ipset service should be executed before iptables

Makefile

-all:
+all: ipset-service
 	$(MAKE) -C ../linux source
 	tar xf ipset-7.11.tar.bz2
 	cd ipset-7.11 && ./configure --prefix=/usr
 	$(MAKE) -C ipset-7.11
 	$(MAKE) -C ipset-7.11 check
 	$(MAKE) -C ipset-7.11 install
+	@echo "$$IPSET_SERVICE" > /lib/systemd/system/ipset.service
+	systemctl enable ipset.service
+	install -v -D -m755 ipset /etc/systemd/scripts/ipset
 	rm -rf ipset-7.11
 	$(MAKE) -C ../linux clean
+
+ipset-service:
+define IPSET_SERVICE
+[Unit]
+Description=Load Ipset Rules
+ConditionFileIsExecutable=/etc/systemd/scripts/ipset
+After=network.target
+Before=iptables.service
+
+[Service]
+Type=forking
+ExecStart=/etc/systemd/scripts/ipset
+TimeoutSec=0
+RemainAfterExit=yes
+
+[Install]
+WantedBy=multi-user.target
+endef
+export IPSET_SERVICE

ipset

+#!/bin/sh
+
+# Begin /etc/systemd/scripts/ipset
+
+ipset restore -! < /etc/ipset
+
+# End /etc/systemd/scripts/ipset