Mailinglist Archive: opensuse-bugs (12871 mails)

< Previous Next >
[Bug 462482] iptables-batch: consider wrapper for iptables-restore instead
  • From: bugzilla_noreply@xxxxxxxxxx
  • Date: Thu, 8 Jan 2009 01:05:40 -0700 (MST)
  • Message-id: <20090108080540.6BDEC245390@xxxxxxxxxxxxxxxxxxxxxx>

User lnussel@xxxxxxxxxx added comment

--- Comment #5 from Ludwig Nussel <lnussel@xxxxxxxxxx> 2009-01-08 01:05:38 MST
(In reply to comment #4 from Jan Engelhardt)
I think that, if there is a reason iptables-restore fails, then the manual
commands will also fail at some point and leave the ruleset in a state which
may lock out the user, at which point iptables-restore seems to be the better
solution which does an atomic restore --- if this atomic restore fails, the
previous ruleset will be used, which is either
1. empty chains all with policy of ACCEPT.
2. the minimal ruleset installed by SuSEfirewall2_init (the first stage thing)
How's that sound?

Typically iptables doesn't fail on the crucial rules but rather on individual
ones where users made a mistake in /etc/sysconfig/SuSEfirewall2. Such as typos
in IP addresses or port numbers or using features that are only available for
IPv4 and then some ip6tables call fails (like e.g. using ipt_recent). So it's
ok to deploy all working rules and only omit the faulty ones.

Configure bugmail:
------- You are receiving this mail because: -------
You are on the CC list for the bug.

< Previous Next >