authorGuilhem Moulin <guilhem@fripost.org>2016-06-29 02:54:38 +0200
committerGuilhem Moulin <guilhem@fripost.org>2016-06-29 02:54:47 +0200
commit920675e08490616b09906d3c2c86fc5863395dd8 (patch)
tree1e41a0eb2b90d38d8628a0ad38380287b6afcc6b /roles
parentb9ce2abd957b781a423c8336539621d6f0eacb3b (diff)
update-firewall.sh: COMMIT empty iptables rule files.
Diffstat (limited to 'roles')
-rwxr-xr-xroles/common/files/usr/local/sbin/update-firewall.sh1
1 files changed, 1 insertions, 0 deletions
diff --git a/roles/common/files/usr/local/sbin/update-firewall.sh b/roles/common/files/usr/local/sbin/update-firewall.sh
index d5e2238..7ca9bab 100755
--- a/roles/common/files/usr/local/sbin/update-firewall.sh
+++ b/roles/common/files/usr/local/sbin/update-firewall.sh
@@ -165,40 +165,41 @@ run() {
for table in ${tables[$f]}; do
$ipt-save -ct $table
done > "$old"
rss[$f]="$old"
local fail2ban=0
# XXX: As of Wheezy, fail2ban is IPv4 only. See
# https://github.com/fail2ban/fail2ban/issues/39 for the current
# state of the art.
if [ "$f" = 4 ] && which /usr/bin/fail2ban-server >/dev/null; then
fail2ban=1
fi
# The usual chains in filter, along with the desired default policies.
ipt-chains filter INPUT:DROP FORWARD:DROP OUTPUT:DROP
if [ ! "$if" ]; then
# If the interface is not configured, we stop here and DROP all
# packets by default. Thanks to the pre-up hook this tight
# policy will be activated whenever the interface goes up.
+ commit
mv "$new" /etc/iptables/rules.v$f
return 0
fi
# Fail2ban-specific chains and traps
if [ $fail2ban -eq 1 ]; then
echo ":fail2ban - [0:0]"
# Don't remove existing rules & traps in the current rulest
grep -- '^:fail2ban-\S' "$old" || true
grep -E -- ' -j fail2ban-\S+$' "$old" || true
grep -E -- "$fail2ban_re" "$old" || true
fi >> "$new"
if [ "$f" = 4 -a "$ipsec" = y ]; then
# Our IPSec tunnels are IPv4 only.
# (Host-to-host) IPSec tunnels come first.
grep -E -- "$IPSec_re" "$old" >> "$new" || true
# Allow any IPsec $secproto protocol packets to be sent and received.
iptables -A INPUT -i $if -p $secproto -j ACCEPT