firewall restart fails to load the wan_input_rule for ipset turris-sn-wan-input-block
TOS 3.11.1
After /etc/init.d/firewall restart the wan_input_rule for ipset turris-sn-wan-input-block is missing/absent.
ipset list turris-sn-wan-input-block reveals that it is still loaded.
The issue seems to be '/etc/firewall.d/with_reload/firewall.include.sh' not working as intended:
- Running script '/etc/firewall.d/with_reload/firewall.include.sh'
iptables v1.6.1: Couldn't load match `state':No such file or directory
which appears to be caused by the code in "/etc/firewall.d/with_reload/99_sentinel_dynfw.fw". After deleting that file, those errors from above are gone.
Having then added
iptables -I input_wan_rule -m conntrack --ctstate NEW -m set --match-set turris-sn-wan-input-block src -m mark ! --mark 0x10/0x10 -j DROP
(copied from "/etc/init.d/sentinel-dynfw-client") as a fw custom rule, the formerly missing wan_input_rule is now present after a fw restart.
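
A check for the condition described above (the set is still loaded but no DROP rule references it after a firewall restart), as an added example that is not part of the original post. The set name, chain name and rule are taken from the post; the two sample rule listings are constructed, and live_check is a hypothetical helper meant to be run on the router.

```shell
#!/bin/sh
# Added example: detect a loaded ipset that no DROP rule references.
SET=turris-sn-wan-input-block
CHAIN=input_wan_rule

# rule_references_set SET CHAIN
# Reads `iptables -S` style output on stdin. Returns 0 only if some rule
# appended to CHAIN both matches SET and jumps to DROP, otherwise 1.
rule_references_set() {
    awk -v s="$1" -v c="$2" '
        $1 == "-A" && $2 == c {
            has_set = 0; drops = 0
            for (i = 3; i <= NF; i++) {
                if ($i == "--match-set" && $(i + 1) == s) has_set = 1
                if ($i == "-j" && $(i + 1) == "DROP") drops = 1
            }
            if (has_set && drops) found = 1
        }
        END { exit !found }
    '
}

# Constructed sample: chain exists but is empty, as after the failed reload.
sample_rule_missing() {
    cat <<'EOF'
-N input_wan_rule
EOF
}

# Constructed sample: chain with the rule from the post in place.
sample_rule_present() {
    cat <<'EOF'
-N input_wan_rule
-A input_wan_rule -m conntrack --ctstate NEW -m set --match-set turris-sn-wan-input-block src -m mark ! --mark 0x10/0x10 -j DROP
EOF
}

# Hypothetical helper for use on the router after a firewall restart.
# Exit codes: 0 rule present, 1 set loaded but unused, 2 set not loaded.
live_check() {
    ipset list -n | grep -qx "$SET" || { echo "ipset $SET not loaded"; return 2; }
    iptables -S "$CHAIN" | rule_references_set "$SET" "$CHAIN" \
        || { echo "ipset $SET loaded but no DROP rule in $CHAIN"; return 1; }
    echo "ok: $CHAIN drops sources in $SET"
}
```

Running live_check right after /etc/init.d/firewall restart distinguishes a missing rule from a missing set.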