Permit when firewall stopped when using an ipset for dynamic BL

Signed-off-by: Tom Eastep <teastep@shorewall.net>

Shorewall-core/lib.cli

@@ -2575,15 +2575,21 @@ hits_command() {
     fi
 }
 
+#
+# Issue an error message and terminate if the firewall isn't started
+#
+require_started() {
+    if ! product_is_started; then
+	error_message "ERROR: $g_product is not started"
+	exit 2
+    fi
+}
+
 #
 # 'allow' command executor
 #
 allow_command() {
 
-    [ -n "$g_debugging" ] && set -x
-    [ $# -eq 1 ] && missing_argument
-
-    if product_is_started ; then
     local allowed
     local which
     which='-s'
@@ -2591,8 +2597,10 @@ allow_command() {
     range='--src-range'
     local dynexists
 
-	if [ -n "$g_blacklistipset" ]; then
+    [ -n "$g_debugging" ] && set -x
+    [ $# -eq 1 ] && missing_argument
 
+    if [ -n "$g_blacklistipset" ]; then
 	case ${IPSET:=ipset} in
 	    */*)
 		if [ ! -x "$IPSET" ]; then
@@ -2609,6 +2617,7 @@ allow_command() {
     if chain_exists dynamic; then
 	dynexists=Yes
     elif [ -z "$g_blacklistipset" ]; then
+	require_started
 	fatal_error "Dynamic blacklisting is not enabled in the current $g_product configuration"
     fi
 
@@ -2674,10 +2683,6 @@ allow_command() {
     done
 
     [ -n "$g_nolock" ] || mutex_off
-    else
-	error_message "ERROR: $g_product is not started"
-	exit 2
-    fi
 }
 
 #