rework ipset removal logic to only purge sets that are not in use by any family

diff --git a/ipsets.c b/ipsets.c
index ab86133c31be3756a9e751a4e4e2e514dc5119e2..5e0d61f9c3f956c23c542b533fdda8884e31b70f 100644 (file)
--- a/ipsets.c
+++ b/ipsets.c
@@ -266,7 +266,7 @@ create_ipset(struct fw3_ipset *ipset)
        if (ipset->external && *ipset->external)
                return;
 
-       info(" * %s", ipset->name);
+       info("Creating ipset %s", ipset->name);
 
        first = true;
        fw3_pr("create %s %s", ipset->name, methods[ipset->method]);
@@ -328,37 +328,69 @@ create_ipset(struct fw3_ipset *ipset)
        fw3_pr("\n");
 }
 
+static bool
+ipset_loaded(struct list_head *statefile, const char *name)
+{
+       struct fw3_statefile_entry *e;
+       int mask = (1 << FW3_FAMILY_V4) | (1 << FW3_FAMILY_V6);
+
+       if (!statefile)
+               return false;
+
+       list_for_each_entry(e, statefile, list)
+       {
+               if (e->type != FW3_TYPE_IPSET)
+                       continue;
+
+               if (!strcmp(e->name, name) && (e->flags[0] & mask))
+                       return true;
+       }
+
+       return false;
+}
+
 void
-fw3_create_ipsets(struct fw3_state *state)
+fw3_create_ipsets(struct fw3_state *state, struct list_head *statefile)
 {
        struct fw3_ipset *ipset;
 
        if (state->disable_ipsets)
                return;
 
-       info("Initializing ipsets ...");
-
        list_for_each_entry(ipset, &state->ipsets, list)
-               create_ipset(ipset);
+               if (!ipset_loaded(statefile, ipset->name))
+                       create_ipset(ipset);
 
        fw3_pr("quit\n");
 }
 
 void
-fw3_destroy_ipsets(struct list_head *statefile)
+fw3_destroy_ipsets(struct fw3_state *state, struct list_head *statefile)
 {
+       struct fw3_ipset *s;
        struct fw3_statefile_entry *e;
+       int mask = (1 << FW3_FAMILY_V4) | (1 << FW3_FAMILY_V6);
+
+       if (!statefile)
+               return;
 
-       if (statefile)
+       list_for_each_entry(e, statefile, list)
        {
-               info("Destroying ipsets ...");
+               if (e->type != FW3_TYPE_IPSET)
+                       continue;
 
-               list_for_each_entry(e, statefile, list)
-               {
-                       if (e->type != FW3_TYPE_IPSET)
-                               continue;
+               if (!hasbit(state->defaults.flags, FW3_FAMILY_V4))
+                       delbit(e->flags[0], FW3_FAMILY_V4);
+
+               if (!hasbit(state->defaults.flags, FW3_FAMILY_V6))
+                       delbit(e->flags[0], FW3_FAMILY_V6);
 
-                       info(" * %s", e->name);
+               if ((s = fw3_lookup_ipset(state, e->name)) != NULL)
+                       s->flags = e->flags[0];
+
+               if (!(e->flags[0] & mask))
+               {
+                       info("Deleting ipset %s", e->name);
 
                        fw3_pr("flush %s\n", e->name);
                        fw3_pr("destroy %s\n", e->name);

diff --git a/ipsets.h b/ipsets.h
index 49c6e669eda1a2650839c0201b45d784dc6ef0a3..a169979860850dad47f223b3e06c7cbd2c31e02a 100644 (file)
--- a/ipsets.h
+++ b/ipsets.h
@@ -39,9 +39,8 @@ struct fw3_ipset_settype {
 };
 
 void fw3_load_ipsets(struct fw3_state *state, struct uci_package *p);
-void fw3_create_ipsets(struct fw3_state *state);
-
-void fw3_destroy_ipsets(struct list_head *statefile);
+void fw3_create_ipsets(struct fw3_state *state, struct list_head *statefile);
+void fw3_destroy_ipsets(struct fw3_state *state, struct list_head *statefile);
 
 void fw3_free_ipset(struct fw3_ipset *ipset);
 

diff --git a/main.c b/main.c
index 3ef7243c33955f92ff54eb25c5a2e32d0d3f6182..23c149784c0d26fa97a27c91d10f56f91407bfab 100644 (file)
--- a/main.c
+++ b/main.c
@@ -220,12 +220,9 @@ stop(struct fw3_state *state, bool complete, bool restart)
                rv = 0;
        }
 
-       if (!restart &&
-           !family_loaded(state, FW3_FAMILY_V4) &&
-           !family_loaded(state, FW3_FAMILY_V6) &&
-           fw3_command_pipe(false, "ipset", "-exist", "-"))
+       if (!restart && fw3_command_pipe(false, "ipset", "-exist", "-"))
        {
-               fw3_destroy_ipsets(statefile);
+               fw3_destroy_ipsets(state, statefile);
                fw3_command_close();
        }
 
@@ -249,7 +246,7 @@ start(struct fw3_state *state, bool restart)
        if (!print_rules && !restart &&
            fw3_command_pipe(false, "ipset", "-exist", "-"))
        {
-               fw3_create_ipsets(state);
+               fw3_create_ipsets(state, statefile);
                fw3_command_close();
        }
 

diff --git a/utils.c b/utils.c
index 9b62789a3dcc7f902c329fed6c46cadf1fc6d138..1ba25fdcc0e2c76784e61a17b6146d55c916557c 100644 (file)
--- a/utils.c
+++ b/utils.c
@@ -435,6 +435,9 @@ fw3_write_statefile(void *state)
                if (i->external && *i->external)
                        continue;
 
+               if (!i->flags)
+                       continue;
+
                fprintf(sf, "%u %s %u\n", FW3_TYPE_IPSET, i->name, i->flags);
        }