[opensuse-factory] Time to rehash SuSEFirewall2
Hello Folks,

So, just offering my opinion on what I personally feel is an "issue" for OpenSUSE with regards to its firewall.

Currently, SuSEFirewall2 invokes ip(6)tables each time it needs to add a rule. This goes completely against what is advocated by the Netfilter developers, as it is not atomic and is costly in terms of performance; iptables-restore, on the other hand, is atomic and restores everything in one fell swoop.

Additionally, whilst SuSEFirewall2 does provide for allowing you to configure your own rules, it's not particularly robust, nor supported.

Thus, my suggestion is as follows: modify SuSEFirewall2 so that rule building happens *once* and, from that point, ip(6)tables-save and ip(6)tables-restore are all that get used. SuSEFirewall2 need only do a rebuild if the rules are modified.

Doing it this way carries the benefit that initialisation of Netfilter at bootup will be far more efficient. It also has the benefit that any advanced user is free to customise their iptables ruleset as they see fit; currently, the only other way I have found to do that is dragging across iptables scripts from Enterprise Linux and disabling SuSEFirewall2.

Regards,
Oliver

--
To unsubscribe, e-mail: opensuse-factory+unsubscribe@opensuse.org
To contact the owner, e-mail: opensuse-factory+owner@opensuse.org
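The "build once, restore atomically" approach proposed in the post above, as an added sketch that is not SuSEFirewall2's code and not from the list: the ruleset is generated in iptables-save format, written to disk only when it has changed, and handed to iptables-restore as a single transaction. The rule contents, the file path and port 22 are placeholders.

```shell
#!/bin/sh
# Added example, not SuSEFirewall2 code. Builds a complete IPv4 ruleset once
# in iptables-save format and loads it with iptables-restore, so the kernel
# sees either the whole table or nothing. RULES_FILE is an assumed location.

RULES_FILE="${RULES_FILE:-/tmp/example-ruleset.v4}"

# Emit the full ruleset. Everything between "*filter" and "COMMIT" is
# applied as one unit by iptables-restore (placeholder rules).
build_ruleset() {
cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT
-A INPUT -p icmp -j ACCEPT
COMMIT
EOF
}

# Count the "-A" rule lines on stdin: a quick sanity check that the whole
# set is present before anything is handed to the kernel.
count_rules() {
    grep -c '^-A '
}

# Rewrite the saved file only when the generated ruleset differs from it
# (returns 1 when unchanged), so boot and restarts just replay the file.
refresh_ruleset() {
    new=$(build_ruleset)
    if [ -f "$RULES_FILE" ] && [ "$new" = "$(cat "$RULES_FILE")" ]; then
        return 1
    fi
    printf '%s\n' "$new" > "$RULES_FILE"
    return 0
}

# Atomic load. --test only parses and builds the ruleset without
# committing it; drop the flag to really apply (needs root).
load_ruleset() {
    iptables-restore --test < "$RULES_FILE"
}
```

Contrast this with a loop of individual `iptables -A` calls, where a failure halfway through leaves the kernel with a half-built table.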
Olipro wrote:
Currently, SuSEFirewall2 invokes ip(6)tables each time it needs to add a rule
No it doesn't since 2005.

cu
Ludwig

--
(o_   Ludwig Nussel
//\
V_/_  http://www.suse.de/
SUSE LINUX Products GmbH, GF: Jeff Hawn, Jennifer Guild, Felix Imendörffer, HRB 16746 (AG Nürnberg)
On Monday 10 Oct 2011 10:55:07 Ludwig Nussel wrote:
Olipro wrote:
Currently, SuSEFirewall2 invokes ip(6)tables each time it needs to add a rule
No it doesn't since 2005.
So it builds a ruleset and uses iptables-restore?
Olipro wrote:
On Monday 10 Oct 2011 10:55:07 Ludwig Nussel wrote:
Olipro wrote:
Currently, SuSEFirewall2 invokes ip(6)tables each time it needs to add a rule
No it doesn't since 2005.
So it builds a ruleset and uses iptables-restore?
No but something similar. Look for USE_IPTABLES_BATCH.

cu
Ludwig
On Monday 10 Oct 2011 15:52:34 Ludwig Nussel wrote:
Olipro wrote:
On Monday 10 Oct 2011 10:55:07 Ludwig Nussel wrote:
Olipro wrote:
Currently, SuSEFirewall2 invokes ip(6)tables each time it needs to add a rule
No it doesn't since 2005.
So it builds a ruleset and uses iptables-restore?
No but something similar. Look for USE_IPTABLES_BATCH.
And that differs from calling the iptables commandline multiple times... how?
Olipro wrote:
On Monday 10 Oct 2011 15:52:34 Ludwig Nussel wrote:
Olipro wrote:
On Monday 10 Oct 2011 10:55:07 Ludwig Nussel wrote:
Olipro wrote:
Currently, SuSEFirewall2 invokes ip(6)tables each time it needs to add a rule
No it doesn't since 2005.
So it builds a ruleset and uses iptables-restore?
No but something similar. Look for USE_IPTABLES_BATCH.
And that differs from calling the iptables commandline multiple times... how?
The same way iptables-restore differs from that. UTSL.

cu
Ludwig