48 lines
2.3 KiB
Plaintext
48 lines
2.3 KiB
Plaintext
README for /etc/sysconfig/ipset
|
|
-------------------------------
|
|
|
|
ipset does not have a nice way like iptables-restore to restore them and before iptables loads the sets must be loaded already, otherwise iptables-restore will fail to restore the firewall settings.
|
|
|
|
Thus there are some tricks used to allow safe update of ipsets.
|
|
|
|
|
|
If you want to...
|
|
|
|
... add a net to an existing ip set:
|
|
1. Lookup the name of the existing ip set (e.g. transit_IPv4) and add _tmp to it: transit_IPv4_tmp
|
|
2. Add a line similar to the following to /etc/sysconfig/ipset:
|
|
add transit_IPv4_tmp 185.117.213.0/24
|
|
3. Run the following command (this restarts iptables):
|
|
# systemctl restart ipset
|
|
4. Run the following command to verify that the net has been added, but use the real name of the set:
|
|
# ipset list transit_IPv4
|
|
You're done.
|
|
|
|
|
|
... create a new ip set:
|
|
1. Think of a new sensible name (e.g. reserved_IPv4)
|
|
2. If the structure of the set is exactly the same as an existing set, you can skip to step 3 and just copy the lines from an existing set, otherwise:
|
|
a. Use "ipset create" (man ipset) to create the set and "ipset add" to add one entry
|
|
b. Run "ipset save" (displays to stdout) and copy the lines to create your new set and add the first entry
|
|
3. Update /etc/systemd/system/ipset.service...
|
|
a. by adding a new line (obviously use the name of your set and add "family inet6" if it's IPv6):
|
|
ExecStartPre=-/sbin/ipset create reserved_IPv4 hash:net
|
|
b. and adding a new line with the name of your set with an added _tmp at the end:
|
|
ExecStartPre=-/sbin/ipset destroy reserved_IPv4_tmp
|
|
c. Run the following command:
|
|
# systemctl daemon-reload
|
|
4. Update /etc/sysconfig/ipset...
|
|
a. by adding a create line for your set with an added _tmp at the end:
|
|
create reserved_IPv4_tmp hash:net family inet hashsize 1024 maxelem 65536 counters
|
|
b. by adding the add line for your set with an added _tmp at the end:
|
|
add reserved_IPv4_tmp 240.0.0.0/4
|
|
c. by adding a swap line for your set first with an added _tmp then without the _tmp:
|
|
swap reserved_IPv4_tmp reserved_IPv4
|
|
d. by adding a destroy line for the set with _tmp at the end:
|
|
destroy reserved_IPv4_tmp
|
|
5. Run the following command (this restarts iptables):
|
|
# systemctl restart ipset
|
|
6. Run the following command to verify that the set has been added, but use the real name of the set:
|
|
# ipset list transit_IPv4
|
|
You're done.
|