I've confirmed it's a service ordering issue. If I include these lines
in /etc/network/interfaces

pre-up ipset restore -! < /etc/ipset/ipset.rules
up /usr/share/netfilter-persistent/plugins.d/25-ip6tables restart

then ip6tables loads without issue.

I'm not super experienced with upstart and service ordering etc... Can
someone tell me if there's a better more elegant way to make use of
ipset and netfilter-persistent so that both ipset and ip(x)tables
remain persistent? Or, at least, please confirm that the way I'm doing
it above is the only (or best) way.

Thanks,
Oliver

On Mon, Jan 15, 2018 at 4:19 PM, Oliver O'Boyle <oliver.oboyle@xxxxxxxxx> wrote:
> Mark,
>
> I've implemented this by using :
>
> pre-up ipset restore -! < /etc/ipset/ipset.rules
> post-down ipset-save -file /etc/ipset/ipset.rules
>
> ipset rules appear with sudo ipset -L after a reboot. So all looks good there.
>
> However, sudo ip6tables -L still shows default rules. I'm using
> iptables-persistent for iptables persistence. Do you know when
> iptables-persistent is run? It looks like it's being called before the
> interface is in pre-up and so it's still not able to find ipset rules.
>
> Oliver
>
> On Mon, Jan 15, 2018 at 3:36 AM, Mark Coetser <mark@xxxxxxxxxxxx> wrote:
>>
>> On 12/01/2018 23:20, Oliver O'Boyle wrote:
>>>
>>> Hello,
>>>
>>> Just started using IPSet on Ubuntu 16.04. After reboot, my set
>>> disappeared and my ip6tables config vanished, leaving my fw wide open
>>> with default rules. OUCH.
>>>
>>> What's the proper way to do IPSet persistence on Ubuntu 16.04?
>>>
>>> Oliver
>>>
>>
>> either create a script that you call from /etc/network/interfaces ie
>>
>> up /full/path/script
>>
>> that has your ipset commands
>>
>> or just put the ipset stuff into interfaces file
>>
>> auto eth0
>> iface eth0 inet static
>>     address x.x.x.x
>>     netmask x.x.x.x
>>     up ipset xxxxxx
>>     up ipset xxxxxx
>>
>>
>> --
>> Thank you,
>>
>> Mark Adrian Coetser
>> mark@xxxxxxxxxxxx
>>
>> What causes the mysterious death of everyone?
>
>
>
> --
> :o@>

--
:o@>
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
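
The thread's failure mode is a saved ip6tables ruleset that references a set which does not exist when the rules are loaded. The check below, an added example that is not part of the original thread, confirms before a reboot that every set the saved rules reference is defined in the ipset save file, which still has to be restored first. It assumes iptables-persistent's rules file is /etc/iptables/rules.v6 (a path the thread does not state); the function names and sample data are made up for this example.

```shell
#!/bin/sh
# Added example: report sets that a saved iptables/ip6tables ruleset references
# but that the ipset save file never creates.
# Usage: sh check-sets.sh /etc/ipset/ipset.rules /etc/iptables/rules.v6

# Set names defined by "create NAME ..." lines in `ipset save` output.
defined_sets() {
    awk '$1 == "create" { print $2 }' "$1" | sort -u
}

# Set names used by the set match (--match-set) or the SET target
# (--add-set / --del-set) in iptables-save style output.
referenced_sets() {
    awk '{ for (i = 1; i < NF; i++)
               if ($i == "--match-set" || $i == "--add-set" || $i == "--del-set")
                   print $(i + 1) }' "$1" | sort -u
}

# Prints each referenced-but-undefined set name; returns 1 if there is any.
missing_sets() {
    def=$(mktemp); ref=$(mktemp)
    defined_sets "$1" > "$def"
    referenced_sets "$2" > "$ref"
    missing=$(comm -13 "$def" "$ref")   # lines present only in the reference list
    rm -f "$def" "$ref"
    if [ -n "$missing" ]; then
        printf '%s\n' "$missing"
        return 1
    fi
    return 0
}

# Constructed sample data (not taken from the thread).
sample_ipset() {
    printf '%s\n' \
        'create blocklist6 hash:net family inet6 hashsize 1024 maxelem 65536' \
        'add blocklist6 2001:db8:bad::/48'
}
sample_rules_v6() {
    printf '%s\n' '*filter' ':INPUT DROP [0:0]' \
        '-A INPUT -m set --match-set blocklist6 src -j DROP' \
        '-A INPUT -p tcp --dport 22 -m set --match-set admins6 src -j ACCEPT' \
        'COMMIT'
}

# Run against real files only when two paths are given on the command line.
if [ "$#" -eq 2 ]; then
    missing_sets "$1" "$2" || exit 1
fi
```

A non-zero exit means the rule load would fail on a missing set even with ipset restored first.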