[2/4] rules.pl: Adjust code to use sets generated by libloc 0.9.11

Message ID 20220309141232.2401848-2-stefan.schantl@ipfire.org
State Accepted
Commit 870c223e0f1ef7542ea01f2bb936dddb70b6cd36
Series [1/4] libloc: Update to 0.9.11 |

Commit Message

Stefan Schantl March 9, 2022, 2:12 p.m. UTC
  Signed-off-by: Stefan Schantl <stefan.schantl@ipfire.org>
---
 config/firewall/rules.pl | 44 +++++++++++++++++++++++++++++++---------
 1 file changed, 34 insertions(+), 10 deletions(-)
  

Patch

diff --git a/config/firewall/rules.pl b/config/firewall/rules.pl
index b8c602538..83216e78a 100644
--- a/config/firewall/rules.pl
+++ b/config/firewall/rules.pl
@@ -957,20 +957,44 @@  sub ipset_restore ($) {
 
 	# Check if the given set name is a country code.
 	if($set ~~ @locations) {
-		# Libloc adds "ipset4" as prefix to all exported IPv4 data.
-		my $file_prefix = "ipset4";
+		# Libloc adds the IP type (v4 or v6) as part of the set and file name.
+		my $loc_set = "$set" . "v4";
 
-		# Generate full path and filename for the ipset db file to restore.
-		$db_file = "$Location::Functions::ipset_db_directory/$set.$file_prefix";
+		# The bare filename equals the set name.
+		my $filename = $loc_set;
+
+		# Libloc uses "ipset" as file extension.
+		my $file_extension = "ipset";
+
+		# Generate full path and filename for the ipset db file.
+		my $db_file = "$Location::Functions::ipset_db_directory/$filename.$file_extension";
+
+		# Call function to restore/load the set.
+		&ipset_call_restore($db_file);
+
+		# Check if the set is already loaded (has been used before).
+		if ($set ~~ @ipset_used_sets) {
+			# The sets contains the IP type (v4 or v6) as part of the name.
+			# The firewall rules matches against sets without that extension. So we safely
+			# can swap or rename the sets to use the new ones.
+			run("$IPSET swap $loc_set $set");
+		} else {
+			# If the set is not loaded, we have to rename it to proper use it.
+			run("$IPSET rename $loc_set $set");
+		}
 	}
 
-	# Check if the generated file exists.
-	if (-f $db_file) {
-		# Run ipset and restore the given set.
-		run("$IPSET restore < $db_file");
+	# Store the restored set to the hash to prevent from loading it again.
+	$ipset_loaded_sets{$set} = "1";
+}
 
-		# Store the restored set to the hash to prevent from loading it again.
-		$ipset_loaded_sets{$set} = "1";
+sub ipset_call_restore ($) {
+	my ($file) = @_;
+
+	# Check if the requested file exists.
+	if (-f $file) {
+		# Run ipset and restore the given set.
+		run("$IPSET restore -f $file");
 	}
 }
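Review bot: The unconditional `$ipset_loaded_sets{$set} = "1";` at the end of the first part of the hunk now records the set as loaded even when `ipset_call_restore` silently did nothing because the db file is absent, and the preceding `swap`/`rename` on `$loc_set` is then run against a set that was never created; the removed lines only recorded the set after the `-f` check had passed. Let the helper report its outcome, `return 0 unless (-f $file);` before the `run(...)` and `return 1;` after it, and guard the caller with `return unless (&ipset_call_restore($db_file));` so a missing file leaves the set unregistered as before. The outer `$db_file` the removed lines relied on, if it is still declared above the hunk, is now shadowed by the new `my $db_file` and left unused. The new `$set ~~ @ipset_used_sets` test repeats the experimental smartmatch the function already uses; `List::Util::any` would express the same membership check without it. The body of `ipset_restore` starts above the hunk, so whatever non-country path reaches the final assignment cannot be checked here.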