LOAD IPSET AT STARTUP PATCH

The ipsets program is IMHO broken as it does not provide a real restore command as iptables-restore does. "ipsets restore" is merely an additive merge in most cases. It just executes each line of the fed-in file, but it doesn't remove any old sets (which is admittedly not possible when they're still in use). And it doesn't handle at all that sets which are in use cannot be ...

I had a longer discussion with upstream but apparently he shows no insight that his current restore operation is useless.

Now making a real restore is tricky to impossible. Even though it seems to do just what is wanted. ... is a considerable amount of time where no entries are in place.

Attached is an init script, which does some smarter restore. ... and it adds all sets which already exist with a _tmp_ prefix and then swaps the contents (which is atomic) and then it tries to flush/destroy the now old _tmp_ sets (which should in principle work, when these are still in use by iptables rules). It then tries to flush/destroy completely gone sets.

The init script MUST be loaded before the existing iptables init script. RedHat's mixed use of LSB and chkconf headers is quite crazy, and you don't provide X-Start/Stop-Before/After headers as Debian does.

Patch to create systemd ipset service to load, save and unload ipset sets.

Currently loading of iptables at startup is failing when iptables uses ipsets, since they are not being loaded. This is causing a security problem at system startup.

The attached patch provides all the files necessary to add an ipset systemd service which will start up before iptables (and stop afterwards). The structure is closely based on the iptables systemd files, since ipset is inextricably linked to iptables.

The ipset.init script is based on the iptables.init script, but uses the functionality in the earlier attachments to this bug, mainly Christoph Anton Mitterer's, with some modifications, which I believe resolve all the issues that have been raised in earlier comments.

When loading, if no ipset sets are configured, it does a simple restore. If sets are already installed, it destroys any sets not required by the config being loaded (and flushes them if they can't be destroyed), removes any entries which don't exist in the new config, and finally loads the saved config using ipset restore -!, to bring in any sets and entries in sets not already loaded.

The patch provides a /etc/sysconfig/ipset-config file, similar to iptables. It has one slightly unusual feature whereby the ip(6)tables entries IP(6)TABLES_SAVE_ON_STOP/RESTART, if set to "yes", override the IPSET_SAVE_ON_STOP/RESTART configuration, since ipset configuration must be updated if iptables configuration is updated.

Even if this patch isn't perfect, it would be really helpful if it could be implemented since it allows iptables to be used with ipsets and set up at boot time, and is better than what we have now.

The default configuration is for the systemd service to be disabled so it will not alter existing functionality unless explicitly enabled.

(In reply to Thomas Woerner from comment #26)
> The script appeared to have a security flaw in it by using $$ in temporary filenames located in /tmp, always use mktemp instead.

Here it is now using mktemp correctly and adding the filename to CLEAN_FILES, which will now contain:

    TMP_FIFO="$(mktemp /tmp/$
    save > $TMP_FILE 2>/dev/null \

"TMP_FIFO /tmp/ipset.XXXXXX" where XXXXXX is random, however there is no file named TMP_FIFO, and the variable TMP_FIFO was just set, incorrectly used once then not actually used anywhere.

As far as I can tell just remove everything having to do with TMP_FIFO completely as it doesn't seem to serve any purpose except demonstrating bad temporary file naming (but not using it).
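The temporary-file handling discussed in the reply to comment #26 (mktemp instead of $$, and recording the path in CLEAN_FILES so it is removed again), written out as an added example that is not the patch attached to this bug. The function names, the /tmp/ipset.XXXXXX template and the constructed stand-in for the ipset save output are assumptions for illustration.

```shell
#!/bin/sh
# Added example, not the bug's patch: temp-file handling with mktemp and a
# CLEAN_FILES list, as described in the reply to comment #26. Names here
# (new_tmp_file, cleanup_tmpfiles, the template) are assumptions.

CLEAN_FILES=""

# Flawed form the thread objects to: /tmp/ipset.$$ is predictable, so
# another local user can pre-create that path before the script writes to
# it. Kept only for contrast; it is never used for I/O in this script.
unsafe_tmpname() {
    printf '%s/ipset.%s\n' "${TMPDIR:-/tmp}" "$$"
}

# Correct form: mktemp creates the file itself with a random suffix and
# mode 0600, so there is no gap between choosing the name and owning the
# file. The path is stored in the global TMP_FILE (a $(...) subshell would
# lose the CLEAN_FILES update) and registered for cleanup.
new_tmp_file() {
    TMP_FILE="$(mktemp "${TMPDIR:-/tmp}/ipset.XXXXXX")" || return 1
    CLEAN_FILES="$CLEAN_FILES $TMP_FILE"
}

# Remove every file registered in CLEAN_FILES and empty the list.
cleanup_tmpfiles() {
    for _f in $CLEAN_FILES; do
        rm -f "$_f"
    done
    CLEAN_FILES=""
}
trap cleanup_tmpfiles EXIT

# True when CLEAN_FILES lists the given path.
is_registered() {
    case " $CLEAN_FILES " in
        *" $1 "*) return 0 ;;
        *) return 1 ;;
    esac
}

# True when the path is a regular file with mode 0600 (what mktemp creates).
is_private_file() {
    [ -f "$1" ] && [ "$(ls -ld "$1" | cut -c1-10)" = "-rw-------" ]
}

# Stand-in for 'ipset save > $TMP_FILE': run the given command and write
# its output into the registered temp file.
save_into_tmp() {
    "$@" > "$TMP_FILE" 2>/dev/null
}

# Constructed sample in ipset save format, used because ipset itself is
# not available (and needs root) where this example runs.
sample_save() {
    printf 'create blocklist hash:ip family inet\nadd blocklist 192.0.2.1\n'
}

# Demonstration when the script is run directly.
if new_tmp_file; then
    save_into_tmp sample_save
    echo "saved $(wc -l < "$TMP_FILE") lines into $TMP_FILE (removed on exit)"
    echo "predictable name the thread warns against: $(unsafe_tmpname)"
fi
```

The EXIT trap is what makes CLEAN_FILES useful: whichever way the script stops, every path that was added to the list is removed, and because new_tmp_file sets TMP_FILE in the current shell rather than printing it from a subshell, the list update is actually visible to the caller.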