network: increase maxelem of the ipsets

setup/start/cloudron-firewall.sh

@@ -18,22 +18,26 @@ function ipxtables() {
 ipxtables -t filter -N CLOUDRON || true
 ipxtables -t filter -F CLOUDRON # empty any existing rules
 
-# first setup any user IP block lists
-ipset create cloudron_blocklist hash:net || true
-ipset create cloudron_blocklist6 hash:net family inet6 || true
+# first setup any user IP block lists . remove all references in iptables before destroying them
+echo "==> Creating ipset cloudron_blocklist"
+$iptables -t filter -D DOCKER-USER -m set --match-set cloudron_blocklist src -j DROP || true
+sleep 1 # without this there is a race that iptables is still referencing the ipset
+ipset destroy cloudron_blocklist  || true
+ipset create cloudron_blocklist hash:net maxelem 262144 || true # if you change the size, change network.js size check
+
+echo "==> Creating ipset cloudron_blocklist6"
+$ip6tables -D FORWARD -m set --match-set cloudron_blocklist6 src -j DROP || true
+sleep 1 # without this there is a race that iptables is still referencing the ipset
+ipset destroy cloudron_blocklist6 || true
+ipset create cloudron_blocklist6 hash:net family inet6 maxelem 262144 || true  # if you change the size, change network.js size check
 
 /home/yellowtent/box/src/scripts/setblocklist.sh
 
 $iptables -t filter -A CLOUDRON -m set --match-set cloudron_blocklist src -j DROP
-# the DOCKER-USER chain is not cleared on docker restart
-if ! $iptables -t filter -C DOCKER-USER -m set --match-set cloudron_blocklist src -j DROP; then
-    $iptables -t filter -I DOCKER-USER 1 -m set --match-set cloudron_blocklist src -j DROP
-fi
+$iptables -t filter -I DOCKER-USER 1 -m set --match-set cloudron_blocklist src -j DROP # the DOCKER-USER chain is not cleared on docker restart
 
 $ip6tables -t filter -A CLOUDRON -m set --match-set cloudron_blocklist6 src -j DROP
-# there is no DOCKER-USER chain in ip6tables, bug?
-$ip6tables -D FORWARD -m set --match-set cloudron_blocklist6 src -j DROP || true
-$ip6tables -I FORWARD 1 -m set --match-set cloudron_blocklist6 src -j DROP
+$ip6tables -I FORWARD 1 -m set --match-set cloudron_blocklist6 src -j DROP # there is no DOCKER-USER chain in ip6tables, bug?
 
 # allow related and establisted connections
 ipxtables -t filter -A CLOUDRON -m state --state RELATED,ESTABLISHED -j ACCEPT
@@ -54,10 +58,16 @@ if allowed_udp_ports=$(node -e "console.log(JSON.parse(fs.readFileSync('${ports_
 fi
 
 # LDAP user directory allow list
-ipset create cloudron_ldap_allowlist hash:net || true
+if ! ipset list cloudron_ldap_allowlist >/dev/null 2>&1; then
+    echo "==> Creating the cloudron_ldap_allowlist ipset"
+    ipset create cloudron_ldap_allowlist hash:net
+fi
 ipset flush cloudron_ldap_allowlist
 
-ipset create cloudron_ldap_allowlist6 hash:net family inet6 || true
+if ! ipset list cloudron_ldap_allowlist6 >/dev/null 2>&1; then
+    echo "==> Creating the cloudron_ldap_allowlist6 ipset"
+    ipset create cloudron_ldap_allowlist6 hash:net family inet6
+fi
 ipset flush cloudron_ldap_allowlist6
 
 ldap_allowlist_json="/home/yellowtent/platformdata/firewall/ldap_allowlist.txt"