diff --git a/SOURCES/ipset-config b/SOURCES/ipset-config new file mode 100644 index 0000000..decb760 --- /dev/null +++ b/SOURCES/ipset-config @@ -0,0 +1,5 @@ +# Save current ipsets on stop. +# Value: yes|no, default: no +# Saves all ipsets to /etc/ipset/ipset if service gets stopped +# (e.g. on system shutdown). +IPSET_SAVE_ON_STOP="no" diff --git a/SOURCES/ipset.save-legacy b/SOURCES/ipset.save-legacy new file mode 100644 index 0000000..39db1cf --- /dev/null +++ b/SOURCES/ipset.save-legacy @@ -0,0 +1,2 @@ +#!/bin/bash +exec /usr/libexec/ipset/ipset.start-stop save diff --git a/SOURCES/ipset.service b/SOURCES/ipset.service new file mode 100644 index 0000000..65c3121 --- /dev/null +++ b/SOURCES/ipset.service @@ -0,0 +1,19 @@ +[Unit] +Description=IP sets for iptables +Before=iptables.service +Before=ip6tables.service + +[Service] +Type=oneshot +RemainAfterExit=yes +ExecStart=/usr/libexec/ipset/ipset.start-stop start +ExecStop=/usr/libexec/ipset/ipset.start-stop stop +ExecReload=/usr/libexec/ipset/ipset.start-stop reload +# Save current ipset entries on stop. +# Value: yes|no, default: no +# Saves all ipsets to /etc/sysconfig/ipset if ipset gets stopped +Environment=IPSET_SAVE_ON_STOP=no +EnvironmentFile=-/etc/sysconfig/ipset-config + +[Install] +WantedBy=basic.target diff --git a/SOURCES/ipset.start-stop b/SOURCES/ipset.start-stop new file mode 100644 index 0000000..92e9157 --- /dev/null +++ b/SOURCES/ipset.start-stop @@ -0,0 +1,204 @@ +#!/bin/bash +# +# ipset Start and stop ipset firewall sets +# +# config: /etc/ipset/ipset +# + +IPSET=ipset +IPSET_BIN=/usr/sbin/${IPSET} +IPSET_DATA=/etc/sysconfig/${IPSET} +IPSET_CONFIG=/etc/sysconfig/ipset-config + +TMP_FIFO=/tmp/${IPSET}.$$ + +if [[ ! -x ${IPSET_BIN} ]]; then + echo "${IPSET_BIN} does not exist." + exit 5 +fi + +CLEAN_FILES=TMP_FIFO +trap "rm -f \$CLEAN_FILES" EXIT + +# Load ipset configuration +[[ -f "$IPSET_CONFIG" ]] && . "$IPSET_CONFIG" + +# Default ipset configuration: +[[ -z $IPSET_SAVE_ON_STOP ]] && IPSET_SAVE_ON_STOP=no + +check_can_unload() { + # If the xt_set module is loaded and can't be unloaded, then iptables is + # using ipsets, so refuse to stop the service. + if [[ -n $(lsmod | grep "^xt_set ") ]]; then + rmmod xt_set 2>/dev/null + [[ $? -ne 0 ]] && echo Current iptables configuration requires ipsets && return 1 + fi + + return 0 +} + +flush_n_delete() { + local ret=0 set + + # Flush sets + ${IPSET_BIN} flush + let ret+=$? + + # Delete ipset sets. If we don't do them individually, then none + # will be deleted unless they all can be. + for set in $(${IPSET_BIN} list -name); do + ${IPSET_BIN} destroy 2>/dev/null + [[ $? -ne 0 ]] && ret=1 + done + + return $ret +} + +start_clean() +{ + mkfifo -m go= "${TMP_FIFO}" + [[ $? -ne 0 ]] && return 1 + + # Get the lists of sets in current(old) config and new config + old_sets="$(${IPSET_BIN} list -name | sort -u)" + new_sets="$(grep ^create "${IPSET_DATA}" | cut -d " " -f 2 | sort -u)" + + # List of sets no longer wanted + drop_sets="$( printf "%s\n" "${old_sets}" > "${TMP_FIFO}" & + printf "%s\n" "${new_sets}" | comm -23 "${TMP_FIFO}" - + )" + + # Get rid of sets no longer needed + # Unfortunately -! doesn't work for destroy, so we have to do it a command at a time + for dset in $drop_sets; do + ipset destroy $dset 2>/dev/null + # If it won't go - ? in use by iptables, just clear it + [[ $? -ne 0 ]] && ipset flush $dset + done + + # Now delete the set members no longer required + ${IPSET_BIN} save | grep "^add " | sort >${TMP_FIFO} & + grep "^add " ${IPSET_DATA} | sort | comm -23 ${TMP_FIFO} - | sed -e "s/^add /del /" \ + | ${IPSET_BIN} restore -! + + # At last we can add the set members we haven't got + ipset restore -! <${IPSET_DATA} + + rm ${TMP_FIFO} + + return 0 +} + +start() { + # Do not start if there is no config file. + [[ ! -f "$IPSET_DATA" ]] && echo "Loaded with no configuration" && return 0 + + # We can skip the first bit and do a simple load if + # there is no current