Mailinglist Archive: opensuse-factory (745 mails)

Re: [opensuse-factory] firewalld migration (was: Tumbleweed - Review of the week 2018/03)
Quoting Jan Engelhardt <jengelh@xxxxxxx>:

> On Thursday 2018-01-25 15:54, Matthias Gerstner wrote:
>
>>> One thing that seems to be missing in firewalld is the equivalent of
>>> SuSEfirewall2-custom.
>>> [...]
>>> I have not found a similar way of conditional loading of rules, depending on
>>> the ability to load a module. Did I miss something?
>>
>> well you _can_ load custom rules with firewalld, but without any
>> conditional logic.
>> Like Markos already suggested you might be able to design a script or
>> systemd service that runs after firewalld loads and adds such
>> conditional rules.
>
> Hold my beer.
>
> zypper in xtables-addons-kmp
> iptables -m condition --condition c1 ...
> echo -en '#!/bin/sh\necho 1 >/proc/net/nf_condition/c1\n' >/usr/local/sbin/s1
> chmod a+x /usr/local/sbin/s1
> echo 'install moduleinquestion /usr/local/sbin/s1; modprobe --ignore-install moduleinquestion' >>/etc/modprobe.d/t1.conf

I don't think this would give me peace of mind, as condition is also part of the xtables-addons-kmp package (just like geoip) and just as likely to break in a similar fashion (see bug 1076650).

I expect breakage in Tumbleweed, but even in Leap I have experienced several times that modules from xtables-addons-kmp are unavailable because of some goof-up in the weak-updates for instance. This has locked me out of systems once too many, so I don't trust to load any iptables rules depending on them, unless the module actually is inserted successfully.

I noticed that yast2-firewall no longer works in non-graphical mode and maybe I'm trying to overengineer things. I have a fairly limited (but stable) set of iptables rules. When SuSEfirewall2 goes away, I could probably also use a couple of rulesets that can be inserted through 'iptables-restore' and script whether or not additional rules should be loaded.

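The fallback described in the last paragraph of the mail (fixed rulesets loaded with iptables-restore, and a script that decides whether the additional rules go in), sketched as an added example that is not part of the original message or of any openSUSE package. The file paths and the module name xt_geoip are assumptions; the additional rules are loaded only after the module has been inserted successfully, so a missing kmp leaves the base ruleset in place.

```shell
#!/bin/sh
# Added example, not from the mail: base rules always, extra rules only if
# the kernel module they depend on can really be inserted.

BASE_RULES=${BASE_RULES:-/etc/iptables/base.rules}     # assumed path
EXTRA_RULES=${EXTRA_RULES:-/etc/iptables/geoip.rules}  # assumed path
EXTRA_MODULE=${EXTRA_MODULE:-xt_geoip}                 # assumed module name

# Thin wrappers, so the decision logic can be exercised without root.
probe_module() { modprobe -q "$1"; }
restore_rules() {   # usage: restore_rules FILE [iptables-restore options]
    rules_file=$1
    shift
    iptables-restore "$@" <"$rules_file"
}

# Returns 0: base + extra loaded, 1: base only, 2: nothing changed or base failed.
load_firewall() {
    # Parse the base ruleset with --test (no commit) before applying it, so a
    # typo is caught before any table is replaced.
    if ! restore_rules "$BASE_RULES" --test; then
        echo "base ruleset does not parse, leaving current rules alone" >&2
        return 2
    fi
    restore_rules "$BASE_RULES" || return 2

    # Never reference the extension unless the module was inserted.
    if ! probe_module "$EXTRA_MODULE"; then
        echo "module $EXTRA_MODULE unavailable, running with base rules only" >&2
        return 1
    fi

    # --noflush adds to the tables instead of replacing the base rules.
    if restore_rules "$EXTRA_RULES" --test --noflush &&
       restore_rules "$EXTRA_RULES" --noflush; then
        return 0
    fi
    echo "extra ruleset rejected, running with base rules only" >&2
    return 1
}

# Apply only when asked to, e.g. from a boot script: sh thisfile --apply
case "${1:-}" in
    --apply) load_firewall ;;
esac
```

Because the extra ruleset is loaded with --noflush, its file should contain only the rules that use the optional match.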