diff --git a/SOURCES/ipset-config b/SOURCES/ipset-config
new file mode 100644
index 0000000..decb760
--- /dev/null
+++ b/SOURCES/ipset-config
@@ -0,0 +1,5 @@
+# Save current ipsets on stop.
+# Value: yes|no, default: no
+# Saves all ipsets to /etc/ipset/ipset if service gets stopped
+# (e.g. on system shutdown).
+IPSET_SAVE_ON_STOP="no"
diff --git a/SOURCES/ipset.save-legacy b/SOURCES/ipset.save-legacy
new file mode 100644
index 0000000..39db1cf
--- /dev/null
+++ b/SOURCES/ipset.save-legacy
@@ -0,0 +1,2 @@
+#!/bin/bash
+exec /usr/libexec/ipset/ipset.start-stop save
diff --git a/SOURCES/ipset.service b/SOURCES/ipset.service
new file mode 100644
index 0000000..65c3121
--- /dev/null
+++ b/SOURCES/ipset.service
@@ -0,0 +1,19 @@
+[Unit]
+Description=IP sets for iptables
+Before=iptables.service
+Before=ip6tables.service
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+ExecStart=/usr/libexec/ipset/ipset.start-stop start
+ExecStop=/usr/libexec/ipset/ipset.start-stop stop
+ExecReload=/usr/libexec/ipset/ipset.start-stop reload
+# Save current ipset entries on stop.
+# Value: yes|no, default: no
+# Saves all ipsets to /etc/sysconfig/ipset if ipset gets stopped
+Environment=IPSET_SAVE_ON_STOP=no
+EnvironmentFile=-/etc/sysconfig/ipset-config
+
+[Install]
+WantedBy=basic.target
diff --git a/SOURCES/ipset.start-stop b/SOURCES/ipset.start-stop
new file mode 100644
index 0000000..92e9157
--- /dev/null
+++ b/SOURCES/ipset.start-stop
@@ -0,0 +1,204 @@
+#!/bin/bash
+#
+# ipset Start and stop ipset firewall sets
+#
+# config: /etc/ipset/ipset
+#
+
+IPSET=ipset
+IPSET_BIN=/usr/sbin/${IPSET}
+IPSET_DATA=/etc/sysconfig/${IPSET}
+IPSET_CONFIG=/etc/sysconfig/ipset-config
+
+TMP_FIFO=/tmp/${IPSET}.$$
+
+if [[ ! -x ${IPSET_BIN} ]]; then
+ echo "${IPSET_BIN} does not exist."
+ exit 5
+fi
+
+CLEAN_FILES=TMP_FIFO
+trap "rm -f \$CLEAN_FILES" EXIT
+
+# Load ipset configuration
+[[ -f "$IPSET_CONFIG" ]] && . "$IPSET_CONFIG"
+
+# Default ipset configuration:
+[[ -z $IPSET_SAVE_ON_STOP ]] && IPSET_SAVE_ON_STOP=no
+
+check_can_unload() {
+ # If the xt_set module is loaded and can't be unloaded, then iptables is
+ # using ipsets, so refuse to stop the service.
+ if [[ -n $(lsmod | grep "^xt_set ") ]]; then
+ rmmod xt_set 2>/dev/null
+ [[ $? -ne 0 ]] && echo Current iptables configuration requires ipsets && return 1
+ fi
+
+ return 0
+}
+
+flush_n_delete() {
+ local ret=0 set
+
+ # Flush sets
+ ${IPSET_BIN} flush
+ let ret+=$?
+
+ # Delete ipset sets. If we don't do them individually, then none
+ # will be deleted unless they all can be.
