[Firewall] restore ipset config during startup, before restoring iptables rules

Lupul · Lupul · commit 695144ef7217 · 2020-05-21T18:57:05.000+03:00
diff --git a/bin/v-update-firewall b/bin/v-update-firewall
@@ -179,6 +179,8 @@ else
             IFS='%'
             echo '#!/bin/bash' > $preup
             echo '' >> $preup
+            echo "${HESTIA}/bin/v-update-firewall-ipset" >> $preup
+            echo '' >> $preup
             echo 'if [ "$IFACE" == "'$(/bin/ip token | awk -F 'dev ' '{print $2}')'" ]; then' >> $preup
             echo '    sleep 3' >> $preup
             echo '    /sbin/iptables-restore < /etc/iptables.rules' >> $preup
@@ -190,6 +192,7 @@ else
         preup="/etc/network/if-pre-up.d/iptables"
         if [ ! -e "$preup" ]; then
             echo '#!/bin/sh' > $preup
+            echo '${HESTIA}/bin/v-update-firewall-ipset' >> $preup
             echo "/sbin/iptables-restore < /etc/iptables.rules" >> $preup
             echo "exit 0" >> $preup
             chmod +x $preup
diff --git a/bin/v-update-firewall-ipset b/bin/v-update-firewall-ipset
@@ -13,6 +13,7 @@
 force=${1:-no}
 
 # Includes
+source /etc/profile.d/hestia.sh
 source $HESTIA/func/main.sh
 source $HESTIA/conf/hestia.conf
 
diff --git a/install/upgrade/versions/latest.sh b/install/upgrade/versions/latest.sh
@@ -38,3 +38,14 @@ if [ -d /usr/share/roundcube ]; then
     sed -i 's/implode($fields, \x27,\x27)/implode(\x27,\x27, $fields)/g' /usr/share/roundcube/program/steps/addressbook/search.inc
     sed -i 's/implode($bstyle, \x27; \x27)/implode(\x27; \x27, $bstyle)/g' /usr/share/roundcube/program/steps/mail/sendmail.inc
 fi
+
+# Remove existing network-up hooks so they get regenerated when updating the firewall
+# - network hook will also restore ipset config during start-up
+if [ -f "/usr/lib/networkd-dispatcher/routable.d/50-ifup-hooks" ]; then
+    rm "/usr/lib/networkd-dispatcher/routable.d/50-ifup-hooks"
+    $BIN/v-update-firewall
+fi
+if [ -f "/etc/network/if-pre-up.d/iptables" ];then
+    rm "/etc/network/if-pre-up.d/iptables"
+    $BIN/v-update-firewall
+fi
