https://bugzilla.novell.com/show_bug.cgi?id=462482

User lnussel@novell.com added comment
https://bugzilla.novell.com/show_bug.cgi?id=462482#c5

--- Comment #5 from Ludwig Nussel <lnussel@novell.com> 2009-01-08 01:05:38 MST ---
(In reply to comment #4 from Jan Engelhardt)
> I think that, if there is a reason iptables-restore fails, then the manual
> commands will also fail at some point and leave the ruleset in a state which
> may lock out the user, at which point iptables-restore seems to be the better
> solution which does an atomic restore --- if this atomic restore fails, the
> previous ruleset will be used, which is either
> 1. empty chains all with policy of ACCEPT.
> 2. the minimal ruleset installed by SuSEfirewall2_init (the first stage thing)
> How's that sound?

Typically iptables doesn't fail on the crucial rules but rather on individual
ones where users made a mistake in /etc/sysconfig/SuSEfirewall2. Such as typos
in IP addresses or port numbers or using features that are only available for
IPv4 and then some ip6tables call fails (like e.g. using ipt_recent). So it's
ok to deploy all working rules and only omit the faulty ones.
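The per-rule loading approach described in the comment above, as an added example that is not SuSEfirewall2's own code: `apply_rules` and the `IPT` variable are assumed names, and the script runs each rule through the configured iptables binary, reporting and skipping any rule the tool rejects instead of letting it abort the whole load.

```shell
# Added example, not SuSEfirewall2's own code: load rules one at a time and
# skip (but report) the ones the tool rejects, so a single typo in the config
# or an IPv4-only match on ip6tables does not take the whole ruleset down the
# way an all-or-nothing iptables-restore would.
# IPT is the command run for each rule (assumed name); it defaults to iptables
# and can be pointed at ip6tables, or at a mock script when testing offline.
IPT="${IPT:-iptables}"

# apply_rules RULEFILE
#   RULEFILE holds one rule per line as iptables arguments, e.g.
#   "-A INPUT -p tcp --dport 22 -j ACCEPT"; blank lines and '#' comments
#   are ignored. Every rejected rule is printed to stderr with its line
#   number, and the number of rejected rules is the exit status (0 = all
#   rules loaded).
apply_rules() {
    rulefile=$1
    failed=0
    lineno=0
    while IFS= read -r rule || [ -n "$rule" ]; do
        lineno=$((lineno + 1))
        case "$rule" in
            ''|'#'*) continue ;;   # skip blank lines and comments
        esac
        # $rule is deliberately left unquoted so it splits into arguments
        if ! $IPT $rule 2>/dev/null; then
            failed=$((failed + 1))
            echo "$rulefile:$lineno: rule rejected, skipped: $IPT $rule" >&2
        fi
    done < "$rulefile"
    return "$failed"
}

# Stand-alone usage: sh apply_rules.sh RULEFILE  (IPT=ip6tables sh ... for v6)
if [ $# -gt 0 ]; then apply_rules "$1"; fi
```

The exit status tells the caller how many rules were dropped, and stderr names each one with its line in the rule file, so a mistyped address or an ipt_recent rule on ip6tables shows up without the remaining rules being lost.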