+ for set in $(${IPSET_BIN} list -name); do
+ ${IPSET_BIN} destroy 2>/dev/null
+ [[ $? -ne 0 ]] && ret=1
+ done
+
+ return $ret
+}
+
+start_clean()
+{
+ mkfifo -m go= "${TMP_FIFO}"
+ [[ $? -ne 0 ]] && return 1
+
+ # Get the lists of sets in current(old) config and new config
+ old_sets="$(${IPSET_BIN} list -name | sort -u)"
+ new_sets="$(grep ^create "${IPSET_DATA}" | cut -d " " -f 2 | sort -u)"
+
+ # List of sets no longer wanted
+ drop_sets="$( printf "%s\n" "${old_sets}" > "${TMP_FIFO}" &
+ printf "%s\n" "${new_sets}" | comm -23 "${TMP_FIFO}" -
+ )"
+
+ # Get rid of sets no longer needed
+ # Unfortunately -! doesn't work for destroy, so we have to do it a command at a time
+ for dset in $drop_sets; do
+ ipset destroy $dset 2>/dev/null
+ # If it won't go - ? in use by iptables, just clear it
+ [[ $? -ne 0 ]] && ipset flush $dset
+ done
+
+ # Now delete the set members no longer required
+ ${IPSET_BIN} save | grep "^add " | sort >${TMP_FIFO} &
+ grep "^add " ${IPSET_DATA} | sort | comm -23 ${TMP_FIFO} - | sed -e "s/^add /del /" \
+ | ${IPSET_BIN} restore -!
+
+ # At last we can add the set members we haven't got
+ ipset restore -! <${IPSET_DATA}
+
+ rm ${TMP_FIFO}
+
+ return 0
+}
+
+start() {
+ # Do not start if there is no config file.
+ [[ ! -f "$IPSET_DATA" ]] && echo "Loaded with no configuration" && return 0
+
+ # We can skip the first bit and do a simple load if
+ # there is no current ipset configuration
+ res=1
+ if [[ -n $(${IPSET_BIN} list -name) ]]; then
+ # The following may fail for some bizarre reason
+ start_clean
+ res=$?
+
+ [[ $res -ne 0 ]] && echo "Some old configuration may remain"
+ fi
+
+ # res -ne 0 => either start_clean failed, or we didn't need to run it
+ if [[ $res -ne 0 ]]; then
+ # This is the easy way to start but would leave any old
+ # entries still configured. Still, better than nothing -
+ # but fine if we had no config
+ ${IPSET_BIN} restore -! <${IPSET_DATA}
+ res=$?
+ fi
+
+ if [[ $res -ne 0 ]]; then
+ return 1
+ fi
+
+ return 0
+}
+
+stop() {
+ # Nothing to stop if ip_set module is not loaded.
+ lsmod | grep -q "^ip_set "
+ [[ $? -ne 0 ]] && return 6
+
+ flush_n_delete
+ [[ $? -ne 0 ]] && echo Warning: Not all sets were flushed/deleted
+
+ return 0
+}
+
+save() {
+ # Do not save if ip_set module is not loaded.
+ lsmod | grep -q "^ip_set "
+ [[ $? -ne 0 ]] && return 6
+
+ [[ -z $(${IPSET_BIN} list -name) ]] && return 0
+
+ ret=0
+ TMP_FILE=$(/bin/mktemp -q /tmp/$IPSET.XXXXXX) \
+ && CLEAN_FILES+=" $TMP_FILE" \
+ && chmod 600 "$TMP_FILE" \
+ && ${IPSET_BIN} save > $TMP_FILE 2>/dev/null \
+ && [[ -s $TMP_FILE ]] \
+ || ret=1
+
+ if [[ $ret -eq 0 ]]; then
+ # No need to do anything if the files are the same
+ if [[ ! -f $IPSET_DATA ]]; then
+ mv $TMP_FILE $IPSET_DATA && chmod 600 $IPSET_DATA || ret=1
+ else
+ diff -q $TMP_FILE $IPSET_DATA >/dev/null
+
+ if [[ $? -ne 0 ]]; then
+ if [[ -f $IPSET_DATA ]]; then
+ cp -f --preserve=timestamps $IPSET_DATA $IPSET_DATA.save \
+ && chmod 600 $IPSET_DATA.save \
+ || ret=1
+ fi
+ if [[ $ret -eq 0 ]]; then
+ cp -f --preserve=timestamps $TMP_FILE $IPSET_DATA \
+ && chmod 600 $IPSET_DATA \
+ || ret=1
+ fi
+ fi
+ fi
+ fi
+
+ rm -f $TMP_FILE
+ return $ret
+}
+
+
+case "$1" in
+ start)
+ start
+ RETVAL=$?
