fix firehol startup at boot; fixes #260

2024-06-27 09:28:18 +00:00 · 2017-09-19 01:23:17 +03:00 · 2017-09-19 01:23:17 +03:00 · a613c9f486
commit a613c9f486
parent 63c6785fa6
2 changed files with 37 additions and 7 deletions
--- a/contrib/firehol.service
+++ b/contrib/firehol.service
@ -2,11 +2,22 @@
 Description=Firehol stateful packet filtering firewall for humans
 Documentation=man:firehol(1) man:firehol.conf(5)

+DefaultDependencies=no
+
+Before=network-pre.target
+Wants=network-pre.target
+
+Wants=systemd-modules-load.service local-fs.target
+After=systemd-modules-load.service local-fs.target
+
+Conflicts=shutdown.target
+Before=shutdown.target
+
 [Service]
 Type=oneshot
+RemainAfterExit=yes
 ExecStart=/usr/sbin/firehol start
 ExecStop=/usr/sbin/firehol stop
-RemainAfterExit=yes

 [Install]
 WantedBy=multi-user.target
--- a/sbin/firehol
+++ b/sbin/firehol
@ -965,7 +965,7 @@ ${RENICE_CMD} 10 $$ >/dev/null 2>/dev/null
 # Initialize iptables
 if [ $ENABLE_IPV4 -eq 1 ]
 then
-	${IPTABLES_CMD} -nxvL >/dev/null 2>&1
+	${IPTABLES_CMD} -wnxvL >/dev/null 2>&1
 	if [ $? -ne 0 ]
 	then
 		echo >&2 " WARNING: error initializing iptables: IPv4 disabled"
@ -975,7 +975,7 @@ fi

 if [ $ENABLE_IPV6 -eq 1 ]
 then
-	${IP6TABLES_CMD} -nxvL >/dev/null 2>&1
+	${IP6TABLES_CMD} -wnxvL >/dev/null 2>&1
 	if [ $? -ne 0 ]
 	then
 		echo >&2 " WARNING: error initializing ip6tables: IPv6 disabled"
@ -1386,16 +1386,30 @@ $CAT_CMD >&20 <<'EOFMTL'

 # a function to help us save a value to a file
 postprocess_echo_to() { echo "${1}" >"${2}"; }
+postprocess_wait_netfilter() {
+	echo >&2 "checking if netfilter is ready..."
+	maxwait=60
+	waiting=0
+	while [ ! -f /proc/sys/net/netfilter/nf_conntrack_max -a ${waiting} -le ${maxwait} ]
+	do
+		echo >&2 "netfilter is not ready; waiting ${waiting} of ${maxwait}"
+		sleep 1
+		waiting=$(( waiting + 1 ))
+	done
+	[ ${waiting} -gt ${maxwait} ] && return 1
+	return 0
+}

 EOFMTL

+# source it to have the functions available here too
+# we need these for sourcing our output file
+source "${FIREHOL_DIR}/firewall_restore_commands.sh"
+
 # prepare the file that will hold the generated iptables commands
 # when FAST_ACTIVATION is zero
 file open 21 "${FIREHOL_OUTPUT}" w || exit 1

-# we need this for sourcing our output file
-postprocess_echo_to() { echo "${1}" >"${2}"; }
-
 # Make sure we have a directory for our data.
 if [ ! -d "${FIREHOL_SPOOL_DIR}" ]
 then
@ -6525,7 +6539,12 @@ close_master() {
 	# execute all postprocessing commands for this firewall

 	if [ ${FIREHOL_ROUTING} -eq 1 ]; then postprocess -warn ${SYSCTL_CMD} -w "net.ipv4.ip_forward=1" || return 1; fi
-	
+
+	# netfilter delays the creation of files under /proc/sys/net/netfilter
+	# so, we wait for them to be available
+	# https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=864341#30
+	postprocess -warn postprocess_wait_netfilter
+
 	if [ "${FIREHOL_CONNTRACK_HELPERS_ASSIGNMENT}" = "kernel" ]
 	then
 		if [ -f /proc/sys/net/netfilter/nf_conntrack_helper ]