From: Stefan Schantl Date: Fri, 14 Apr 2023 16:32:54 +0000 (+0200) Subject: rules.pl: Avoid creating iptables rules if the corresponding blocklist is not loaded X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=fe4b7fee694c25184ff09ffbc829d0c67b603cc2;p=people%2Fstevee%2Fipfire-2.x.git rules.pl: Avoid creating iptables rules if the corresponding blocklist is not loaded In case a blocklist is empty after de-duplication of the entries, it would not be loaded. In such a case we also can skip creating any iptables rules for this list. This avoids us checking against an empty list and therefore saves a few cpu cycles. Signed-off-by: Stefan Schantl
---
diff --git a/config/firewall/rules.pl b/config/firewall/rules.pl
index 24a5c6b2c..7da47ed6a 100644
--- a/config/firewall/rules.pl
+++ b/config/firewall/rules.pl
@@ -750,8 +750,8 @@ sub ipblocklist () {
 foreach my $blocklist (@blocklists) {
 # Check if the blocklist feature and the current processed blocklist is enabled.
 if(($blocklistsettings{'ENABLE'} eq "on") && ($blocklistsettings{$blocklist}) && ($blocklistsettings{$blocklist} eq "on")) {
- # Call function to load the blocklist.
- &ipset_restore($blocklist);
+ # Skip the blocklist if the set does not exist.
+ next unless(&IPSet::Functions::ipset_exists($blocklist));
 # Call function to check if the corresponding iptables drop chain already has been created.
 if(&firewall_chain_exists("${blocklist}_DROP")) {
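Review bot: The added `next unless(&IPSet::Functions::ipset_exists($blocklist));` skips an enabled blocklist silently, so when the set is missing no DROP rules are created and nothing tells the operator that the list is not being enforced. The commit message names the empty-after-de-duplication case, but the same check would presumably also be false if the set failed to load for another reason, which is worth distinguishing in the logs. Consider making the skip visible, e.g. `unless (&IPSet::Functions::ipset_exists($blocklist)) { warn "blocklist $blocklist is enabled but its ipset is not loaded, no rules created\n"; next; }`, or the script's own logging helper if it has one. The hunk no longer calls `ipset_restore`, so where the set is now loaded is not visible here; the body of `ipblocklist` continues outside the hunk.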