Advanced Policy Firewall Systemd – Proper solution.

This post is an update to the blog posted here. I believe I have a working solution that makes the apf service fail if apf doesn’t start correctly:

[Unit]
Description=apf firewall with iptables

[Service]
# ExecStart= is the check script below (the post does not give its installed path)
ExecStop=/usr/local/sbin/apf --stop

#!/bin/bash
# Start apf and capture everything it prints (stdout and stderr).
/usr/local/sbin/apf --start &> /tmp/check-apf
# If any known apf error string appears in the output, stop apf and fail the unit.
if egrep 'unable to load iptables module|timed out while attempting to gain lock|could not process allow_hosts|could not process deny_hosts|apf does not appear to have rules loaded|could not verify that interface|trust rules unchanged since last refresh' /tmp/check-apf; then
    /usr/local/sbin/apf --stop
    echo "APF Aborted"
    exit 1
else
    echo "All ok"
fi
exit 0

From looking at /etc/apf/internals/functions.apf, the egrep should cover all possible errors. If anyone thinks I’ve missed any, please feel free to let me know.
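The same check, as an added example that is not the post's script: the error-string test is factored into a function so it can be exercised on captured output without starting apf, the captured output goes to a private mktemp file instead of the fixed /tmp/check-apf path (a predictable file written by root in a world-writable directory is something a firewall start script is better off without), and egrep is replaced by grep -E, the non-deprecated form. The apf path and the error list are taken from the post; the sample output lines inside self_test are constructed for the example and are not real apf log lines.

```shell
#!/bin/sh
# Added example, not the original post's script. It keeps the post's idea
# (fail the unit when apf prints a known error) but separates the check from
# the apf invocation so the check can be tested on captured output, and
# writes the captured output to a private mktemp file rather than a fixed,
# predictable path such as /tmp/check-apf.

# Error strings copied from the post's egrep; the post assumes this is the
# full set emitted by /etc/apf/internals/functions.apf.
APF_ERROR_RE='unable to load iptables module|timed out while attempting to gain lock|could not process allow_hosts|could not process deny_hosts|apf does not appear to have rules loaded|could not verify that interface|trust rules unchanged since last refresh'

# Path used in the post.
APF_BIN=/usr/local/sbin/apf

# apf_output_ok FILE
# Returns 0 if FILE (captured apf output) contains none of the known error
# strings, 1 otherwise. -q keeps grep silent; the caller decides what to log.
apf_output_ok() {
    ! grep -Eq "$APF_ERROR_RE" "$1"
}

# run_apf_checked
# Starts apf, captures stdout+stderr, and returns 1 (failing the unit) when
# the output contains a known error. The output is echoed so the reason lands
# in the journal, and apf is stopped so no half-loaded ruleset is left behind.
run_apf_checked() {
    out=$(mktemp) || return 1
    "$APF_BIN" --start >"$out" 2>&1
    if apf_output_ok "$out"; then
        rm -f "$out"
        echo "All ok"
        return 0
    fi
    cat "$out"
    rm -f "$out"
    "$APF_BIN" --stop
    echo "APF Aborted"
    return 1
}

# self_test
# Runs apf_output_ok against two constructed samples of apf output (not real
# apf logs) and returns 0 only if the clean run passes and the error run fails.
self_test() {
    good=$(mktemp) || return 1
    bad=$(mktemp) || return 1
    # Constructed sample: a run with no error strings.
    printf '%s\n' 'apf: loading firewall rules' 'apf: firewall initialized' >"$good"
    # Constructed sample: contains one of the known error strings.
    printf '%s\n' 'apf: loading firewall rules' \
        'apf: unable to load iptables module ip_tables, aborting' >"$bad"
    rc=1
    if apf_output_ok "$good" && ! apf_output_ok "$bad"; then
        rc=0
    fi
    rm -f "$good" "$bad"
    return "$rc"
}

# When installed as the unit's ExecStart= script, invoke it as: <script> --start
if [ "${1:-}" = "--start" ]; then
    run_apf_checked
    exit $?
fi
```

Install it as the unit's ExecStart= with the --start argument; the exit status of run_apf_checked then becomes the unit's result, which is what the post is after. The post does not show the rest of the unit; a oneshot service with RemainAfterExit=yes is the usual shape for a script like this, but that is an assumption here, not something the post states.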

I have confirmed that this results in a systemd failure by changing the untrusted interface to an interface which doesn’t exist on my system.

I’ve updated the issue for this on rfxn’s github.

Thanks Tom.

P.S. Please feel free to comment.
