Quoting Jan Engelhardt <jengelh@inai.de>:
On Thursday 2018-01-25 15:54, Matthias Gerstner wrote:
One thing that seems to be missing in firewalld is the equivalent of SuSEfirewall2-custom. [...] I have not found a similar way of conditional loading of rules, depending on the ability to load a module. Did I miss something?
Well, you _can_ load custom rules with firewalld, but without any conditional logic. Like Markos already suggested, you might be able to design a script or systemd service that runs after firewalld loads and adds such conditional rules.
Hold my beer.
zypper in xtables-addons-kmp
iptables -m condition --condition c1 ...
echo -en '#!/bin/sh\necho 1 >/proc/net/nf_condition/c1\n' >/usr/local/sbin/s1
chmod a+x /usr/local/sbin/s1
echo 'install moduleinquestion /usr/local/sbin/s1; modprobe --ignore-install moduleinquestion' >>/etc/modprobe.d/t1.conf
I don't think this would give me peace of mind, as condition is also part of the xtables-addons-kmp package (just like geoip) and just as likely to break in a similar fashion (see bug 1076650). I expect breakage in Tumbleweed, but even in Leap I have experienced several times that modules from xtables-addons-kmp are unavailable because of some goof-up in the weak-updates for instance. This has locked me out of systems once too many, so I don't trust to load any iptables rules depending on them, unless the module actually is inserted successfully.

I noticed that yast2-firewall no longer works in non-graphical mode and maybe I'm trying to overengineer things. I have a fairly limited (but stable) set of iptables rules. When SuSEfirewall2 goes away, I could probably also use a couple of rulesets that can be inserted through 'iptables-restore' and script whether or not additional rules should be loaded.
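
The approach sketched at the end of the message above (a base ruleset inserted through 'iptables-restore', plus a script that decides whether additional rules are loaded) could look like the following. This is an added example, not code from the thread or from any of its participants; the two rules file paths and the choice of xt_geoip as the module are assumptions.

```shell
#!/bin/sh
# Added example, not from the thread. Paths and the module name are assumptions.
BASE_RULES=${BASE_RULES:-/etc/iptables/base.rules}     # hypothetical: in-tree matches only
EXTRA_RULES=${EXTRA_RULES:-/etc/iptables/geoip.rules}  # hypothetical: needs EXTRA_MODULE
EXTRA_MODULE=${EXTRA_MODULE:-xt_geoip}                 # assumed xtables-addons module
MODPROBE=${MODPROBE:-modprobe}
RESTORE=${RESTORE:-iptables-restore}

# Returns 0: base and extra rules loaded; 1: base only; 2: base failed to load.
load_firewall() {
    # The base ruleset must not depend on any out-of-tree module, so it is
    # loaded first and unconditionally (this restore flushes existing rules).
    "$RESTORE" < "$BASE_RULES" || return 2

    # Only touch the extra ruleset if the kernel module really inserts.
    if ! "$MODPROBE" -q "$EXTRA_MODULE"; then
        echo "skipping $EXTRA_RULES: cannot load $EXTRA_MODULE" >&2
        return 1
    fi

    # --test parses without committing; --noflush keeps the base rules in place.
    if "$RESTORE" --test --noflush < "$EXTRA_RULES" &&
       "$RESTORE" --noflush < "$EXTRA_RULES"; then
        return 0
    fi
    echo "extra ruleset $EXTRA_RULES rejected, base rules remain" >&2
    return 1
}

# Apply for real only when asked to, e.g. from a systemd unit: script --apply
if [ "${1:-}" = "--apply" ]; then
    load_firewall
    exit $?
fi
```

A return value of 1 means the machine is running on the base ruleset only, which is the state to alert on rather than a reason to fail the boot.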