ipset configuration + res=1 + if [[ -n $(${IPSET_BIN} list -name) ]]; then + # The following may fail for some bizarre reason + start_clean + res=$? + + [[ $res -ne 0 ]] && echo "Some old configuration may remain" + fi + + # res -ne 0 => either start_clean failed, or we didn't need to run it + if [[ $res -ne 0 ]]; then + # This is the easy way to start but would leave any old + # entries still configured. Still, better than nothing - + # but fine if we had no config + ${IPSET_BIN} restore -! <${IPSET_DATA} + res=$? + fi + + if [[ $res -ne 0 ]]; then + return 1 + fi + + return 0 +} + +stop() { + # Nothing to stop if ip_set module is not loaded. + lsmod | grep -q "^ip_set " + [[ $? -ne 0 ]] && return 6 + + flush_n_delete + [[ $? -ne 0 ]] && echo Warning: Not all sets were flushed/deleted + + return 0 +} + +save() { + # Do not save if ip_set module is not loaded. + lsmod | grep -q "^ip_set " + [[ $? -ne 0 ]] && return 6 + + [[ -z $(${IPSET_BIN} list -name) ]] && return 0 + + ret=0 + TMP_FILE=$(/bin/mktemp -q /tmp/$IPSET.XXXXXX) \ + && CLEAN_FILES+=" $TMP_FILE" \ + && chmod 600 "$TMP_FILE" \ + && ${IPSET_BIN} save > $TMP_FILE 2>/dev/null \ + && [[ -s $TMP_FILE ]] \ + || ret=1 + + if [[ $ret -eq 0 ]]; then + # No need to do anything if the files are the same + if [[ ! -f $IPSET_DATA ]]; then + mv $TMP_FILE $IPSET_DATA && chmod 600 $IPSET_DATA || ret=1 + else + diff -q $TMP_FILE $IPSET_DATA >/dev/null + + if [[ $? -ne 0 ]]; then + if [[ -f $IPSET_DATA ]]; then + cp -f --preserve=timestamps $IPSET_DATA $IPSET_DATA.save \ + && chmod 600 $IPSET_DATA.save \ + || ret=1 + fi + if [[ $ret -eq 0 ]]; then + cp -f --preserve=timestamps $TMP_FILE $IPSET_DATA \ + && chmod 600 $IPSET_DATA \ + || ret=1 + fi + fi + fi + fi + + rm -f $TMP_FILE + return $ret +} + + +case "$1" in + start) + start + RETVAL=$? + ;; + stop) + check_can_unload || exit 1 + [[ $IPSET_SAVE_ON_STOP = yes ]] && save + stop + RETVAL=$? + [[ $RETVAL -eq 6 ]] && echo "${IPSET}: not running" && exit 0 + ;; + reload) + stop + RETVAL=$? + [[ $RETVAL -eq 6 ]] && echo "${IPSET}: not running" && exit 0 + start + RETVAL=$? + ;; + save) + save + RETVAL=$? + ;; + *) + echo "Usage: $IPSET {start|stop|reload}" >&2 + exit 1 +esac + +exit $RETVAL diff --git a/SPECS/ipset.spec b/SPECS/ipset.spec index 99f8cf7..e5b5ab3 100644 --- a/SPECS/ipset.spec +++ b/SPECS/ipset.spec @@ -1,22 +1,29 @@ -Name: ipset -Version: 6.19 -Release: 4%{?dist} -Summary: Manage Linux IP sets +# service legacy actions +%define legacy_actions %{_libexecdir}/initscripts/legacy-actions -License: GPLv2 -URL: http://ipset.netfilter.org/ -Source0: http://ipset.netfilter.org/%{name}-%{version}.tar.bz2 +Name: ipset +Version: 6.19 +Release: 6%{?dist} +Summary: Manage Linux IP sets -BuildRequires: libmnl-devel +License: GPLv2 +URL: http://ipset.netfilter.org/ +Source0: http://ipset.netfilter.org/%{name}-%{version}.tar.bz2 +Source1: %{name}.service +Source2: %{name}.start-stop +Source3: %{name}-config +Source4: %{name}.save-legacy -# This is developped hand in hand with a kernel module -Requires: kernel -Requires: ipset-libs = %{version}-%{release} +BuildRequires: libmnl-devel + +# An explicit requirement is needed here, to avoid cases where a user would +# explicitly update only one of the two (e.g 'yum update ipset') +Requires: %{name}-libs%{?_isa} = %{version}-%{release} %description -IP sets are a framework inside the Linux 2.4.x and 2.6.x kernel, which can be -administered by the ipset utility. Depending on the type, currently an IP set -may store IP addresses, (TCP/UDP) port numbers or IP addresses with MAC +IP sets are a framework inside the Linux kernel since version 2.4.x, which can +be administered by the ipset utility. Depending on the type, currently an IP +set may store IP addresses, (TCP/UDP) port numbers or IP addresses with MAC addresses in a way, which ensures lightning speed when matching an entry against a set. @@ -29,12 +36,14 @@ If you want to: rule and benefit from the speed of IP sets then ipset may be the proper tool for you. + %package libs Summary: Shared library providing the IP sets functionality %description libs This package contains the libraries which provide the IP sets funcionality. + %package devel Summary: Development files for %{name} Requires: %{name}-libs%{?