authorGaurav Sinha <gaurav.sinha@vyatta.com>2012-11-20 10:26:46 -0800
committerGaurav Sinha <gaurav.sinha@vyatta.com>2012-11-20 10:26:46 -0800
commit1ea6a1694f12b234f4fa02f0e278e81ac0e64ac6 (patch)
tree982ddf3238f8a050f2949f6d188457910cd37d8c
parent207ee5b937bcb4cb5bcb4c6829bfad5d1d14fe77 (diff)
parent9bdf8747b55b934e22133a10c3fddf1bc0a5ad1a (diff)
downloadvyatta-cfg-firewall-1ea6a1694f12b234f4fa02f0e278e81ac0e64ac6.tar.gz
vyatta-cfg-firewall-1ea6a1694f12b234f4fa02f0e278e81ac0e64ac6.zip
Merge branch 'pacifica' of git.vyatta.com:/git/vyatta-cfg-firewall into pacifica
-rw-r--r--debian/changelog6
-rwxr-xr-xscripts/firewall/vyatta-ipset.pl24
2 files changed, 30 insertions, 0 deletions
diff --git a/debian/changelog b/debian/changelog
index 4ce3a26..00125d2 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,9 @@
+vyatta-cfg-firewall (0.13.90+pacifica5) unstable; urgency=low
+
+ * Bugfix 7613: cleanup firewall groups correctly
+
+ -- John Southworth <john.southworth@vyatta.com> Mon, 19 Nov 2012 13:14:59 -0800
+
vyatta-cfg-firewall (0.13.90+pacifica4) unstable; urgency=low
[ root ]
diff --git a/scripts/firewall/vyatta-ipset.pl b/scripts/firewall/vyatta-ipset.pl
index ddac0b9..0627381 100755
--- a/scripts/firewall/vyatta-ipset.pl
+++ b/scripts/firewall/vyatta-ipset.pl
@@ -37,6 +37,16 @@ use IO::Prompt;
use warnings;
use strict;
+sub get_sys_sets {
+ my @sets = ();
+ my @lines = `ipset -L`;
+ foreach my $line (@lines) {
+ if ($line =~ /^Name:\s+(\w+)$/) {
+ push @sets, $1;
+ }
+ }
+ return @sets;
+}
sub warn_before_reset {
if (prompt("This can be temporarily disruptive: Proceed with reset? (Yes/No) [No] ", -ynd=>"n")) {
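Review bot: The pattern `/^Name:\s+(\w+)$/` in get_sys_sets captures only names made of word characters, so a set whose name contains a hyphen or a dot would be silently skipped and never reach the cleanup pass; if group names can contain such characters, `/^Name:\s+(\S+)$/` is the safer match. The backtick call also ignores the exit status, so a failed `ipset -L` is indistinguishable from "no sets exist"; checking `$?` right after the call and warning on a non-zero value would make that failure visible. Since this script presumably runs with root privileges, invoking ipset by absolute path rather than resolving it through PATH is worth considering too.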
@@ -310,6 +320,20 @@ sub prune_deleted_sets {
return $rc if (($rc = ipset_delete($g)));
}
}
+
+ # fixup system sets
+ my @sys_sets = get_sys_sets();
+ foreach my $set (@sys_sets) {
+ my $group = new Vyatta::IpTables::IpSet($set);
+ # only try groups with no references
+ if ($group->exists() && ($group->references() == 0)) {
+ my $type = $group->get_type();
+ $cfg->setLevel("firewall group $type-group");
+ next if ($cfg->isEffective($set)); # don't prune if still in config
+ my $rc;
+ return $rc if (($rc = ipset_delete($set)));
+ }
+ }
exit 0;
}
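Review bot: The new loop in prune_deleted_sets treats every set reported by `ipset -L` as a cleanup candidate, so any set with zero references and no matching `firewall group` node is deleted, including one created outside the Vyatta configuration by another tool or by an administrator who has not yet attached a rule to it. Nothing visible in the hunk restricts the pass to sets this package created; either a guard or a comment such as `# assumes every ipset on the box is owned by the firewall group config` should state that. The result of `get_type()` is also interpolated into `setLevel` unchecked; if it can come back undefined for a set type that has no group equivalent, `next unless defined $type;` before the `setLevel` call would avoid querying a malformed path. The function begins outside the hunk, so the earlier use of `$rc` and `$cfg` could not be checked here.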