On 30.04.2013 13:55, Adam Gensler wrote:
> I noticed the following message when restarting the fw on trunk:
>
> Warning: Unable to locate ipset utility, disabling ipset support
>
> So, I decided to poke around the fw3 source code on gitweb here:
> http://nbd.name/gitweb.cgi?p=firewall3.git;a=summary
>
> I see there's an ipsets.c and ipsets.h in here. Unfortunately the
> wiki doesn't have any content on the ipsets support here. I've been
> using ipsets in firewall.user for a while now; it would be nice to
> get the same support natively in /etc/config/firewall.
>
> Is there an example of how to create and populate an ipset some place
> using /etc/config/firewall?
Right now there is support for declaring ipsets but no mechanism to
populate them (from within uci) - however you can do that from within a
firewall include.

An ipset can be declared like this:

-- 8< --
config ipset
	option name 'test_set'
	option match 'src_ip dest_port dest_net'
	option family 'IPv6'
-- >8 --

Which translates to:

  ipset create test_set hash:ip,port,net family inet6

A rule referencing a set could look like this:

-- 8< --
config rule
	option src 'lan'
	option dest 'wan'
	option ipset 'test_set'
	option target 'DROP'
-- >8 --

It would translate to:

  ip6tables -A zone_lan_forward -m set --match-set test_set src,dst,dst -p 6 -j zone_wan_dest_DROP
  ip6tables -A zone_lan_forward -m set --match-set test_set src,dst,dst -p 17 -j zone_wan_dest_DROP

It is also possible to reference previously created ipsets like this:

-- 8< --
config ipset
	option name 'another_set'
	option external 'real_set_name'
	option match 'src_ip dest_port dest_net'
-- >8 --

... this is mainly useful to map different directions to the same ipset
like in the example below:

-- 8< --
config ipset
	option name 'spammer'
	option match 'src_ip dest_port dest_net'

config ipset
	option name 'spammer_inverse'
	option external 'spammer'
	option match 'dest_ip src_port src_net'
-- >8 --

So when you reference them, option ipset 'spammer' maps to:

  -m set --match-set spammer src,dst,dst

while 'spammer_inverse' would map to:

  -m set --match-set spammer dst,src,src

Only ipsets without an "external" option are created by the firewall
program, the rest is merely referenced.

There is no real "uci way" to populate ipsets yet as I am unsure how
useful that would be since in most complex scenarios the sets are
supposed to get populated by scripts - but I am open to suggestions.

Regards,
Jow

_______________________________________________
openwrt-devel mailing list
openwrt-devel@lists.openwrt.org
https://lists.openwrt.org/mailman/listinfo/openwrt-devel
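The translation Jow describes (match tokens to an ipset hash type, src/dest prefixes to the `-m set` direction flags, and an `external` set being referenced rather than created) written out as a small model. This is an added example, not fw3's own code: the uci parser is simplified, only the ip/port/net datatypes from the message are handled, and the `family inet` default for IPv4 sets is an assumption.

```python
# Added illustration (not fw3's own code): uci 'config ipset' -> 'ipset create' and '-m set' args.
import shlex

DIRECTION = {"src": "src", "dest": "dst"}     # match prefix -> set flag
DATATYPE = ("ip", "port", "net")              # datatypes shown in the message

SAMPLE = """config ipset
    option name 'test_set'
    option match 'src_ip dest_port dest_net'
    option family 'IPv6'
config ipset
    option name 'spammer_inverse'
    option external 'spammer'
    option match 'dest_ip src_port src_net'
"""

def parse_uci(text):
    """Return the 'config ipset' sections of a uci file as dicts (simplified parser)."""
    sections, cur = [], None
    for line in text.splitlines():
        words = shlex.split(line, comments=True)
        if words and words[0] == "config":
            cur = {"type": words[1]}
            sections.append(cur)
        elif words and words[0] == "option" and cur is not None:
            cur[words[1]] = words[2]
    return [s for s in sections if s["type"] == "ipset"]

def split_match(section):
    """'src_ip dest_port dest_net' -> [('src','ip'), ('dst','port'), ('dst','net')]."""
    out = []
    for token in section["match"].split():
        direction, _, datatype = token.partition("_")
        if direction not in DIRECTION or datatype not in DATATYPE:
            raise ValueError(f"unsupported match token {token!r}")
        out.append((DIRECTION[direction], datatype))
    return out

def create_command(section):
    """Command for a set fw3 owns; None for an 'external' reference (only referenced)."""
    if "external" in section:
        return None
    method = "hash:" + ",".join(dt for _, dt in split_match(section))
    family = "inet6" if section.get("family", "").lower() == "ipv6" else "inet"  # IPv4 default assumed
    return f"ipset create {section['name']} {method} family {family}"

def match_args(section):
    """'-m set --match-set <real set> <flags>' emitted when a rule names this set."""
    real = section.get("external", section["name"])
    return f"-m set --match-set {real} " + ",".join(d for d, _ in split_match(section))
```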