fix firehol startup at boot; fixes #260
parent
63c6785fa6
commit
a613c9f486
@ -2,11 +2,22 @@
|
||||
Description=Firehol stateful packet filtering firewall for humans
|
||||
Documentation=man:firehol(1) man:firehol.conf(5)
|
||||
|
||||
DefaultDependencies=no
|
||||
|
||||
Before=network-pre.target
|
||||
Wants=network-pre.target
|
||||
|
||||
Wants=systemd-modules-load.service local-fs.target
|
||||
After=systemd-modules-load.service local-fs.target
|
||||
|
||||
Conflicts=shutdown.target
|
||||
Before=shutdown.target
|
||||
|
||||
[Service]
|
||||
Type=oneshot
|
||||
RemainAfterExit=yes
|
||||
ExecStart=/usr/sbin/firehol start
|
||||
ExecStop=/usr/sbin/firehol stop
|
||||
RemainAfterExit=yes
|
||||
|
||||
[Install]
|
||||
WantedBy=multi-user.target
|
||||
|
31
sbin/firehol
31
sbin/firehol
@ -965,7 +965,7 @@ ${RENICE_CMD} 10 $$ >/dev/null 2>/dev/null
|
||||
# Initialize iptables
|
||||
if [ $ENABLE_IPV4 -eq 1 ]
|
||||
then
|
||||
${IPTABLES_CMD} -nxvL >/dev/null 2>&1
|
||||
${IPTABLES_CMD} -wnxvL >/dev/null 2>&1
|
||||
if [ $? -ne 0 ]
|
||||
then
|
||||
echo >&2 " WARNING: error initializing iptables: IPv4 disabled"
|
||||
@ -975,7 +975,7 @@ fi
|
||||
|
||||
if [ $ENABLE_IPV6 -eq 1 ]
|
||||
then
|
||||
${IP6TABLES_CMD} -nxvL >/dev/null 2>&1
|
||||
${IP6TABLES_CMD} -wnxvL >/dev/null 2>&1
|
||||
if [ $? -ne 0 ]
|
||||
then
|
||||
echo >&2 " WARNING: error initializing ip6tables: IPv6 disabled"
|
||||
@ -1386,16 +1386,30 @@ $CAT_CMD >&20 <<'EOFMTL'
|
||||
|
||||
# a function to help us save a value to a file
|
||||
postprocess_echo_to() { echo "${1}" >"${2}"; }
|
||||
postprocess_wait_netfilter() {
|
||||
echo >&2 "checking if netfilter is ready..."
|
||||
maxwait=60
|
||||
waiting=0
|
||||
while [ ! -f /proc/sys/net/netfilter/nf_conntrack_max -a ${waiting} -le ${maxwait} ]
|
||||
do
|
||||
echo >&2 "netfilter is not ready; waiting ${waiting} of ${maxwait}"
|
||||
sleep 1
|
||||
waiting=$(( waiting + 1 ))
|
||||
done
|
||||
[ ${waiting} -gt ${maxwait} ] && return 1
|
||||
return 0
|
||||
}
|
||||
|
||||
EOFMTL
|
||||
|
||||
# source it to have the functions available here too
|
||||
# we need these for sourcing our output file
|
||||
source "${FIREHOL_DIR}/firewall_restore_commands.sh"
|
||||
|
||||
# prepare the file that will hold the generated iptables commands
|
||||
# when FAST_ACTIVATION is zero
|
||||
file open 21 "${FIREHOL_OUTPUT}" w || exit 1
|
||||
|
||||
# we need this for sourcing our output file
|
||||
postprocess_echo_to() { echo "${1}" >"${2}"; }
|
||||
|
||||
# Make sure we have a directory for our data.
|
||||
if [ ! -d "${FIREHOL_SPOOL_DIR}" ]
|
||||
then
|
||||
@ -6525,7 +6539,12 @@ close_master() {
|
||||
# execute all postprocessing commands for this firewall
|
||||
|
||||
if [ ${FIREHOL_ROUTING} -eq 1 ]; then postprocess -warn ${SYSCTL_CMD} -w "net.ipv4.ip_forward=1" || return 1; fi
|
||||
|
||||
|
||||
# netfilter delays the creation of files under /proc/sys/net/netfilter
|
||||
# so, we wait for them to be available
|
||||
# https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=864341#30
|
||||
postprocess -warn postprocess_wait_netfilter
|
||||
|
||||
if [ "${FIREHOL_CONNTRACK_HELPERS_ASSIGNMENT}" = "kernel" ]
|
||||
then
|
||||
if [ -f /proc/sys/net/netfilter/nf_conntrack_helper ]
|
||||
|
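Review bot: The wait added as `postprocess -warn postprocess_wait_netfilter` is deferred (postprocess appears to queue its command into the output file opened on fd 21, per the context in the earlier hunk), but the `if [ -f /proc/sys/net/netfilter/nf_conntrack_helper ]` test on the very next line is evaluated immediately inside close_master, so at boot that test can still run before netfilter has created the file and the kernel helper-assignment branch is skipped silently; if that reading is right, the existence test needs to be queued behind the wait as well, e.g. by moving it into a postprocessed helper. close_master begins before this hunk. In the earlier hunk that defines postprocess_wait_netfilter, `maxwait` and `waiting` become globals of whatever shell sources firewall_restore_commands.sh and the loop uses the obsolescent `-a` inside `[`; `local maxwait=60`, `local waiting=0` and `while [ ! -f /proc/sys/net/netfilter/nf_conntrack_max ] && [ "${waiting}" -le "${maxwait}" ]` keep the same behaviour. Note also that the loop sleeps up to 61 times (waiting runs 0..60 inclusive) before returning 1, so a host on which nf_conntrack is never loaded pays that full delay on every start; a comment saying this is intended, or `-lt`, would make the bound clear. The `-w` in the two `-wnxvL` probes needs an iptables build that understands `--wait`; on one that predates it the probe itself fails and IPv4/IPv6 filtering is disabled with only a warning, so if such builds are still supported the probe should fall back to the plain `-nxvL` form.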