This post is an update to the blog posted here. I believe I have a working solution for the apf service to fail if apf doesn't start correctly:
/etc/systemd/system/apf.service:
[Unit]
Description=apf firewall with iptables
After=syslog.target network.target
[Service]
Type=oneshot
RemainAfterExit=true
ExecStart=/usr/local/sbin/apf-start.sh
ExecStop=/usr/local/sbin/apf --stop
[Install]
WantedBy=basic.target
/usr/local/sbin/apf-start.sh:
#!/bin/bash
# Capture apf's output in a private temp file instead of a fixed, predictable /tmp path
out=$(mktemp) || exit 1
/usr/local/sbin/apf --start &> "$out"
rc=$?
# functions.apf prints one of these messages on each failure path; also treat a non-zero exit as failure
if [ "$rc" -ne 0 ] || grep -E 'unable to load iptables module|timed out while attempting to gain lock|could not process allow_hosts|could not process deny_hosts|apf does not appear to have rules loaded|could not verify that interface|trust rules unchanged since last refresh' "$out"; then
    /usr/local/sbin/apf --stop
    echo "APF Aborted"
    rm -f "$out"
    exit 1
else
    echo "All ok"
fi
rm -f "$out"
exit 0
From looking at /etc/apf/internals/functions.apf, the egrep should cover all possible errors. If anyone thinks I’ve missed any, please feel free to let me know.
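As an added illustration (not part of the original post or of apf itself), here is the same failure check pulled out into a function and run against constructed sample output, so a new message from functions.apf can be added in one place and the check exercised without starting apf or touching iptables. The function names and the sample transcript lines are my own assumptions, not real apf output.

```shell
#!/bin/sh
# Added example: the fatal-message check from the wrapper as a function that
# can be tested on captured output. Function names and sample lines are
# constructed for this example, not taken from apf.

# Messages from functions.apf that mean the start must be treated as failed;
# extend this one regex when another failure message is found.
APF_FATAL_RE='unable to load iptables module|timed out while attempting to gain lock|could not process allow_hosts|could not process deny_hosts|apf does not appear to have rules loaded|could not verify that interface|trust rules unchanged since last refresh'

# apf_start_failed FILE [EXITCODE]
# Returns 0 (true) when FILE holds a fatal message or EXITCODE is non-zero,
# 1 (false) when the start looks clean.
apf_start_failed() {
    file=$1
    rc=${2:-0}
    if [ "$rc" -ne 0 ]; then
        echo "apf exited with status $rc"
        return 0
    fi
    if grep -E -q "$APF_FATAL_RE" "$file"; then
        echo "fatal message in apf output:"
        grep -E "$APF_FATAL_RE" "$file"
        return 0
    fi
    return 1
}

# check_sample FILE [EXITCODE]: what the systemd wrapper would do with this
# output, minus the real apf --stop call.
check_sample() {
    if apf_start_failed "$1" "${2:-0}"; then
        echo "APF Aborted (would run apf --stop and exit 1)"
        return 1
    fi
    echo "All ok"
    return 0
}

# Constructed sample transcripts: a clean start, and a start where the
# untrusted interface does not exist (the case tested in the post).
APF_OK_OUT=$(mktemp)
APF_BAD_OUT=$(mktemp)
printf '%s\n' 'apf(1234): {glob} activating firewall' \
              'apf(1234): {glob} firewall initialized' > "$APF_OK_OUT"
printf '%s\n' 'apf(1235): {glob} activating firewall' \
              'apf(1235): {glob} could not verify that interface eth9 is routed' \
              'apf(1235): {glob} aborting' > "$APF_BAD_OUT"

check_sample "$APF_OK_OUT"
check_sample "$APF_BAD_OUT" || :   # expected to report a failure
```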
I have confirmed it results in systemd failure by changing the untrusted interface to an interface which doesn't exist on my system.
I’ve updated the issue for this on rfxn’s github.
Thanks Tom.
P.S. Please feel free to comment.