Verified Commit e7b669ff authored by Karel Koci

sentinel-dynfw-client: fix race condition causing error and missing rule

On package installation, uci_default is run before the service starts.
As the last step in uci_default the firewall is reloaded, but the rule injection
fails due to the missing ipset.
In normal operation sentinel-dynfw-client is started before the firewall,
but during installation this can't be done.

The solution is to just create the ipset any time we start the firewall. This
makes it so the rules are always added, and it really doesn't matter who
creates the ipset. With this, either sentinel-dynfw-client creates it or the
firewall, whichever comes first.
parent 69dae460
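The commit message describes the fix in words; the following is an added example, not code from the sentinel-dynfw-client repository, showing how a firewall-side script can create the dynamic set idempotently so that whichever of the two services starts first wins. It also handles the caveat a practitioner hits with this approach: `ipset create ... -exist` only suppresses the "already exists" error when the existing set has exactly the same type and parameters, so under `set -e` a mismatch between the two creators would still abort the firewall reload. The default set name `turris-sn-dynfw-block` and the `hash:ip` type mirror the hunk below; the function names `ipset_type_of` and `ensure_ipset` and the `IPSET_TYPE` variable are assumptions made for this example.

```shell
#!/bin/sh
# Added example (not the project's own code): idempotent creation of the
# dynamic-firewall ipset, safe to run from both the dynfw client and the
# firewall include, whichever starts first.
set -e

# Assumed defaults; the real scripts source these from a shared file.
IPSET="${IPSET:-turris-sn-dynfw-block}"
IPSET_TYPE="${IPSET_TYPE:-hash:ip}"

# Print the type of an existing set (e.g. "hash:ip"), or nothing if the set
# does not exist. `ipset list -t NAME` prints only the header, which
# contains a "Type: ..." line; stderr is silenced for the missing-set case.
ipset_type_of() {
    ipset list -t "$1" 2>/dev/null | sed -n 's/^Type: *//p'
}

# Create the set if it is missing. `-exist` makes a second creation of the
# *same* set a no-op, but ipset still errors if a set of that name exists
# with a different type or parameters. Under `set -e` that would abort the
# whole firewall script, so detect the mismatch first and report it clearly.
ensure_ipset() {
    set_name="$1"
    set_type="$2"
    existing="$(ipset_type_of "$set_name")"
    if [ -n "$existing" ] && [ "$existing" != "$set_type" ]; then
        echo "ipset '$set_name' exists with type '$existing', expected '$set_type'" >&2
        return 1
    fi
    ipset create "$set_name" "$set_type" -exist
}

# Usage from either creator (the client's init script or the firewall
# include), before any rule that references "$IPSET" is injected:
#   ensure_ipset "$IPSET" "$IPSET_TYPE"
```

Both creators must agree on the type string passed to `ensure_ipset`; keeping it in one sourced file, as the script already does for the set name, is what makes the race harmless.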
......@@ -9,7 +9,7 @@ include $(TOPDIR)/
......@@ -3,6 +3,10 @@ set -e
. "${0%/*}/"
. /lib/
# Always create IP set to prevent iptables error about missing ipset.
ipset create "$IPSET" hash:ip -exist
dynfw_block() {
local config_section="$1"
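Review bot: the new `ipset create "$IPSET" hash:ip -exist` runs at script top level under `set -e`, and `-exist` only silences the error when a set of exactly the same type and parameters already exists; if sentinel-dynfw-client creates `$IPSET` with any other type or options, this line aborts the entire firewall include before `dynfw_block` runs, which is a worse failure than the missing-rule race being fixed. Both creators should take the set type from the same sourced definition as the name, and since `$IPSET` is not defined anywhere in this hunk, a guard such as `: "${IPSET:?IPSET not set}"` after the two `.` lines would make a missing definition fail with a readable message rather than an ipset usage error.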
......@@ -22,7 +26,7 @@ dynfw_block() {
[ "${chain}" == "input" ] && bypass_mark="-m mark ! --mark 0x10/0x10"
iptables_drop "${zone}" "${chain}" \
-m set --match-set 'turris-sn-dynfw-block' src \
-m set --match-set "$IPSET" src \
${bypass_mark} \
-m conntrack --ctstate NEW \
-m comment --comment "!sentinel: dynamic firewall block"
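Review bot: replacing the literal `'turris-sn-dynfw-block'` with `"$IPSET"` is the right change, but note that an empty `$IPSET` now turns this into `--match-set "" src`, an iptables parse error that is harder to diagnose than the old missing-set error; the create at the top of the script and this match should be the only two places that depend on the variable, and both want the same non-empty check. Unchanged context, but since the file is run under `/bin/sh`, `[ "${chain}" == "input" ]` is a bashism; POSIX `[` takes `=`, and it is worth fixing while this block is being touched.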