On 23/01/18 20:26, Arjen de Korte wrote:
One thing that seems to be missing in firewalld is the equivalent of SuSEfirewall2-custom. I use some modules from the xtables-addons-kmp-default package. By nature, these are fragile and tend to break occasionally when the kernel changes. Right now, the xt_geoip module is present, but broken. When including an iptables rule that relies on these modules, this will stop SuSEfirewall2 from loading. This has locked me out several times in the past. So I now use something like the following to prevent this from happening in SuSEfirewall2-custom:
fw_custom_before_port_handling() {
    if modprobe --quiet xt_geoip; then
        iptables -A input_ext -p tcp -m tcp --dport 443 -m geoip --source-country NL -j ACCEPT
    else
        iptables -A input_ext -p tcp -m tcp --dport 443 -j ACCEPT
    fi
}
I have not found a similar way of conditional loading of rules, depending on the ability to load a module. Did I miss something?
Perhaps you could possibly extend the shipped firewalld service file with an ExecStartPost script to do the exact same thing once the firewalld rules are loaded?

--
markos
SUSE LINUX GmbH | GF: Felix Imendörffer, Jane Smithard, Graham Norton
HRB 21284 (AG Nürnberg)
Maxfeldstr. 5, D-90409, Nürnberg
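One way to realise the ExecStartPost suggestion, as an added example that is not code from either poster: the module check and the two rules from Arjen's SuSEfirewall2-custom function, installed through firewalld's direct interface. It assumes a firewall-cmd with --direct support, the hook path /usr/local/sbin/firewalld-geoip.sh and the drop-in path shown in the comments; MODPROBE is overridable so the selection logic can be exercised without root or the module.

```shell
#!/bin/sh
# Added example: choose the HTTPS accept rule at firewalld start-up depending
# on whether xt_geoip loads, then install it as a firewalld direct rule.
# Assumed: firewall-cmd --direct syntax; module name and country code (NL)
# are taken from the original post. MODPROBE is overridable for testing.
MODPROBE="${MODPROBE:-modprobe}"

# Return 0 when the kernel module can be loaded, 1 otherwise; never aborts,
# so a broken xtables-addons build cannot prevent the rule from being set.
geoip_available() {
    "$MODPROBE" --quiet xt_geoip 2>/dev/null
}

# Print the match/target part of the HTTPS rule that should be installed.
https_rule_args() {
    if geoip_available; then
        printf '%s\n' "-p tcp -m tcp --dport 443 -m geoip --source-country NL -j ACCEPT"
    else
        # Fallback keeps the host reachable instead of dropping the rule
        # (and the admin's SSH session) when the module is broken.
        printf '%s\n' "-p tcp -m tcp --dport 443 -j ACCEPT"
    fi
}

# Install the selected rule in the runtime configuration (assumed syntax).
# Word splitting of the printed arguments is intended here.
apply_https_rule() {
    firewall-cmd --direct --add-rule ipv4 filter INPUT 0 $(https_rule_args)
}

# Hook it after firewalld has loaded its own rules, e.g. with the drop-in
# /etc/systemd/system/firewalld.service.d/geoip.conf (assumed path):
#   [Service]
#   ExecStartPost=/usr/local/sbin/firewalld-geoip.sh apply
# Only act when explicitly asked, so sourcing the file for tests is harmless.
if [ "${1:-}" = "apply" ]; then
    apply_https_rule
fi
```

Direct rules added this way are runtime-only; rerunning the hook on every start is exactly what makes the check follow the current kernel.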