On 08/18/2012 07:25 PM, Aaron St. Pierre wrote:
Tom,
I confirm this patch is working as expected on my systems!
Aaron,
Here is a compiler workaround for this problem; the compiler can also
leave an empty ipset behind.
-Tom
--
Tom Eastep \ When I die, I want to go like my Grandfather who
Shoreline, \ died peacefully in his sleep. Not screaming like
Washington, USA \ all of the passengers in his car
http://shorewall.net \________________________________________________
diff --git a/Shorewall/Perl/Shorewall/Config.pm b/Shorewall/Perl/Shorewall/Config.pm
index 5a2d462..79e0621 100644
--- a/Shorewall/Perl/Shorewall/Config.pm
+++ b/Shorewall/Perl/Shorewall/Config.pm
@@ -3194,7 +3194,7 @@ sub Old_IPSet_Match() {
if ( qt( "$ipset -N $sillyname iphash" ) ) {
if ( qt1( "$iptables -A $sillyname -m set --set $sillyname src -j ACCEPT" ) ) {
- qt1( "$iptables -D $sillyname -m set --set $sillyname src -j ACCEPT" );
+ qt1( "$iptables -F $sillyname" );
$result = $capabilities{IPSET_MATCH} = 1;
}
@@ -3217,7 +3217,7 @@ sub IPSet_Match() {
if ( qt( "$ipset -N $sillyname iphash" ) || qt( "$ipset -N $sillyname hash:ip family $fam") ) {
if ( qt1( "$iptables -A $sillyname -m set --match-set $sillyname src -j ACCEPT" ) ) {
- qt1( "$iptables -D $sillyname -m set --match-set $sillyname src -j ACCEPT" );
+ qt1( "$iptables -F $sillyname" );
$result = ! ( $capabilities{OLD_IPSET_MATCH} = 0 );
} else {
$result = have_capability 'OLD_IPSET_MATCH';
------------------------------------------------------------------------------
Live Security Virtual Conference
Exclusive live event will cover all the ways today's security and
threat landscape has changed and how IT managers can respond. Discussions
will include endpoint security, mobile security and the latest in malware
threats. http://www.accelacomm.com/jaw/sfrnl04242012/114/50122263/
_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
