On 08/10/2014 02:18 PM, Rob Townley wrote:
> Anybody on here successfully get ipset iptables sets to work _after_ a
> reboot?
Here's an init script that I wrote for CentOS 6. (systemd haters can
take note of how much easier it would have been to write a unit file.)
--
========================================================================
Ian Pilcher arequip...@gmail.com
-------- "I grew up before Mark Zuckerberg invented friendship" --------
========================================================================
#!/bin/bash
#
# ipset-state Restore ipset state
#
# chkconfig: 2345 07 93
# description: Restores (and saves) ipset state
#
# config: /etc/sysconfig/ipset-state
#
### BEGIN INIT INFO
# Provides: ipset-state
# Required-Start:
# Required-Stop:
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: restore (and save) ipset state
# Description: restore (and save) ipset state
### END INIT INFO
# Source function library
. /etc/init.d/functions
STATE_FILE=/etc/sysconfig/ipset-state
# only usable by root
[ $EUID = 0 ] || exit 4
if [ ! -x /usr/sbin/ipset ]; then
echo -n "ipset-state: /usr/sbin/ipset does not exist."; warning; echo
exit 4
fi
start() {
touch /var/lock/subsys/ipset-state
# Warn if sets already exist
if [ -n "`/usr/sbin/ipset list -name`" ]; then
echo -n "ipset-state: IP sets already exist."; warning; echo
fi
# Warn if there is no config file
if [ ! -f "$STATE_FILE" ]; then
echo -n "ipset-state: No saved IP set state to restore."; warning; echo
return 0
fi
echo -n "ipset-state: Loading saved IP set state: "
/usr/sbin/ipset -exist restore < "$STATE_FILE"
ret=$?
[ $ret -eq 0 ] && success || failure
echo
return $ret
}
save() {
echo -n "ipset-state: Saving IP set state: "
/usr/sbin/ipset save > "$STATE_FILE"
ret=$?
[ $ret -eq 0 ] && success || failure
echo
return $ret
}
stop() {
save
ret=$?
rm -f /var/lock/subsys/ipset-state
return $ret
}
status() {
echo "ipset-state: IP sets:"
/usr/sbin/ipset list -name | /bin/sed 's/^/ /'
if [ -f /var/lock/subsys/ipset-state ]; then
echo "ipset-state: Subsystem locked."
return 0
else
echo "ipset-state: Subsystem NOT locked."
return 3
fi
}
restart() {
echo -n "ipset-state: Flushing all IP sets: "
/usr/sbin/ipset flush && success || failure
echo
echo -n "ipset-state: Destroying all IP sets: "
/usr/sbin/ipset -quiet destroy && success || failure
echo
start
return $?
}
case "$1" in
start)
[ -f /var/lock/subsys/ipset-state ] && exit 0
start
RETVAL=$?
;;
stop)
stop
RETVAL=$?
;;
restart|reload|force-reload)
restart
RETVAL=$?
;;
condrestart|try-restart)
[ ! -f /var/lock/subsys/ipset-state ] && exit 0
restart
RETVAL=$?
;;
status)
status
RETVAL=$?
;;
save)
save
RETVAL=$?
;;
*)
echo "Usage: ipt-state {start|stop|restart|condrestart|status|save}"
RETVAL=2
;;
esac
exit $RETVAL
_______________________________________________
CentOS mailing list
CentOS@centos.org
http://lists.centos.org/mailman/listinfo/centos
