firewall: use extraText for zone set contents

* the lua necessary is quite wordy, but it's less of a hack than
post-processing the rules file with pseudo-sed to get rid of `elements
= { }` lines

* also switch from stop/starting the firewall service to using a
signal, so that we don't go briefly offline every time a new interface
appears

tests/pppoe/getaddress.expect

@@ -8,29 +8,39 @@ send "PS1=\$(echo 'I1JFQURZIyA=' | base64 -d); stty -echo\n"
 expect "#READY#"
 set FINISHED 0
 set EXIT "1" 
-while { $FINISHED < 10 } {
+while { $FINISHED < 20 } {
   send "ip address show dev ppp0 | grep ppp0\n"
   expect {
-    "192.168.100.1" { set FINISHED 20; set EXIT 0; }
+    "192.168.100.1" { set FINISHED 200; set EXIT 0; }
     "can't find device" { send_user "waiting ..." ; sleep 3 }
     "DOWN" { send_user "waiting ..." ; sleep 3 }
   }
   set FINISHED [ expr $FINISHED + 1 ]
 }
 expect "#READY#"
-send "nft list set ip table-ip wan || touch /non/existent\n"
-expect {
-  "ppp0" { puts "ppp0 found " }
-  "{ }" { puts "missing ifname"; exit 1 }
-  "No such file or directory" { exit 1 }
-}  
+send "s6-svwait -U /run/service/wan.link.pppoe\n"
 expect "#READY#"
 
+set timeout 30
 send "nft list set ip table-ip lan || touch /non/existent\n"
 expect {
   "lan" { puts "lan found" }
   "{ }" { puts "missing ifname"; exit 1 }
   "No such file or directory" { exit 1 }
 }  
+
 expect "#READY#"
+
+# if the test fails for no apparent reason, it is quite likely because
+# the firewall hasn't had time to reload after the new interface
+# appears and you just have to make this sleep longer. Ew, yes
+send "sleep 10; nft list set ip table-ip wan || touch /non/existent\n"
+expect {
+  "ppp0" { puts "ppp0 found " }
+  "{ }" { puts "missing ifname"; exit 1 }
+  "No such file or directory" { exit 1 }
+  timeout { exit 1 }
+}  
+expect "#READY#"
+
 exit $EXIT