_isa} == %{version}-%{release} @@ -45,16 +54,32 @@ This package contains the files required to develop software using the %{name} libraries. +%package service +Summary: %{name} service for %{name}s +Requires: %{name} = %{version}-%{release} +BuildRequires: systemd +Requires: iptables-services +Requires(post): systemd +Requires(preun): systemd +Requires(postun): systemd +BuildArch: noarch + +%description service +This package provides the service %{name} that is split +out of the base package since it is not active by default. + + %prep %setup -q -# Just to make absolutely sure we are not building the bundled kernel module -rm -fr kernel - %build %configure --enable-static=no --with-kmod=no +# Just to make absolutely sure we are not building the bundled kernel module +# I have to do it after the configure run unfortunately +rm -fr kernel + # Prevent libtool from defining rpath sed -i 's|^hardcode_libdir_flag_spec=.*|hardcode_libdir_flag_spec=""|g' libtool sed -i 's|^runpath_var=LD_RUN_PATH|runpath_var=DIE_RPATH_DIE|g' libtool @@ -66,13 +91,52 @@ make %{?_smp_mflags} make install DESTDIR=%{buildroot} find %{buildroot} -name '*.la' -exec rm -f '{}' \; +# install systemd unit file +install -d -m 755 %{buildroot}/%{_unitdir} +install -c -m 644 %{SOURCE1} %{buildroot}/%{_unitdir} -%post libs -p /sbin/ldconfig +# install supporting script +install -d -m 755 %{buildroot}%{_libexecdir}/%{name} +install -c -m 755 %{SOURCE2} %{buildroot}%{_libexecdir}/%{name} + +# install ipset-config +install -d -m 755 %{buildroot}%{_sysconfdir}/sysconfig +install -c -m 600 %{SOURCE3} %{buildroot}%{_sysconfdir}/sysconfig/%{name}-config +# install legacy actions for service command +install -d %{buildroot}/%{legacy_actions}/ipset +install -c -m 755 %{SOURCE4} %{buildroot}/%{legacy_actions}/ipset/save + +# Create directory for configuration +mkdir -p %{buildroot}%{_sysconfdir}/%{name} + + +%preun +if [[ $1 -eq 0 && -n $(lsmod | grep "^xt_set ") ]]; then + rmmod xt_set 2>/dev/null + [[ $? -ne 0 ]] && echo Current iptables configuration requires ipsets && exit 1 +fi + + +%post libs -p /sbin/ldconfig %postun libs -p /sbin/ldconfig +%post service +%systemd_post %{name}.service + +%preun service +if [[ $1 -eq 0 && -n $(lsmod | grep "^xt_set ") ]]; then + rmmod xt_set 2>/dev/null + [[ $? -ne 0 ]] && echo Current iptables configuration requires ipsets && exit 1 +fi +%systemd_preun %{name}.service + +%postun service +%systemd_postun_with_restart %{name}.service + + %files %doc COPYING ChangeLog %doc %{_mandir}/man8/%{name}.8.gz @@ -85,9 +149,31 @@ find %{buildroot} -name '*.la' -exec rm -f '{}' \; %files devel %{_includedir}/lib%{name} %{_libdir}/lib%{name}.so +# not installed with 6.19 +#%{_libdir}/pkgconfig/lib%{name}.pc + +%files service +%{_unitdir}/%{name}.service +%dir %{_libexecdir}/%{name} +%config(noreplace) %attr(0600,root,root) %{_sysconfdir}/sysconfig/ipset-config +%ghost %config(noreplace) %attr(0600,root,root) %{_sysconfdir}/sysconfig/ipset +%attr(0755,root,root) %{_libexecdir}/%{name}/%{name}.start-stop +%dir %{legacy_actions}/ipset +%{legacy_actions}/ipset/save %changelog +* Wed Aug 17 2016 Thomas Woerner - 6.19-6 +- Use /etc/sysconfig/ipset-config in service as EnvironmentFile (RHBZ#1136257) +- Use /etc/sysconfig/ipset for data as in RHEL-6 (RHBZ#1136257) +- No save on reload, but legacy save action (RHBZ#1136257) + +* Wed Jun 29 2016 Thomas Woerner - 6.19-5 +- New service sub package to provide the ipset service (RHBZ#1136257) + Service and start-stop script from F-24 +- Fixed ipset package summary (RHBZ#1195171) + Spec file derived from F-24 + * Fri Jan 24 2014 Daniel Mach - 6.19-4 - Mass rebuild 2014-01-24