#!/bin/sh
# This file is part of netfilter-persistent
# (was iptables-persistent)
# Copyright (C) 2009, Simon Richter <[email protected]>
# Copyright (C) 2010, 2014 Jonathan Wiltshire <[email protected]>
#
# This program is free software; you can redistribute it and/or
# modify it under the terms of the GNU General Public License
# as published by the Free Software Foundation, either version 3
# of the License, or (at your option) any later version.
# Exit status of the whole script; a step that fails sets it to 1 so the
# remaining steps still run and the failure is still reported at the end.
rc=0
# Abort on the first unexpected failure of a plain command.
set -e
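load_rules()
{
  # Load IPSet rules from /etc/iptables/rules.ipset.
  # Globals:  rc (set to 1 when the restore fails)
  # Outputs:  a warning on stdout when there is no rules file,
  #           a warning on stderr when the restore fails
  # Returns:  0; failures are reported through rc so later steps still run
  if [ ! -f /etc/iptables/rules.ipset ]; then
    echo "Warning: skipping IPSet (no rules to load)"
  else
    # Run the restore as the 'if' condition: under 'set -e' a bare failing
    # command aborts the script before $? can be examined, so the original
    # rc=1 branch could never be reached.  -! (--exist) tolerates sets that
    # are already defined.  ipset's own stderr is silenced as before, so say
    # explicitly that the load failed instead of failing silently.
    if ! ipset restore -! < /etc/iptables/rules.ipset 2> /dev/null; then
      echo "Warning: failed to load IPSet rules from /etc/iptables/rules.ipset" >&2
      rc=1
    fi
  fi
}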
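save_rules()
{
  # Save the current IPSet state to /etc/iptables/rules.ipset, leaving out
  # every set whose name contains "f2b" (case-insensitive), as before.
  # Globals:  rc (set to 1 when saving fails)
  # Returns:  0; failures are reported through rc so later steps still run
  rules=/etc/iptables/rules.ipset
  tmp="$rules.tmp"
  # need at least ip_set loaded:
  /sbin/modprobe -q ip_set
  if [ -x /sbin/ipset ]; then
    # Create both files with a restrictive mode before any content is
    # written, so set contents are never briefly readable by others.
    touch "$tmp" "$rules"
    chmod 0640 "$tmp" "$rules"
    # Capture the dump to a temporary file first.  In 'ipset save | grep'
    # the shell only sees grep's status, so a failing 'ipset save' was
    # masked, and grep's status 1 (no line survived the filter, e.g. no sets
    # defined) aborted the script under 'set -e' after the rules file had
    # already been truncated.
    if ipset save > "$tmp"; then
      # grep exits 1 when nothing is left, which is not an error here;
      # 2 and above are real errors.
      grep -iv "f2b" "$tmp" > "$rules" || [ $? -eq 1 ] || rc=1
    else
      rc=1
    fi
    rm -f "$tmp"
  fi
}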
flush_rules()
{
  # Flush all IPSet sets; does nothing when the ipset binary is absent.
  # Returns: 0 when ipset is absent, otherwise the status of 'ipset flush'
  [ -x /sbin/ipset ] || return 0
  ipset flush
}
# Print the usage line on stderr and exit with status 1.
usage()
{
  echo "Usage: $0 {start|restart|reload|force-reload|save|flush}" >&2
  exit 1
}

# Dispatch on the requested action; rc carries any failure to the exit.
action=$1
case "$action" in
  start|restart|reload|force-reload)
    load_rules
    ;;
  save)
    save_rules
    ;;
  stop)
    # Why? because if stop is used, the firewall gets flushed for a variable
    # amount of time during package upgrades, leaving the machine vulnerable
    # It's also not always desirable to flush during purge
    echo "Automatic flushing disabled, use \"flush\" instead of \"stop\""
    ;;
  flush)
    flush_rules
    ;;
  *)
    usage
    ;;
esac
exit "$rc"