--- /dev/null
+diff --git a/init.d/iptables-persistent b/init.d/iptables-persistent
+index 13c704d..de6ba13 100755
+--- a/init.d/iptables-persistent
++++ b/init.d/iptables-persistent
+@@ -10,9 +10,55 @@
+ # Short-Description: Set up iptables rules
+ ### END INIT INFO
+
++ipset_restore()
++{
++ local f="$1"
++ local cmd=""
++
++ if ! cmd="$(which ipset)"; then
++ return 0
++ fi
++ ipset -R < "$f" 2> /dev/null
++}
++
++ipset_flush()
++{
++ local cmd=""
++
++ if ! cmd="$(which ipset)"; then
++ return 0
++ fi
++ # First, i need to flush 'setlist' sets, otherwise destroy will fail,
++ # because some sets may have references (from 'setlist' sets),
++ ipset -F
++ ipset -X
++}
++
++flush_rules()
++{
++ if [ -f /proc/net/ip_tables_names -a -x /sbin/iptables ]; then
++ for param in F Z X; do /sbin/iptables -$param; done
++ for table in $(cat /proc/net/ip_tables_names)
++ do
++ /sbin/iptables -t $table -F
++ /sbin/iptables -t $table -Z
++ /sbin/iptables -t $table -X
++ done
++ for chain in INPUT FORWARD OUTPUT
++ do
++ /sbin/iptables -P $chain ACCEPT
++ done
++ fi
++
++ ipset_flush
++}
++
++
+ case "$1" in
+ start)
+ if [ -f /etc/iptables/rules ]; then
++ flush_rules
++ ipset_restore /etc/iptables/ipsets
+ iptables-restore </etc/iptables/rules
+ fi
+ ;;
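Review bot: The `start)` branch can now fail open, because `flush_rules` sets INPUT, FORWARD and OUTPUT to ACCEPT and empties every table before `ipset_restore` and `iptables-restore` run, and neither result is checked. If `/etc/iptables/ipsets` is missing or malformed, `ipset -R` fails with its output sent to `2> /dev/null`; a rules file that references one of those sets will then presumably be rejected by `iptables-restore`, leaving the host with no filtering where a re-run of `start` used to leave the old ruleset in place. In `ipset_restore` I would guard the file with `[ -f "$f" ] || return 0` and drop the `2> /dev/null`, and in the `start)` branch report a failure with `ipset_restore /etc/iptables/ipsets || echo "ipset restore failed" >&2`. The `cmd` variable in `ipset_restore` and `ipset_flush` is assigned but never used, so `command -v ipset >/dev/null` would state the intent more directly.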
--- /dev/null
+--- iptables-persistent 2014-05-13 11:11:24.284541709 +0400
++++ iptables-persistent.new 2014-08-18 23:29:15.466662767 +0400
+@@ -8,8 +8,8 @@
+ # Provides: iptables-persistent
+ # Required-Start: mountkernfs $local_fs
+ # Required-Stop: $local_fs
+-# Default-Start: S
+-# Default-Stop:
++# Default-Start: 2 3 4 5
++# Default-Stop: 0 1 6
+ # X-Start-Before: $network
+ # X-Stop-After: $network
+ # Short-Description: Set up iptables rules
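Review bot: Changing `Default-Start` from `S` to `2 3 4 5` may move rule loading to after the interfaces are configured, which would leave a window at boot where the host is reachable without its packet filter. The header still declares `X-Start-Before: $network`, and on a sysv-style boot that facility is normally provided in rcS, so the ordering hint may no longer be honoured; this should be confirmed against the generated boot order on the target system. If the later runlevels are needed for ipset, a comment such as `# started in 2-5 because ipset needs <reason>; verify it still runs before interfaces come up` would record the trade-off.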
+@@ -21,15 +21,54 @@
+
+ rc=0
+
++ipset_save()
++{
++ local f="$1"
++ local cmd=""
++
++ if ! cmd="$(which ipset)"; then
++ log_action_cont_msg "ipset not found, skipping saving ipset."
++ return 0
++ fi
++ ipset save > "$f"
++}
++
++ipset_restore()
++{
++ local f="$1"
++ local cmd=""
++
++ if ! cmd="$(which ipset)"; then
++ log_action_cont_msg "ipset not found, skipping restoring ipset."
++ return 0
++ fi
++ ipset restore < "$f" 2> /dev/null
++}
++
++ipset_flush()
++{
++ local cmd=""
++
++ if ! cmd="$(which ipset)"; then
++ log_action_cont_msg "ipset not found, skipping flushing ipset."
++ return 0
++ fi
++ ipset destroy
++}
++
+ load_rules()
+ {
+ log_action_begin_msg "Loading iptables rules"
+
++ ipset_restore /etc/iptables/ipsets
+ #load IPv4 rules
+ if [ ! -f /etc/iptables/rules.v4 ]; then
+ log_action_cont_msg " skipping IPv4 (no rules to load)"
+ else
+ log_action_cont_msg " IPv4"
++ if [ $? -ne 0 ]; then
++ rc=1
++ fi
+ iptables-restore < /etc/iptables/rules.v4 2> /dev/null
+ if [ $? -ne 0 ]; then
+ rc=1
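Review bot: The added `if [ $? -ne 0 ]` after `log_action_cont_msg " IPv4"` tests the exit status of that log call, not of `ipset_restore`, which ran several commands earlier, so a failed set restore never sets `rc`. The same misplaced check is repeated in the IPv6 branch of `load_rules` and in both branches of the save function in the later hunks. Capture the status at the call site with `ipset_restore /etc/iptables/ipsets || rc=1` and remove the four added `$?` blocks. `ipset_restore` also redirects a possibly missing file and hides the error with `2> /dev/null`, so `[ -f "$f" ] || return 0` and a visible error message would make a failure diagnosable before `iptables-restore` meets rules that reference sets which were never created.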
+@@ -41,6 +80,9 @@
+ log_action_cont_msg " skipping IPv6 (no rules to load)"
+ else
+ log_action_cont_msg " IPv6"
++ if [ $? -ne 0 ]; then
++ rc=1
++ fi
+ ip6tables-restore < /etc/iptables/rules.v6 2> /dev/null
+ if [ $? -ne 0 ]; then
+ rc=1
+@@ -54,6 +96,7 @@
+ {
+ log_action_begin_msg "Saving rules"
+
++ ipset_save /etc/iptables/ipsets
+ #save IPv4 rules
+ #need at least iptable_filter loaded:
+ /sbin/modprobe -q iptable_filter
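Review bot: The result of `ipset_save /etc/iptables/ipsets` is discarded here, and `ipset_save` (defined in the earlier hunk) redirects straight onto the target file, so the file is truncated before `ipset save` has produced anything. A failed save therefore leaves an empty or partial `/etc/iptables/ipsets`, and on the next boot rules that reference the lost sets would likely fail to load. Writing to a sibling file and renaming it keeps the last good copy, `ipset save > "$f.new" && mv "$f.new" "$f"`, with the call changed to `ipset_save /etc/iptables/ipsets || rc=1`. The enclosing save function starts outside this hunk.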
+@@ -61,6 +104,9 @@
+ log_action_cont_msg " skipping IPv4 (no modules loaded)"
+ elif [ -x /sbin/iptables-save ]; then
+ log_action_cont_msg " IPv4"
++ if [ $? -ne 0 ]; then
++ rc=1
++ fi
+ iptables-save > /etc/iptables/rules.v4
+ if [ $? -ne 0 ]; then
+ rc=1
+@@ -74,6 +120,9 @@
+ log_action_cont_msg " skipping IPv6 (no modules loaded)"
+ elif [ -x /sbin/ip6tables-save ]; then
+ log_action_cont_msg " IPv6"
++ if [ $? -ne 0 ]; then
++ rc=1
++ fi
+ ip6tables-save > /etc/iptables/rules.v6
+ if [ $? -ne 0 ]; then
+ rc=1
+@@ -121,6 +170,8 @@
+ done
+ fi
+
++ ipset_flush
++
+ log_action_end_msg 0
+ }
+
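Review bot: `ipset_flush` is called without checking its result, and the function then reports `log_action_end_msg 0` unconditionally. `ipset destroy` refuses to remove a set that a loaded rule still references, so if the flush code above this hunk (not visible here) skips a table, the sets are silently left behind while the action is logged as successful. `ipset_flush || log_action_cont_msg " ipset destroy failed"` would at least surface it. The enclosing function starts outside the hunk.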