Commit 0ae7ea31 authored by Kaarle Ritvanen's avatar Kaarle Ritvanen

generate separate file for each ipset

do not overwrite existing ipset files
parent fef090cc
...@@ -89,9 +89,7 @@ opts, opind = alt_getopt.get_opts(arg, short_opts, long_opts) ...@@ -89,9 +89,7 @@ opts, opind = alt_getopt.get_opts(arg, short_opts, long_opts)
for switch, value in pairs(opts) do for switch, value in pairs(opts) do
if switch == 'f' then force = true if switch == 'f' then force = true
elseif switch == 'V' then verify = true elseif switch == 'V' then verify = true
elseif switch == 'o' then elseif switch == 'o' then outputdir = value
iptdir = value
ipsfile = value..'/ipset'
else table.insert(params[switch], value) end else table.insert(params[switch], value) end
end end
...@@ -192,7 +190,7 @@ if mode == 'dump' then ...@@ -192,7 +190,7 @@ if mode == 'dump' then
elseif mode == 'translate' then elseif mode == 'translate' then
if verify then config:test() end if verify then config:test() end
config:dump(iptdir, ipsfile) config:dump(outputdir)
elseif mode == 'activate' then elseif mode == 'activate' then
...@@ -138,9 +138,9 @@ function Config:print() ...@@ -138,9 +138,9 @@ function Config:print()
self.iptables:print() self.iptables:print()
end end
function Config:dump(iptdir, ipsfile) function Config:dump(dir)
self.ipset:dump(ipsfile or '/etc/ipset.d/awall') self.ipset:dump(dir or '/etc/ipset.d')
self.iptables:dump(iptdir or '/etc/iptables') self.iptables:dump(dir or '/etc/iptables')
end end
function Config:test() function Config:test()
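Review bot: Config:dump now routes both dumps into the same directory whenever `dir` is given, while the defaults keep them apart (`/etc/ipset.d` vs `/etc/iptables`); the two code paths therefore produce different layouts. Because IPSet:dump names each file after its ipset and skips any file that already exists, an ipset whose name coincides with a file the iptables dump writes into the same `dir` would be silently skipped or clobbered depending on which dump runs first (the iptables file names are not visible here, so this is inferred). At minimum document the contract on the function, e.g. `-- dir: single output directory for both ipset and iptables files; when nil, each uses its own default` or keep a per-type subdirectory under `dir`.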
...@@ -8,42 +8,50 @@ Licensed under the terms of GPL2 ...@@ -8,42 +8,50 @@ Licensed under the terms of GPL2
module(..., package.seeall) module(..., package.seeall)
require 'awall.object' require 'awall.object'
require 'awall.util'
IPSet = awall.object.class(awall.object.Object) IPSet = awall.object.class(awall.object.Object)
function IPSet:init(config) self.config = config end function IPSet:init(config) self.config = config or {} end
function IPSet:commands() function IPSet:options(name)
local res = {'# ipset file generated by awall\n'} local ipset = self.config[name]
if self.config then if not ipset.type then ipset:error('Type not defined') end
for name, ipset in pairs(self.config) do if not ipset.family then ipset:error('Family not defined') end
if not ipset.type then ipset:error('Type not defined') end return {ipset.type, 'family', ipset.family}
if not ipset.family then ipset:error('Family not defined') end end
table.insert(res,
'create '..name..' '..ipset.type..' family '..ipset.family..'\n') function IPSet:dumpfile(name, ipsfile)
end ipsfile:write('# ipset '..name..'\n')
end ipsfile:write(awall.util.join(self:options(name), ' '))
return res ipsfile:write('\n')
end end
function IPSet:create() function IPSet:create()
for i, line in ipairs(self:commands()) do for name, ipset in pairs(self.config) do
local pid, stdin = lpc.run('ipset', '-!', 'restore') local pid = lpc.run('ipset', '-!', 'create', name,
stdin:write(line) unpack(self:options(name)))
stdin:close()
if lpc.wait(pid) ~= 0 then if lpc.wait(pid) ~= 0 then
io.stderr:write('ipset command failed: '..line) io.stderr:write('ipset creation failed: '..name)
end end
end end
end end
function IPSet:print(file) function IPSet:print()
if not file then file = io.stdout end for name, ipset in pairs(self.config) do
for i, line in ipairs(self:commands()) do file:write(line) end self:dumpfile(name, io.stdout)
io.stdout:write('\n')
end
end end
function IPSet:dump(ipsfile) function IPSet:dump(ipsdir)
local file = io.output(ipsfile) for name, ipset in pairs(self.config) do
self:print(file) local fname = ipsdir..'/'..name
file:close() local file = io.open(fname)
if not file then
file = io.open(fname, 'w')
self:dumpfile(name, file)
end
file:close()
end
end end
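Review bot: In IPSet:dump the result of `io.open(fname, 'w')` is never checked, so an unwritable or missing `ipsdir` makes `self:dumpfile(name, nil)` fail with an "attempt to index a nil value" instead of a usable message; change it to `file, err = io.open(fname, 'w')` followed by `if not file then error('cannot write '..fname..': '..err) end` (declare `local err` beside `file`). The existence probe `io.open(fname)` also returns nil for a file that exists but is unreadable, which would defeat the do-not-overwrite intent — worth a comment such as `-- read-open as existence check; an unreadable existing file is treated as absent`. The ipset `name` is used verbatim as a path component (`ipsdir..'/'..name`); unless the config loader already restricts names, validating them here with something like `name:match('^[%w_%-]+$')` before building the path would keep a stray separator in a name from writing outside `ipsdir`. Separately, in IPSet:create the stderr message lost the trailing newline the old per-line output carried: `io.stderr:write('ipset creation failed: '..name..'\n')`.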