Run update-ipset before load_firewall

The ipsets must already exist when they are referenced in iptables rules.

Run update-ipset before load_firewall
2a886773 · ale · 925efac2 · 2a886773 · 2a886773
Commit 2a886773 authored 1 year ago by ale
--- a/Makefile
+++ b/Makefile
@@ -7,11 +7,12 @@ sharedir = $(prefix)/share/firewall
 INSTALL = install
 TABLES = filter nat mangle raw

-all:
+all: update-firewall

 clean:
+	-rm -f update-firewall

-install:
+install: all
 	$(INSTALL) -d $(DESTDIR)$(sbindir)
 	$(INSTALL) -d $(DESTDIR)$(sharedir)
 	$(INSTALL) -d $(DESTDIR)$(fwconfdir)
@@ -34,3 +35,6 @@ install:
 	    $(INSTALL) -d $(DESTDIR)$(fwconfdir)/blocked/$$type/$$proto ; \
 	  done ; \
 	done)
+
+%: %.in
+	sed -e s,@PREFIX@,$(prefix),g -e s,@FWCONFDIR@,$(fwconfdir),g $< > $@
--- a/update-firewall
+++ b/update-firewall
 #!/bin/bash

 # Directory containing the configuration snippets.
-CONFIG_DIR="${CONFIG_DIR:-/etc/firewall}"
+CONFIG_DIR="${CONFIG_DIR:-@FWCONFDIR@}"

 # List of tables to manage.
 TABLES="filter nat mangle raw"
@@ -238,7 +238,16 @@ while [ $# -gt 0 ]; do
    shift
 done

+# We need to run update-ipset first, so that we can reference the sets
+# from iptables "-m set" rules.
+if [ -x @PREFIX@/sbin/update-ipset ]; then
+    @PREFIX@/sbin/update-ipset
+    if [ $? -gt 0 ]; then
+        echo "update-ipset failed, aborting..." >&2
+        exit 1
+    fi
+fi
+
 load_firewall

-# Execute update-ipset next.
-exec /usr/sbin/update-ipset
+exit 0