+ ;;
+ stop)
+ check_can_unload || exit 1
+ [[ $IPSET_SAVE_ON_STOP = yes ]] && save
+ stop
+ RETVAL=$?
+ [[ $RETVAL -eq 6 ]] && echo "${IPSET}: not running" && exit 0
+ ;;
+ reload)
+ stop
+ RETVAL=$?
+ [[ $RETVAL -eq 6 ]] && echo "${IPSET}: not running" && exit 0
+ start
+ RETVAL=$?
+ ;;
+ save)
+ save
+ RETVAL=$?
+ ;;
+ *)
+ echo "Usage: $IPSET {start|stop|reload}" >&2
+ exit 1
+esac
+
+exit $RETVAL
diff --git a/SPECS/ipset.spec b/SPECS/ipset.spec
index 99f8cf7..e5b5ab3 100644
--- a/SPECS/ipset.spec
+++ b/SPECS/ipset.spec
@@ -1,22 +1,29 @@
-Name: ipset
-Version: 6.19
-Release: 4%{?dist}
-Summary: Manage Linux IP sets
+# service legacy actions
+%define legacy_actions %{_libexecdir}/initscripts/legacy-actions
-License: GPLv2
-URL: http://ipset.netfilter.org/
-Source0: http://ipset.netfilter.org/%{name}-%{version}.tar.bz2
+Name: ipset
+Version: 6.19
+Release: 6%{?dist}
+Summary: Manage Linux IP sets
-BuildRequires: libmnl-devel
+License: GPLv2
+URL: http://ipset.netfilter.org/
+Source0: http://ipset.netfilter.org/%{name}-%{version}.tar.bz2
+Source1: %{name}.service
+Source2: %{name}.start-stop
+Source3: %{name}-config
+Source4: %{name}.save-legacy
-# This is developped hand in hand with a kernel module
-Requires: kernel
-Requires: ipset-libs = %{version}-%{release}
+BuildRequires: libmnl-devel
+
+# An explicit requirement is needed here, to avoid cases where a user would
+# explicitly update only one of the two (e.g 'yum update ipset')
+Requires: %{name}-libs%{?_isa} = %{version}-%{release}
%description
-IP sets are a framework inside the Linux 2.4.x and 2.6.x kernel, which can be
-administered by the ipset utility. Depending on the type, currently an IP set
-may store IP addresses, (TCP/UDP) port numbers or IP addresses with MAC
+IP sets are a framework inside the Linux kernel since version 2.4.x, which can
+be administered by the ipset utility. Depending on the type, currently an IP
+set may store IP addresses, (TCP/UDP) port numbers or IP addresses with MAC
addresses in a way, which ensures lightning speed when matching an entry
against a set.
@@ -29,12 +36,14 @@ If you want to:
rule and benefit from the speed of IP sets
then ipset may be the proper tool for you.
+
%package libs
Summary: Shared library providing the IP sets functionality
%description libs
This package contains the libraries which provide the IP sets funcionality.
+
%package devel
Summary: Development files for %{name}
Requires: %{name}-libs%{?_isa} == %{version}-%{release}
@@ -45,16 +54,32 @@ This package contains the files required to develop software using the %{name}
libraries.
+%package service
+Summary: %{name} service for %{name}s
+Requires: %{name} = %{version}-%{release}
+BuildRequires: systemd
+Requires: iptables-services
+Requires(post): systemd
+Requires(preun): systemd
+Requires(postun): systemd
+BuildArch: noarch
+
+%description service
+This package provides the service %{name} that is split
+out of the base package since it is not active by default.
