Mailinglist Archive: opensuse-factory (745 mails)

Re: [opensuse-factory] firewalld migration (was: Tumbleweed - Review of the week 2018/03)
On 23/01/18 20:26, Arjen de Korte wrote:

One thing that seems to be missing in firewalld is the equivalent of
SuSEfirewall2-custom. I use some modules from the
xtables-addons-kmp-default package. By nature, these are fragile and
tend to break occasionally when the kernel changes. Right now, the
xt_geoip module is present, but broken. When including an iptables rule
that relies on these modules, this will stop SuSEfirewall2 from loading.
This has locked me out several times in the past. So I now use something
like the following to prevent this from happening in SuSEfirewall2-custom:

fw_custom_before_port_handling() {
    # Only use the geoip match when the module actually loads; otherwise
    # fall back to a plain accept so a broken module cannot lock us out.
    if modprobe --quiet xt_geoip; then
        iptables -A input_ext -p tcp -m tcp --dport 443 -m geoip --source-country NL -j ACCEPT
    else
        iptables -A input_ext -p tcp -m tcp --dport 443 -j ACCEPT
    fi
}

I have not found a similar way of conditional loading of rules,
depending on the ability to load a module. Did I miss something?

Perhaps you could possibly extend the shipped firewalld service file
with an ExecStartPost script to do the exact same thing once the
firewalld rules are loaded?


SUSE LINUX GmbH | GF: Felix Imendörffer, Jane Smithard, Graham Norton
HRB 21284 (AG Nürnberg) Maxfeldstr. 5, D-90409, Nürnberg
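One way to do what the reply suggests, as an added example that is not from anyone in this thread: a script run from ExecStartPost in a systemd drop-in that probes the module once firewalld is up and installs either the geoip-restricted rule or the plain fallback through firewalld's direct interface. The script path, the drop-in file name and the use of the INPUT chain in place of the old input_ext chain are assumptions.

```shell
#!/bin/sh
# Assumed install path: /usr/local/sbin/firewalld-geoip-post.sh
# Assumed drop-in: /etc/systemd/system/firewalld.service.d/geoip.conf
# (see dropin_unit_text below). firewalld is Type=dbus, so ExecStartPost
# runs only after the daemon owns its bus name and firewall-cmd can talk to it.

# Print the drop-in that hooks this script into the firewalld unit.
dropin_unit_text() {
    printf '[Service]\nExecStartPost=/usr/local/sbin/firewalld-geoip-post.sh\n'
}

# Choose the rule arguments. The probe command is a parameter so the
# decision can be exercised without root or a real kernel; by default it
# is the same modprobe check used in SuSEfirewall2-custom. A missing
# modprobe binary counts as "module unavailable" (fail open, not lockout).
geoip_rule_args() {
    probe=${1:-"modprobe --quiet xt_geoip"}
    if $probe 2>/dev/null; then
        echo "-p tcp -m tcp --dport 443 -m geoip --source-country NL -j ACCEPT"
    else
        echo "-p tcp -m tcp --dport 443 -j ACCEPT"
    fi
}

# Add the chosen rule as a runtime direct rule so firewalld, not a
# hand-run iptables, stays the owner of the ruleset. Direct rules for
# INPUT land in firewalld's INPUT_direct chain, which INPUT jumps to.
apply_rule() {
    args=$(geoip_rule_args "$@")
    # shellcheck disable=SC2086  # word-splitting of $args is intended
    firewall-cmd --direct --add-rule ipv4 filter INPUT 0 $args
}

# Run only when executed under the installed script name, so sourcing the
# file for tests or inspection has no side effects.
case "$(basename -- "$0")" in
    firewalld-geoip-post.sh) apply_rule ;;
esac
```

Runtime direct rules do not survive `firewall-cmd --reload`, and ExecStartPost does not re-run on a reload, so the script has to be re-invoked after reloads (a `--permanent` rule would persist, but then a later-broken module is back in the loading path).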
