From mboxrd@z Thu Jan 1 00:00:00 1970 From: Stefan Schantl To: development@lists.ipfire.org Subject: [PATCH] firewall: Load ipset list before creating rules for DROP_HOSTILE. Date: Fri, 18 Feb 2022 06:03:51 +0100 Message-ID: <20220218050351.9708-1-stefan.schantl@ipfire.org> MIME-Version: 1.0 Content-Type: multipart/mixed; boundary="===============0142964256496825982==" List-Id: --===============0142964256496825982== Content-Type: text/plain; charset="utf-8" Content-Transfer-Encoding: quoted-printable Otherwise there is no ipset list use-able and the feature will not work. Signed-off-by: Stefan Schantl --- src/initscripts/system/firewall | 5 +++++ 1 file changed, 5 insertions(+) diff --git a/src/initscripts/system/firewall b/src/initscripts/system/firewall index adb2240bb..2ae6157aa 100644 --- a/src/initscripts/system/firewall +++ b/src/initscripts/system/firewall @@ -22,6 +22,8 @@ IPS_REPEAT_MASK=3D"0x80000000" IPS_BYPASS_MARK=3D"0x40000000" IPS_BYPASS_MASK=3D"0x40000000" =20 +IPSET_DB_DIR=3D"/var/lib/location/ipset" + function iptables() { /sbin/iptables --wait "$@" } @@ -146,6 +148,9 @@ iptables_init() { # a technical threat to our users (i. e. listed at Spamhaus DROP et al.) iptables -N HOSTILE if [ "$DROPHOSTILE" =3D=3D "on" ]; then + # Call ipset and load the list which contains the hostile networks. + ipset restore < $IPSET_DB_DIR/CC_XD.ipset4 + iptables -A HOSTILE -m limit --limit 10/second -j LOG --log-prefix "DROP_= HOSTILE " iptables -A INPUT -i $IFACE -m set --match-set CC_XD src -j HOSTILE iptables -A FORWARD -i $IFACE -m set --match-set CC_XD src -j HOSTILE --=20 2.30.2 --===============0142964256496825982==--
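Review bot: the `ipset restore < $IPSET_DB_DIR/CC_XD.ipset4` line in the second hunk has no guard and no error handling, so a missing or unreadable export leaves the `CC_XD` set undefined and the two `-m set --match-set CC_XD src -j HOSTILE` rules that follow it fail at insertion time, silently leaving the DROP_HOSTILE protection off; and since iptables_init runs on every restart, `ipset restore` without `-exist` also errors out as soon as the set already exists from the previous run. Suggest quoting the path and tolerating an existing set, e.g. `ipset restore -exist < "${IPSET_DB_DIR}/CC_XD.ipset4"`, preceded by a `[ -r "${IPSET_DB_DIR}/CC_XD.ipset4" ]` check that logs and skips the DROP_HOSTILE rules when the database is absent, so the failure is visible instead of a set of rules that never get installed.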