# HG changeset patch # User Michiel Broek # Date 1677421399 -3600 # Node ID 8aaa305805df3fb6a7976f8a7786d69949293052 # Parent c5697bee68841ee8709c68710baa7f991422ea64 Make sure ipset tables exist. diff -r c5697bee6884 -r 8aaa305805df etc/firewall.conf --- a/etc/firewall.conf Wed Jul 12 22:21:28 2017 +0200 +++ b/etc/firewall.conf Sun Feb 26 15:23:19 2023 +0100 @@ -1,7 +1,7 @@ # /etc/mbse-firewall/firewall.conf # --------------------------------------------------------------------------- -# Copyright (C) 2013-2015 by Michiel Broek. +# Copyright (C) 2013-2023 by Michiel Broek. # Homepage http://www.mbse.eu # Email mbse At mbse dOt eu # diff -r c5697bee6884 -r 8aaa305805df sbin/mbse-firewall --- a/sbin/mbse-firewall Wed Jul 12 22:21:28 2017 +0200 +++ b/sbin/mbse-firewall Sun Feb 26 15:23:19 2023 +0100 @@ -1,7 +1,7 @@ #!/bin/bash # --------------------------------------------------------------------------- -# Copyright (C) 2013-2017 by Michiel Broek. +# Copyright (C) 2013-2023 by Michiel Broek. # Homepage http://www.mbse.eu # Email mbse At mbse dOt eu # @@ -22,7 +22,7 @@ # Software Foundation, 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA. # --------------------------------------------------------------------------- -MBSEFW_VERSION="0.0.23" +MBSEFW_VERSION="0.0.25" # Sanity checks if [ "$(id -u)" != "0" ]; then @@ -278,6 +278,7 @@ # If we use the global blocktables. if [ "$IF_EXT_GLOBAL_BLOCK" == "1" ]; then + $IPSET create global-blk4 hash:ip counters -exist $IPTABLES -A INPUT -i $IF_EXT -m set --match-set global-blk4 src -j DROP if [ "$FW_FORWARD" = "1" ]; then $IPTABLES -A FORWARD -i $IF_EXT -m set --match-set global-blk4 src -j DROP @@ -288,6 +289,7 @@ else IF6=$IF_EXT fi + $IPSET create global-blk6 hash:net family inet6 counters -exist $IP6TABLES -A INPUT -i $IF6 -m set --match-set global-blk6 src -j DROP if [ "$FW_FORWARD" = "1" ]; then $IP6TABLES -A FORWARD -i $IF6 -m set --match-set global-blk6 src -j DROP 
@@ -330,8 +332,9 @@ # Anti spoofing on the external interface. Methods since the 3.3 kernel! if [ -n "$IF_EXT" ]; then + # was 1, now 2 for IPTV. for f in $(ls /proc/sys/net/ipv4/conf/*/rp_filter); do - echo 1 > $f + echo 2 > $f done $IPTABLES -A PREROUTING -t raw -i $IF_EXT -m rpfilter --invert -j DROP if [ "$USE_IPV6" == "1" ]; then @@ -745,7 +748,7 @@ reset_iptables DROP echo -n "." fw_init_sysctl - $IPSET restore < /etc/mbse-firewall/data/firewall-ipset.data + $IPSET restore -exist < /etc/mbse-firewall/data/firewall-ipset.data echo " Restored /etc/mbse-firewall/data/firewall-ipset.data" | $LOGGER echo -n "." $IPTABLES_RESTORE < /etc/mbse-firewall/data/firewall-ipv4.data @@ -794,6 +797,12 @@ rm -f /etc/mbse-firewall/data/firewall-ipset.data touch /etc/mbse-firewall/data/firewall-ipset.data + if [ "$IF_EXT_GLOBAL_BLOCK" == "1" ]; then + $IPSET save global-blk4 -t >> /etc/mbse-firewall/data/firewall-ipset.data + if [ "$USE_IPV6" == "1" ]; then + $IPSET save global-blk6 -t >> /etc/mbse-firewall/data/firewall-ipset.data + fi + fi HOST="$(hostname)" SETS="$($IPSET list -n | grep ${HOST})" for set in $SETS ; do
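Review bot: in the `@@ -278` hunk, `$IPSET create global-blk4 hash:ip counters -exist` only stays silent when a set named global-blk4 already exists with exactly these parameters; if the set was created earlier as a different type (for example `hash:net`, or without `counters`) by an older version, by the restore path or by an external blocklist feeder, the create still fails and the following `--match-set global-blk4` rule is then applied against whatever set is actually there. Consider checking `$IPSET list -t global-blk4` first, or logging a failed create through `$LOGGER`, rather than relying on `-exist` alone.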
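Review bot: the `@@ -289` hunk creates global-blk6 as `hash:net family inet6` while the IPv4 counterpart in the previous hunk is `hash:ip`, so the IPv6 list can hold prefixes but the IPv4 list can only hold single addresses; unless that asymmetry is intended, use `hash:net` for both so CIDR blocks can be added to either list and the two sets behave the same, and note the chosen types in firewall.conf.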
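Review bot: the `@@ -332` hunk changes `rp_filter` from 1 (strict) to 2 (loose) on every interface under a section headed "Anti spoofing on the external interface", and the only justification is the comment `# was 1, now 2 for IPTV.`; loose mode accepts a packet if the source is reachable via any interface, which weakens the kernel-level spoofing check on all interfaces for what appears to be a single-interface multicast need. Consider setting 2 only on the interface that carries IPTV and keeping 1 elsewhere, or making it a firewall.conf option, and state the trade-off in the comment (the raw PREROUTING `-m rpfilter --invert -j DROP` rule on $IF_EXT is still strict, so the external interface keeps a strict check at the netfilter level). Stylistically, `for f in /proc/sys/net/ipv4/conf/*/rp_filter` avoids the `$(ls ...)` word-splitting.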
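Review bot: the `@@ -748` hunk's `$IPSET restore -exist` makes the restore idempotent on a system where the sets already exist, but `-exist` does not help when the data file re-creates a set with parameters that differ from the live set, so the type strings written to firewall-ipset.data and the `create ... -exist` lines added in the rule section must stay identical; it also leaves members that are no longer in the data file in place, which is worth a comment next to the restore line.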
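Review bot: in the `@@ -797` hunk, `$IPSET save global-blk4 -t` writes only the set header, so blocklist members are deliberately not persisted across a restart and the sets come back empty until refilled; that behaviour should be stated in the commit message, which currently only says "Make sure ipset tables exist." The save is also unguarded: if global-blk4 (or global-blk6) does not exist when the save runs, `$IPSET save` fails and nothing is appended with no log entry, so add a `|| echo "..." | $LOGGER` or a preceding existence check, and check that the `USE_IPV6` condition here matches the condition under which global-blk6 is created in the rule section.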