+
+
%prep
%setup -q
-# Just to make absolutely sure we are not building the bundled kernel module
-rm -fr kernel
-
%build
%configure --enable-static=no --with-kmod=no
+# Just to make absolutely sure we are not building the bundled kernel module
+# I have to do it after the configure run unfortunately
+rm -fr kernel
+
# Prevent libtool from defining rpath
sed -i 's|^hardcode_libdir_flag_spec=.*|hardcode_libdir_flag_spec=""|g' libtool
sed -i 's|^runpath_var=LD_RUN_PATH|runpath_var=DIE_RPATH_DIE|g' libtool
@@ -66,13 +91,52 @@ make %{?_smp_mflags}
make install DESTDIR=%{buildroot}
find %{buildroot} -name '*.la' -exec rm -f '{}' \;
+# install systemd unit file
+install -d -m 755 %{buildroot}/%{_unitdir}
+install -c -m 644 %{SOURCE1} %{buildroot}/%{_unitdir}
-%post libs -p /sbin/ldconfig
+# install supporting script
+install -d -m 755 %{buildroot}%{_libexecdir}/%{name}
+install -c -m 755 %{SOURCE2} %{buildroot}%{_libexecdir}/%{name}
+
+# install ipset-config
+install -d -m 755 %{buildroot}%{_sysconfdir}/sysconfig
+install -c -m 600 %{SOURCE3} %{buildroot}%{_sysconfdir}/sysconfig/%{name}-config
+# install legacy actions for service command
+install -d %{buildroot}/%{legacy_actions}/ipset
+install -c -m 755 %{SOURCE4} %{buildroot}/%{legacy_actions}/ipset/save
+
+# Create directory for configuration
+mkdir -p %{buildroot}%{_sysconfdir}/%{name}
+
+
+%preun
+if [[ $1 -eq 0 && -n $(lsmod | grep "^xt_set ") ]]; then
+ rmmod xt_set 2>/dev/null
+ [[ $? -ne 0 ]] && echo Current iptables configuration requires ipsets && exit 1
+fi
+
+
+%post libs -p /sbin/ldconfig
%postun libs -p /sbin/ldconfig
+%post service
+%systemd_post %{name}.service
+
+%preun service
+if [[ $1 -eq 0 && -n $(lsmod | grep "^xt_set ") ]]; then
+ rmmod xt_set 2>/dev/null
+ [[ $? -ne 0 ]] && echo Current iptables configuration requires ipsets && exit 1
+fi
+%systemd_preun %{name}.service
+
+%postun service
+%systemd_postun_with_restart %{name}.service
+
+
%files
%doc COPYING ChangeLog
%doc %{_mandir}/man8/%{name}.8.gz
@@ -85,9 +149,31 @@ find %{buildroot} -name '*.la' -exec rm -f '{}' \;
%files devel
%{_includedir}/lib%{name}
%{_libdir}/lib%{name}.so
+# not installed with 6.19
+#%{_libdir}/pkgconfig/lib%{name}.pc
+
+%files service
+%{_unitdir}/%{name}.service
+%dir %{_libexecdir}/%{name}
+%config(noreplace) %attr(0600,root,root) %{_sysconfdir}/sysconfig/ipset-config
+%ghost %config(noreplace) %attr(0600,root,root) %{_sysconfdir}/sysconfig/ipset
+%attr(0755,root,root) %{_libexecdir}/%{name}/%{name}.start-stop
+%dir %{legacy_actions}/ipset
+%{legacy_actions}/ipset/save
%changelog
+* Wed Aug 17 2016 Thomas Woerner <twoerner@redhat.com> - 6.19-6
+- Use /etc/sysconfig/ipset-config in service as EnvironmentFile (RHBZ#1136257)
+- Use /etc/sysconfig/ipset for data as in RHEL-6 (RHBZ#1136257)
+- No save on reload, but legacy save action (RHBZ#1136257)
+
+* Wed Jun 29 2016 Thomas Woerner <twoerner@redhat.com> - 6.19-5
+- New service sub package to provide the ipset service (RHBZ#1136257)
+ Service and start-stop script from F-24
+- Fixed ipset package summary (RHBZ#1195171)
+ Spec file derived from F-24
+
* Fri Jan 24 2014 Daniel Mach <dmach@redhat.com> - 6.19-4
- Mass rebuild 2014-01-24