[CentOS] ipset module loaded at startup on CentOS 6.5

Tue Aug 26 03:21:57 UTC 2014
Ian Pilcher <arequipeno at gmail.com>

On 08/10/2014 02:18 PM, Rob Townley wrote:
> Anybody on here successfully get ipset iptables sets to work _after_ a
> reboot?

Here's an init script that I wrote for CentOS 6.  (systemd haters can
take note of how much easier it would have been to write a unit file.)

-- 
========================================================================
Ian Pilcher                                         arequipeno at gmail.com
-------- "I grew up before Mark Zuckerberg invented friendship" --------
========================================================================
-------------- next part --------------
#!/bin/bash
#
# ipset-state	Restore ipset state
#
# chkconfig: 2345 07 93
# description:	Restores (and saves) ipset state
#
# config: /etc/sysconfig/ipset-state
#
### BEGIN INIT INFO
# Provides: ipset-state
# Required-Start:
# Required-Stop:
# Default-Start: 2 3 4 5
# Default-Stop: 0 1 6
# Short-Description: restore (and save) ipset state
# Description: restore (and save) ipset state
### END INIT INFO

# Source the RHEL/CentOS function library (provides success/failure/warning
# used for the "[  OK  ]" / "[FAILED]" / "[WARNING]" column output)
. /etc/init.d/functions

# Where `ipset save` output is kept between boots.  Note that this file is
# fed straight to `ipset restore`, so whoever can write it decides which
# sets exist after the next boot; it should stay root-owned and not be
# group/world-writable.
STATE_FILE=/etc/sysconfig/ipset-state

# Everything below talks to the kernel through ipset, so refuse to run unless
# the effective uid is root (exit 4 = insufficient privilege, as in the LSB
# init-script conventions).
if [ "$EUID" != 0 ]; then
    exit 4
fi

# Same exit code when the ipset binary itself is missing.
if ! [ -x /usr/sbin/ipset ]; then
    echo -n "ipset-state: /usr/sbin/ipset does not exist."; warning; echo
    exit 4
fi

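start() {
    local rc

    # Restore the saved sets.  This has to happen before the iptables service
    # loads rules that reference sets; the chkconfig priorities in the header
    # (07/93) are presumably chosen for that, since Required-Start is empty
    # and nothing else enforces the ordering.

    # Warn (but continue) if sets already exist: the `-exist` flag below lets
    # the restore merge into existing sets instead of aborting on them.
    if [ -n "$(/usr/sbin/ipset list -name)" ]; then
        echo -n "ipset-state: IP sets already exist."; warning; echo
    fi

    # Nothing saved yet is not an error: mark the subsystem started so that
    # stop/condrestart behave normally, and return 0.
    if [ ! -f "$STATE_FILE" ]; then
        echo -n "ipset-state: No saved IP set state to restore."; warning; echo
        touch /var/lock/subsys/ipset-state
        return 0
    fi

    # The state file is a command stream consumed by `ipset restore`, so it
    # is only as trustworthy as its ownership/permissions (expected: root,
    # not writable by anyone else).
    echo -n "ipset-state: Loading saved IP set state: "
    /usr/sbin/ipset -exist restore < "$STATE_FILE"
    rc=$?
    if [ "$rc" -eq 0 ]; then
        success
        # Only take the subsys lock on success.  The original touched it
        # unconditionally up front, so a failed restore left the lock in
        # place and the dispatcher's "already started" check then skipped
        # every later `start` until the lock was removed by hand.
        touch /var/lock/subsys/ipset-state
    else
        failure
    fi
    echo
    return "$rc"
}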

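save() {
    local tmp rc

    echo -n "ipset-state: Saving IP set state: "

    # Write to a temporary file in the same directory and rename it into
    # place.  The original redirected `ipset save` straight onto
    # $STATE_FILE, which truncates the file *before* ipset runs: a failed
    # or interrupted save then left an empty state file, and the next boot
    # silently restored nothing.  rename(2) within one filesystem is atomic,
    # so readers see either the old state or the complete new one.
    tmp=$(mktemp "${STATE_FILE}.XXXXXX") || { failure; echo; return 1; }

    # 0600: the dump describes the firewall's block/allow sets, so keep it
    # root-only (presumably the same treatment /etc/sysconfig/iptables gets
    # from the distribution's iptables script).  mktemp already creates the
    # file 0600; the chmod makes that explicit rather than implied.
    if /usr/sbin/ipset save > "$tmp" && chmod 600 "$tmp" && mv -f "$tmp" "$STATE_FILE"; then
        rc=0
        success
    else
        rc=$?
        rm -f "$tmp"
        failure
    fi
    echo
    return "$rc"
}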

stop() {
    # Persist whatever is currently loaded, then release the subsys lock
    # whether or not the save worked; the save's status is what we report.
    local rc
    save
    rc=$?
    rm -f /var/lock/subsys/ipset-state
    return "$rc"
}

status() {
    # List the set names, one per line, indented under a heading.
    echo "ipset-state: IP sets:"
    /usr/sbin/ipset list -name | /bin/sed -e 's/^/    /'

    # Exit status follows the subsys lock: 0 = running, 3 = not running.
    if [ -f /var/lock/subsys/ipset-state ]; then
        echo "ipset-state: Subsystem locked."
        return 0
    fi
    echo "ipset-state: Subsystem NOT locked."
    return 3
}

restart() {
    # Tear everything down, then rebuild from the saved state.  Each step
    # reports its own [  OK  ]/[FAILED]; `-quiet` mutes ipset's own messages
    # on the destroy so only our status line is printed.
    echo -n "ipset-state: Flushing all IP sets: "
    if /usr/sbin/ipset flush; then success; else failure; fi
    echo

    echo -n "ipset-state: Destroying all IP sets: "
    if /usr/sbin/ipset -quiet destroy; then success; else failure; fi
    echo

    # A destroy failure (presumably a set still referenced by iptables
    # rules) is deliberately not fatal: start() restores with -exist, so
    # surviving sets are merged into rather than treated as errors.  The
    # status of restart is the status of start.
    start
}

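# Dispatch on the service action.  RETVAL is the script's exit status.
case "$1" in
    start)
        # Idempotent: an existing subsys lock means "already started".
        [ -f /var/lock/subsys/ipset-state ] && exit 0
        start
        RETVAL=$?
        ;;
    stop)
        stop
        RETVAL=$?
        ;;
    restart|reload|force-reload)
        restart
        RETVAL=$?
        ;;
    condrestart|try-restart)
        # Only restart if we are currently started (lock present).
        [ ! -f /var/lock/subsys/ipset-state ] && exit 0
        restart
        RETVAL=$?
        ;;
    status)
        status
        RETVAL=$?
        ;;
    save)
        save
        RETVAL=$?
        ;;
    *)
        # Usage text previously named the script "ipt-state"; it is
        # ipset-state.  Exit 2 = invalid or excess arguments.
        echo "Usage: ipset-state {start|stop|restart|condrestart|status|save}"
        RETVAL=2
        ;;
esac

exit $RETVAL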