author | Gaurav Sinha <gaurav.sinha@vyatta.com> | 2012-11-19 10:23:21 -0800 |
---|---|---|
committer | Gaurav Sinha <gaurav.sinha@vyatta.com> | 2012-11-19 12:31:49 -0800 |
commit | 5bfb8101f94bac5280e27169617cad54f16b279d (patch) | |
tree | 02a502ad91fbb020d1054495480ee1ebc10da599 | |
parent | 51a7cc7cb639adc2cdf8c3a4028a20f75d8d5eeb (diff) | |
reset functions for named ipset rule implementation with commit lock
(cherry picked from commit 6b7808bf6c8dd9d1d9e993969358db2be135beff)
Conflicts:
scripts/firewall/vyatta-ipset.pl
(cherry picked from commit 977f7ad60c252ed3c23176d5e764cd9231784fc7)
-rwxr-xr-x | lib/Vyatta/IpTables/IpSet.pm | 48 | ||||
-rwxr-xr-x | scripts/firewall/vyatta-ipset.pl | 1 |
2 files changed, 42 insertions, 7 deletions
diff --git a/lib/Vyatta/IpTables/IpSet.pm b/lib/Vyatta/IpTables/IpSet.pm
index aa06540..089a3b8 100755
--- a/lib/Vyatta/IpTables/IpSet.pm
+++ b/lib/Vyatta/IpTables/IpSet.pm
@@ -53,6 +53,7 @@ my $logger = 'logger -t IpSet.pm -p local0.warn --';
 # due to the long time it takes to make that many calls
 # to add each individual member to the set.
 my $addr_range_mask = 24;
+my $lockfile = "/opt/vyatta/config/.lock";
 sub new {
 my ($that, $name, $type) = @_;
@@ -82,7 +83,7 @@ sub debug {
 sub run_cmd {
 my ($self, $cmd) = @_;
- my $rc = system("$cmd");
+ my $rc = system("sudo $cmd");
 if (defined $self->{_debug}) {
 my $func = (caller(1))[3];
 system("$logger [$func] [$cmd] = [$rc]");
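Review bot: `system("sudo $cmd")` in run_cmd keeps the single-string form of system(), so the whole command string is still handed to a shell, and after this change that shell now runs with root privileges; any shell metacharacter in a value a caller interpolated into $cmd (set names and member values, to judge from rebuild_ipset in the next hunk) is expanded as root rather than as the calling user. The callers that build $cmd are outside this hunk, so whether those values are validated before they get here cannot be seen from the diff. A safer shape is to make run_cmd take a list and use the list form, `my ($self, @cmd) = @_;` and `my $rc = system('sudo', @cmd);`, which bypasses the shell entirely; the debug line `system("$logger [$func] [$cmd] = [$rc]")` has the same interpolation and should be converted the same way. run_cmd's body continues past the end of the hunk, and its return value ($rc is the raw system() status, not an exit code) is not checked by the new callers in the reset functions.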
@@ -211,20 +212,53 @@ sub flush {
 return;
 }
+sub rebuild_ipset() {
+ my ($self) = @_;
+ print "rebuilding ipset\n";
+ my $name = $self->{_name};
+ my $type = $self->{_type};
+ my $config = new Vyatta::Config;
+
+ my @members = $config->returnOrigValues("firewall group $type-group $name $type");
+ print "firewall group $type-group $name @members\n";
+ # go through the firewall group config with this name,
+ my $member;
+ foreach $member (@members) {
+ $self->add_member($member, $name);
+ }
+}
+
+sub reset_ipset_named {
+ my ($self) = @_;
+ my $name = $self->{_name};
+ print "reset ipset group $name\n";
+ # flush the ipset group first, then re-build the group from configuration
+ $self->flush();
+
+ $self->rebuild_ipset();
+}
+
+sub reset_ipset_all {
+ print "reset all ipset rules\n";
+}
+
 sub reset_ipset {
 # main function to do the reset operation
-
 my ($self) = @_;
 my $name = $self->{_name};
- print " ipset type $self->{__type}\n";
+ print "type reset_ipset: $self->{_type}\n";
+
+ my $lockcmd = "touch $lockfile";
+ my $unlockcmd = "rm -f $lockfile";
+ $self->run_cmd($lockcmd);
+
 # reset one rule or all?
 if ($name eq 'all') {
- print "reset all ipset rules\n";
- #reset_ipset_all();
+ $self->reset_ipset_all();
 } else {
- print "reset ipset rule $name\n";
- #reset_ipset_named();
+ $self->reset_ipset_named();
 }
+ $self->run_cmd($unlockcmd);
 }
 sub delete {
diff --git a/scripts/firewall/vyatta-ipset.pl b/scripts/firewall/vyatta-ipset.pl
index 99ae085..986ad13 100755
--- a/scripts/firewall/vyatta-ipset.pl
+++ b/scripts/firewall/vyatta-ipset.pl
@@ -317,6 +317,7 @@ GetOptions("action=s" => \$action,
 die "undefined action" if ! defined $action;
 my $rc;
+print "type is $set_type\n";
 $rc = ipset_reset($set_name, $set_type) if $action eq 'reset-set';
 $rc = ipset_create($set_name, $set_type) if $action eq 'create-set';
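Review bot: The commit lock in reset_ipset does not actually exclude anything: `touch $lockfile` succeeds whether or not the lock already exists, so a reset started while a commit holds /opt/vyatta/config/.lock proceeds anyway and then `rm -f $lockfile` removes the other process's lock, and if flush() or rebuild_ipset() dies the file is never removed at all. The function should refuse to start when the lock is present and release it on every exit path; the rewrite below does that with an `-e` check and an eval around the reset body (assuming the lock directory is readable by the caller — confirm, since the touch itself goes through sudo). Two smaller points in the same hunk: `sub rebuild_ipset()` carries an empty prototype, which should be dropped since it is called as a method and prototypes do nothing useful here, and `new Vyatta::Config` is indirect-object syntax that should be `Vyatta::Config->new`. reset_ipset_all only prints and so the 'all' path takes the lock to do nothing; if it is a stub, a `# TODO:` comment saying so would help the next reader.
```perl
sub reset_ipset {
  # main function to do the reset operation
  my ($self) = @_;
  my $name = $self->{_name};
  # refuse to run while a commit (or another reset) holds the lock
  die "commit lock $lockfile already held\n" if -e $lockfile;
  $self->run_cmd("touch $lockfile");
  # reset one rule or all?  release the lock even if either path dies
  my $err;
  eval {
    if ($name eq 'all') {
      $self->reset_ipset_all();
    } else {
      $self->reset_ipset_named();
    }
    1;
  } or $err = $@ || 'unknown error';
  $self->run_cmd("rm -f $lockfile");
  die $err if $err;
}
```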
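Review bot: `print "type is $set_type\n";` in vyatta-ipset.pl is an unconditional diagnostic that now runs on every invocation of the script for every action, not only 'reset-set', so it will appear in normal command output. The GetOptions call that sets $set_type starts above the hunk, so whether $set_type is always supplied cannot be seen here; if it is optional for some actions this line also emits an uninitialized-value warning. Either drop the line or gate it, e.g. `print "type is $set_type\n" if $debug;` using whatever debug flag the script already has.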