diff --git a/.gitignore b/.gitignore index 0ad1a0f..39a9ee1 100644 --- a/.gitignore +++ b/.gitignore @@ -1 +1 @@ -SOURCES/ipset-6.29.tar.bz2 +SOURCES/ipset-6.38.tar.bz2 diff --git a/.ipset.metadata b/.ipset.metadata index 0a33019..9e70132 100644 --- a/.ipset.metadata +++ b/.ipset.metadata @@ -1 +1 @@ -fa11b387716544c798bc9549cedbd8dbee471605 SOURCES/ipset-6.29.tar.bz2 +7e5a25c449067e95c2e3a2c60768a1e301f12458 SOURCES/ipset-6.38.tar.bz2 diff --git a/SOURCES/ipset.start-stop b/SOURCES/ipset.start-stop index dd7071f..6c84bd3 100644 --- a/SOURCES/ipset.start-stop +++ b/SOURCES/ipset.start-stop @@ -1,210 +1,243 @@ -#!/bin/bash +#!/bin/sh # # ipset Start and stop ipset firewall sets # -# config: /etc/ipset/ipset -# +# config: /etc/sysconfig/ipset-config -IPSET=ipset -IPSET_BIN=/usr/sbin/${IPSET} -IPSET_DATA=/etc/sysconfig/${IPSET} +IPSET_BIN=/usr/sbin/ipset IPSET_CONFIG=/etc/sysconfig/ipset-config +IPSET_DATA_COMPAT=/etc/sysconfig/ipset +IPSET_DATA_COMPAT_BACKUP=${IPSET_DATA_COMPAT}.save +IPSET_DATA_DIR=/etc/sysconfig/ipset.d +IPSET_DATA_DIR_BACKUP=${IPSET_DATA_DIR}.save +IPSET_DATA_SAVED_FLAG=${IPSET_DATA_DIR}/.saved +IPSET_LOCK=/run/ipset.lock +IPSET_RUN=/run/ipset.run +CLEAN_FILES="" -TMP_FIFO=/tmp/${IPSET}.$$ - -if [[ ! -x ${IPSET_BIN} ]]; then - echo "${IPSET_BIN} does not exist." - exit 5 -fi +trap "rm -rf \${CLEAN_FILES}" EXIT -CLEAN_FILES=TMP_FIFO -trap "rm -f \$CLEAN_FILES" EXIT +[ -x ${IPSET_BIN} ] || { echo "ipset: Cannot execute ${IPSET_BIN}" >&2; exit 5; } -# Load ipset configuration -[[ -f "$IPSET_CONFIG" ]] && . "$IPSET_CONFIG" +# Source ipset configuration +[ -f ${IPSET_CONFIG} ] && . ${IPSET_CONFIG} -# Default ipset configuration: -[[ -z $IPSET_SAVE_ON_STOP ]] && IPSET_SAVE_ON_STOP=no +set -f -check_can_unload() { - # If the xt_set module is loaded and can't be unloaded, then iptables is - # using ipsets, so refuse to stop the service. - if [[ -n $(lsmod | grep "^xt_set ") ]]; then - rmmod xt_set 2>/dev/null - [[ $? -ne 0 ]] && echo Current iptables configuration requires ipsets && return 1 - fi - - return 0 +lock() { + CLEAN_FILES="${CLEAN_FILES} ${IPSET_LOCK}" + until mkdir ${IPSET_LOCK} 2>/dev/null; do :; done } -flush_n_delete() { - local ret=0 set - - # Flush sets - ${IPSET_BIN} flush - let ret+=$? +save() { + fail=0 + + # Make backups of existing configuration first, if any + [ -d ${IPSET_DATA_DIR} ] && mv -Tf ${IPSET_DATA_DIR} ${IPSET_DATA_DIR_BACKUP} + [ -f ${IPSET_DATA_COMPAT} ] && mv -Tf ${IPSET_DATA_COMPAT} ${IPSET_DATA_COMPAT_BACKUP} + + rm -f ${IPSET_DATA_SAVED_FLAG} + + # Save each set in a separate file + mkdir -pm 700 ${IPSET_DATA_DIR} + IFS=" +" + for set in $(${IPSET_BIN} list -n -t); do + # Empty name allowed, use ".set" as suffix. 'ipset save' doesn't + # quote set names with spaces: if we have a space in the name, + # work around this by quoting it ourselves in the output. + if expr index "${set}" " " >/dev/null; then + :> "${IPSET_DATA_DIR}/${set}.set" + for line in $(${IPSET_BIN} save "${set}"); do + create=0 + echo "${line}" | grep -q "^create " && create=1 + if [ $create -eq 1 ]; then + line=${line#create *} + else + line=${line#add *} + fi + line=${line#${set} *} + set="$(echo ${set} | sed 's/"/\\"/'g)" + if [ $create -eq 1 ]; then + echo "create \"${set}\" ${line}" >> "${IPSET_DATA_DIR}/${set}.set" + else + echo "add \"${set}\" ${line}" >> "${IPSET_DATA_DIR}/${set}.set" + fi + done + else + ${IPSET_BIN} save "${set}" > "${IPSET_DATA_DIR}/${set}.set" || fail=1 + fi + [ -f "${IPSET_DATA_DIR}/${set}.set" ] && chmod 600 "${IPSET_DATA_DIR}/${set}.set" + [ $fail -eq 1 ] && echo "ipset: Cannot save set ${set}" >&2 && unset IFS && return 1 + done + touch ${IPSET_DATA_SAVED_FLAG} || { unset IFS; return 1; } + unset IFS - # Delete ipset sets. If we don't do them individually, then none - # will be deleted unless they all can be. - for set in $(${IPSET_BIN} list -name); do - ${IPSET_BIN} destroy 2>/dev/null - [[ $? -ne 0 ]] && ret=1 - done + # Done: remove backups + rm -rf ${IPSET_DATA_DIR_BACKUP} + rm -rf ${IPSET_DATA_COMPAT_BACKUP} - return $ret + return 0 } -start_clean() -{ - mkfifo -m go= "${TMP_FIFO}" - [[ $? -ne 0 ]] && return 1 - - # Get the lists of sets in current(old) config and new config - old_sets="$(${IPSET_BIN} list -name | sort -u)" - new_sets="$(grep ^create "${IPSET_DATA}" | cut -d " " -f 2 | sort -u)" - - # List of sets no longer wanted - drop_sets="$( printf "%s\n" "${old_sets}" > "${TMP_FIFO}" & - printf "%s\n" "${new_sets}" | comm -23 "${TMP_FIFO}" - - )" - - # Get rid of sets no longer needed - # Unfortunately -! doesn't work for destroy, so we have to do it a command at a time - for dset in $drop_sets; do - ipset destroy $dset 2>/dev/null - # If it won't go - ? in use by iptables, just clear it - [[ $? -ne 0 ]] && ipset flush $dset - done +load() { + if [ -f ${IPSET_DATA_SAVED_FLAG} ]; then + # If we have a cleanly saved directory with all sets, we can + # delete any left-overs and use it + rm -rf ${IPSET_DATA_DIR_BACKUP} + rm -f ${IPSET_DATA_COMPAT_BACKUP} + else + # If sets weren't cleanly saved, restore from backups + [ -d ${IPSET_DATA_DIR_BACKUP} ] && rm -rf ${IPSET_DATA_DIR} && mv -Tf ${IPSET_DATA_DIR_BACKUP} ${IPSET_DATA_DIR} + [ -f ${IPSET_DATA_COMPAT_BACKUP} ] && rm -f ${IPSET_DATA_COMPAT} && mv -Tf ${IPSET_DATA_COMPAT_BACKUP} ${IPSET_DATA_COMPAT} + fi - # Now delete the set members no longer required - ${IPSET_BIN} save | grep "^add " | sort >${TMP_FIFO} & - grep "^add " ${IPSET_DATA} | sort | comm -23 ${TMP_FIFO} - | sed -e "s/^add /del /" \ - | ${IPSET_BIN} restore -! + if [ ! -d ${IPSET_DATA_DIR} -a ! -f ${IPSET_DATA_COMPAT} ]; then + echo "ipset: No existing configuration available, none loaded" + touch ${IPSET_RUN} + return + fi - # At last we can add the set members we haven't got - ipset restore -! <${IPSET_DATA} + # Merge all sets into temporary file + merged="$(mktemp -q /tmp/ipset.XXXXXX)" + CLEAN_FILES="${CLEAN_FILES} ${merged}" + chmod 600 "${merged}" + set +f + if [ -d ${IPSET_DATA_DIR} ]; then + for f in ${IPSET_DATA_DIR}/*; do + [ "${f}" = "${IPSET_DATA_DIR}/*" ] && break + cat "${f}" >> ${merged} + done + fi + set -f + [ -f ${IPSET_DATA_COMPAT} ] && cat ${IPSET_DATA_COMPAT} >> ${merged} + + # Drop sets that aren't in saved data, mark conflicts with existing sets + conflicts="" + IFS=" +" + for set in $(${IPSET_BIN} list -n -t); do + grep -q "^create ${set} " ${merged} && conflicts="${conflicts}|${set}" && continue + ${IPSET_BIN} destroy "${set}" 2>/dev/null + # We can't destroy the set if it's in use, flush it instead + [ $? -ne 0 ] && ${IPSET_BIN} flush "${set}" + done + unset IFS + conflicts="${conflicts#|*}" + + # Common case: if we have no conflicts, just restore in one shot + if [ -z "${conflicts}" ]; then + ${IPSET_BIN} restore -! < ${merged} + [ $? -ne 0 ] && echo "ipset: Failed to restore configured sets" >&2 + rm ${merged} + CLEAN_FILES="${CLEAN_FILES%* ${merged}}" + touch ${IPSET_RUN} + return + fi - rm ${TMP_FIFO} + # Find a salt for md5sum that makes names of saved sets unique + salt=0 + while true; do + unique=1 + IFS=" +" + for set in $(${IPSET_BIN} list -n -t); do + grep -q "^create $(echo ${salt}${set} | md5sum | head -c31) " ${merged} + [ $? -eq 0 ] && unique=0 && break + done + unset IFS + [ ${unique} -eq 1 ] && break + salt=$((salt + 1)) + done + + # Add sets, mangling names for conflicting sets + awk '/^(add|create) ('"${conflicts}"')/ { printf "%s ",$1; system("echo '${salt}'" $2 " | md5sum | head -c31"); $1=""; $2=""; print; next} {print}' ${merged} | ${IPSET_BIN} restore -! + + [ $? -ne 0 ] && echo "ipset: Failed to restore configured sets" >&2 + + # Swap and delete old sets + IFS='|' + for set in ${conflicts}; do + mangled="$(echo ${salt}${set} | md5sum | head -c31)" + ${IPSET_BIN} swap "${set}" "${mangled}" 2>/dev/null + if [ $? -ne 0 ]; then + # This fails if set types are different: try to destroy + # existing set + ${IPSET_BIN} destroy "${set}" 2>/dev/null + if [ $? -ne 0 ]; then + # Conflicting set is in use, we can only warn + # and flush the existing set + echo "ipset: Cannot load set \"${set}\", set with same name and conflicting type in use" >&2 + ${IPSET_BIN} flush "${set}" + ${IPSET_BIN} destroy "${mangled}" + else + ${IPSET_BIN} rename "${mangled}" "${set}" + fi + else + ${IPSET_BIN} destroy "${mangled}" + fi + done + unset IFS - return 0 + rm ${merged} + CLEAN_FILES="${CLEAN_FILES%* ${merged}}" + touch ${IPSET_RUN} } -start() { - # Do not start if there is no config file. - [[ ! -f "$IPSET_DATA" ]] && echo "Loaded with no configuration" && return 0 - - # We can skip the first bit and do a simple load if - # there is no current ipset configuration - res=1 - if [[ -n $(${IPSET_BIN} list -name) ]]; then - # The following may fail for some bizarre reason - start_clean - res=$? - - [[ $res -ne 0 ]] && echo "Some old configuration may remain" - fi - - # res -ne 0 => either start_clean failed, or we didn't need to run it - if [[ $res -ne 0 ]]; then - # This is the easy way to start but would leave any old - # entries still configured. Still, better than nothing - - # but fine if we had no config - ${IPSET_BIN} restore -! <${IPSET_DATA} - res=$? - fi - - if [[ $res -ne 0 ]]; then - return 1 - fi - - return 0 +cleanup() { + ${IPSET_BIN} flush || echo "ipset: Failed to flush sets" >&2 + + # Try to destroy all sets at once. This will fail if some are in use, + # destroy all the other ones in that case + ${IPSET_BIN} destroy 2>/dev/null && return + IFS=" +" + for set in $(${IPSET_BIN} list -n -t); do + ${IPSET_BIN} destroy "${set}" 2>/dev/null + done + unset IFS } stop() { - # Nothing to stop if ip_set module is not loaded. - lsmod | grep -q "^ip_set " - [[ $? -ne 0 ]] && return 6 - - flush_n_delete - [[ $? -ne 0 ]] && echo Warning: Not all sets were flushed/deleted - - return 0 -} - -save() { - # Do not save if ip_set module is not loaded. - lsmod | grep -q "^ip_set " - [[ $? -ne 0 ]] && return 6 - - if [[ -z $(${IPSET_BIN} list -name) ]]; then - if [[ -f $IPSET_DATA ]]; then - mv $IPSET_DATA $IPSET_DATA.save && chmod 600 $IPSET_DATA.save \ - || return 1 - fi - return 0 - fi - - ret=0 - TMP_FILE=$(/bin/mktemp -q /tmp/$IPSET.XXXXXX) \ - && CLEAN_FILES+=" $TMP_FILE" \ - && chmod 600 "$TMP_FILE" \ - && ${IPSET_BIN} save > $TMP_FILE 2>/dev/null \ - && [[ -s $TMP_FILE ]] \ - || ret=1 - - if [[ $ret -eq 0 ]]; then - # No need to do anything if the files are the same - if [[ ! -f $IPSET_DATA ]]; then - mv $TMP_FILE $IPSET_DATA && chmod 600 $IPSET_DATA || ret=1 - else - diff -q $TMP_FILE $IPSET_DATA >/dev/null - - if [[ $? -ne 0 ]]; then - if [[ -f $IPSET_DATA ]]; then - cp -f --preserve=timestamps $IPSET_DATA $IPSET_DATA.save \ - && chmod 600 $IPSET_DATA.save \ - || ret=1 - fi - if [[ $ret -eq 0 ]]; then - cp -f --preserve=timestamps $TMP_FILE $IPSET_DATA \ - && chmod 600 $IPSET_DATA \ - || ret=1 + [ -f ${IPSET_RUN} ] || { echo "ipset: not running"; return 0; } + [ "${IPSET_SAVE_ON_STOP}" = "yes" ] && { save || echo "ipset: Failed to save sets"; } + + # Nothing to stop if the ip_set module is not loaded + lsmod | grep -q "^ip_set " || { echo "ipset: not running"; rm ${IPSET_RUN}; return 0; } + + # If the xt_set module is in use, then iptables is using ipset, so + # refuse to stop the service + mod="$(lsmod | grep ^xt_set)" + if [ $? -eq 0 ]; then + if [ "$(echo ${mod} | tr -s ' ' | cut -d' ' -f3)" != "0" ]; then + echo "ipset: Current iptables configuration requires ipset" >&2 && return 1 fi - fi fi - fi - rm -f $TMP_FILE - return $ret -} + cleanup + rm ${IPSET_RUN} + return 0 +} +lock case "$1" in - start) - start - RETVAL=$? +start) + load ;; - stop) - check_can_unload || exit 1 - [[ $IPSET_SAVE_ON_STOP = yes ]] && save +stop) stop - RETVAL=$? - [[ $RETVAL -eq 6 ]] && echo "${IPSET}: not running" && exit 0 ;; - reload) - stop - RETVAL=$? - [[ $RETVAL -eq 6 ]] && echo "${IPSET}: not running" && exit 0 - start - RETVAL=$? +reload) + cleanup + load + ;; +save) + save ;; - save) - save - RETVAL=$? - ;; - *) - echo "Usage: $IPSET {start|stop|reload}" >&2 +*) + echo "Usage: $0 {start|stop|reload|save}" >&2 exit 1 esac -exit $RETVAL +exit $? diff --git a/SPECS/ipset.spec b/SPECS/ipset.spec index 976e03c..bbcf667 100644 --- a/SPECS/ipset.spec +++ b/SPECS/ipset.spec @@ -2,8 +2,8 @@ %define legacy_actions %{_libexecdir}/initscripts/legacy-actions Name: ipset -Version: 6.29 -Release: 1%{?dist} +Version: 6.38 +Release: 2%{?dist} Summary: Manage Linux IP sets License: GPLv2 @@ -136,6 +136,20 @@ fi %postun service %systemd_postun_with_restart %{name}.service +%triggerin service -- ipset-service < 6.38-1%{?dist} +# Before 6.38-1, ipset.start-stop keeps a backup of previously saved sets, but +# doesn't touch the /etc/sysconfig/ipset.d/.saved flag. Remove the backup on +# upgrade, so that we use the current version of saved sets +rm -f /etc/sysconfig/ipset.save || : +exit 0 + +%triggerun service -- ipset-service < 6.38-1%{?dist} +# Up to 6.29-1, ipset.start-stop uses a single data file +for f in /etc/sysconfig/ipset.d/*; do + [ "${f}" = "/etc/sysconfig/ipset.d/*" ] && break + cat ${f} >> /etc/sysconfig/ipset || : +done +exit 0 %files %doc COPYING ChangeLog @@ -144,7 +158,7 @@ fi %files libs %doc COPYING -%{_libdir}/lib%{name}.so.3* +%{_libdir}/lib%{name}.so.11* %files devel %{_includedir}/lib%{name} @@ -162,6 +176,18 @@ fi %changelog +* Wed Jun 27 2018 Stefano Brivio - 6.38-2 +- Fix upgrade and downgrade triggers in specfile (RHBZ#1594722) + +* Mon Apr 16 2018 Stefano Brivio - 6.38-1 +- Rebase to 6.38 (RHBZ#1557600): + - hash:ipmac type support added to ipset, userspace part (Tomasz Chilinski) +- Refactor /etc/sysconfig/ipset.start-stop +- Fixes: + - IPSet Service Monolithic Operation (RHBZ#1440741) + - "systemctl start ipset" doesn't handle existing ipset's having counters + (RHBZ#1502212) + * Wed Feb 1 2017 Thomas Woerner - 6.29-1 - Rebase to 6.29 (RHBZ#1351299) - Fixes: