This post is an update to the blog posted here. I believe I have a working solution for making the apf service fail if apf doesn't start correctly:
Unit file (excerpt):

```ini
[Unit]
Description=apf firewall with iptables
```

Wrapper script that the unit starts:

```bash
#!/bin/bash
# '&>' (stdout and stderr to one file) is a bash feature, so this must run under bash, not /bin/sh.
/usr/local/sbin/apf --start &> /tmp/check-apf
if egrep 'unable to load iptables module|timed out while attempting to gain lock|could not process allow_hosts|could not process deny_hosts|apf does not appear to have rules loaded|could not verify that interface|trust rules unchanged since last refresh' /tmp/check-apf; then
    echo "APF Aborted"
    exit 1   # a non-zero exit is what makes systemd mark the unit as failed
else
    echo "All ok"
fi
```
From looking at /etc/apf/internals/functions.apf, the egrep should cover all possible errors. If anyone thinks I’ve missed any, please feel free to let me know.
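The same check, reworked so it can be exercised without a live APF install, as an added example (my own code, not the post's script and nothing from APF or rfxn). It keeps the error patterns from the script above, takes the start command as an argument so a stand-in can be fed to it, captures output into a mktemp file instead of a fixed name in /tmp (root writing to a predictable path in a world-writable directory invites symlink tricks), and also fails if apf itself exits non-zero. The function names and the `apf(...): {glob}` sample lines are my own constructions; whether real apf output matches these phrases exactly is an assumption taken from the post.

```shell
#!/bin/sh
# Added example for the apf systemd wrapper; not part of the original post or of APF.
# Assumed: 'apf --start' prints its failure messages in the wording matched below.

APF_ERROR_RE='unable to load iptables module|timed out while attempting to gain lock|could not process allow_hosts|could not process deny_hosts|apf does not appear to have rules loaded|could not verify that interface|trust rules unchanged since last refresh'

# apf_output_ok FILE
# Returns 0 when FILE contains no known apf error message, 1 when it does.
# The offending line is printed so it ends up in the journal.
apf_output_ok() {
    if grep -E "$APF_ERROR_RE" -- "$1"; then
        return 1
    fi
    return 0
}

# apf_checked_start CMD [ARGS...]
# Runs CMD (in production: /usr/local/sbin/apf --start), captures stdout and
# stderr in a private temporary file, and returns non-zero when apf either
# reported a problem or exited non-zero, so the unit's ExecStart= fails.
apf_checked_start() {
    out=$(mktemp) || return 1          # private file, not a fixed /tmp name
    "$@" >"$out" 2>&1                  # POSIX spelling of bash's '&>'
    rc=$?
    if ! apf_output_ok "$out"; then
        rm -f "$out"
        echo "APF Aborted" >&2
        return 1
    fi
    rm -f "$out"
    if [ "$rc" -ne 0 ]; then
        echo "APF Aborted (apf exited with status $rc)" >&2
        return "$rc"
    fi
    echo "All ok"
    return 0
}

# When invoked with a command line, run it, e.g.
#   ./apf-checked-start.sh /usr/local/sbin/apf --start   (hypothetical script name)
if [ "$#" -gt 0 ]; then
    apf_checked_start "$@"
fi
```

In the unit, point ExecStart= at this script with the apf command as its arguments; the script's exit status is then the unit's result, which is what makes `systemctl status` show the service as failed when one of the patterns matches.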
I have confirmed that this results in a systemd failure by changing the untrusted interface to an interface which doesn't exist on my system.
I've updated the issue for this on rfxn's GitHub.
P.S. Please feel free to comment.