Use interface name instead of index during early boot.

Author: gizmoguy

debian/bearwall2.bearwall2-early.service

@@ -6,7 +6,7 @@ Wants=network-pre.target
 [Service]
 Type=oneshot
 RemainAfterExit=no
-ExecStart=/usr/sbin/bearwall2
+ExecStart=/usr/sbin/bearwall2 --early
 
 [Install]
 WantedBy=multi-user.target

src/bearwall2.in

@@ -39,6 +39,9 @@ while [ ! $# -eq 0 ]; do
 			fi
 			MODE="try"
 			;;
+		-e | --early | early)
+			MODE="early"
+			;;
 		-r | --rollback | rollback)
 			if [ "${2}" ]; then
 				ROLLBACK_DELAY=${2}
@@ -66,6 +69,7 @@ while [ ! $# -eq 0 ]; do
 			echo ""
 			echo "Options:"
 			echo "	* -t|--try [time]	Temporarily apply firewall rules, if not committed, automatically rollback"
+			echo "	* -e|--early		Run in mode suitable for use early in the system boot process"
 			echo "	* -c|--commit		Apply firewall rules from try command permanently"
 			echo "	* -r|--rollback		Rollback firewall rules applied by try command immediately"
 			echo "	* -h|--help		Display help"

support/firewall.functions

@@ -278,6 +278,13 @@ function nft(){
 		return 0
 	fi
 
+	if [ "${MODE}" == "early" ]; then
+		# In early mode, not all interfaces may exist yet
+		# so rewrite nft rules to look up interfaces by name, rather than by index
+		rule=$(echo "${rule}" | sed -E "s/(^| )oif /oifname /")
+		rule=$(echo "${rule}" | sed -E "s/(^| )iif /iifname /")
+	fi
+
 	split_rule_by_terminal_statement "${rule}"
 
 	# Add counter to rule if counters are enabled