fw3_command_close();
+ }
+
+ /* wait for ipsets to appear */
+ list_for_each_entry(ipset, &state->ipsets, list)
+ {
+ if (ipset->external)
+ continue;
- fw3_pr("quit\n");
+ for (tries = 0; !fw3_check_ipset(ipset) && tries < 10; tries++)
+ usleep(50000);
+ }
}
void
fw3_destroy_ipsets(struct fw3_state *state)
{
}
void
fw3_destroy_ipsets(struct fw3_state *state)
{
- struct fw3_ipset *s;
+ int tries;
+ bool exec = false;
+ struct fw3_ipset *ipset;
- list_for_each_entry(s, &state->ipsets, list)
+ /* destroy ipsets */
+ list_for_each_entry(ipset, &state->ipsets, list)
{
{
- info(" * Deleting ipset %s", s->name);
+ if (!exec)
+ {
+ exec = fw3_command_pipe(false, "ipset", "-exist", "-");
- fw3_pr("flush %s\n", s->name);
- fw3_pr("destroy %s\n", s->name);
+ if (!exec)
+ return;
+ }
+
+ info(" * Deleting ipset %s", ipset->name);
+
+ fw3_pr("flush %s\n", ipset->name);
+ fw3_pr("destroy %s\n", ipset->name);
+ }
+
+ if (exec)
+ {
+ fw3_pr("quit\n");
+ fw3_command_close();
}
}
- fw3_pr("quit\n");
+ /* wait for ipsets to disappear */
+ list_for_each_entry(ipset, &state->ipsets, list)
+ {
+ if (ipset->external)
+ continue;
+
+ for (tries = 0; fw3_check_ipset(ipset) && tries < 10; tries++)
+ usleep(50000);
+ }
}
struct fw3_ipset *
}
struct fw3_ipset *
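Review bot: The new destroy loop in fw3_destroy_ipsets emits `flush`/`destroy` for every entry in state->ipsets, including sets marked external, while the create loop above it and the "wait for ipsets to disappear" loop both skip them with `if (ipset->external) continue;`. Unless external sets are meant to be torn down here (which the wait loop's skip suggests they are not), this flushes and destroys sets that firewall3 never created and that another process may own; the same guard should open the destroy loop body, before the `if (!exec)` pipe setup. Separately, both 10 × 50 ms wait loops fall through silently when the set never appears or disappears, so a later failure to reference the set will surface far from its cause; logging the timeout with the file's warning helper, e.g. `if (!fw3_check_ipset(ipset)) warn(" ! ipset %s did not appear", ipset->name);`, would make that diagnosable. Pulling the retry count and delay into named constants would also avoid the duplicated magic numbers between the two functions.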