Bug 175947

Summary: /etc/init.d/iptables should read two rules files
Product: Fedora
Reporter: Chris Lumens <clumens>
Component: iptables
Assignee: Thomas Woerner <twoerner>
Status: CLOSED NOTABUG
QA Contact: Ben Levenson <benl>
Severity: medium
Priority: medium
Version: rawhide
CC: maxim.britov
Keywords: FutureFeature
Hardware: All
OS: Linux
Doc Type: Enhancement
Last Closed: 2006-01-27 14:04:40 UTC
Bug Blocks: 138143, 177950

Description Chris Lumens 2005-12-16 17:04:54 UTC

Description of problem:
system-config-securitylevel uses /etc/sysconfig/iptables to write its rules to.  This has the unfortunate consequence of destroying whatever was there before and not allowing people to make their own modifications to those rules.  I'd like s-c-sl to play nicer with the system.

I think the easiest way to do this would be to modify /etc/init.d/iptables to read in two config files.  The first file could be the one that s-c-sl writes out and would come with a big giant comment at the top saying to add changes to another file.  The second one could be for people to add their own modifications to and would be read in after the s-c-sl/default file.

See bug 138143 for what I'm talking about.

Thoughts?


How reproducible:
Always

Steps to Reproduce:
1. Make your own changes to /etc/sysconfig/iptables.
2. Fire up s-c-securitylevel and use it to make some modifications.
3. Observe that your changes are gone.

Comment 1 Thomas Woerner 2006-01-24 16:14:27 UTC
In my opinion it is not a good idea to use more than one config file for iptables, because there can be strange combinations this way that would be very difficult to detect or explain to users.

system-config-securitylevel should get enhanced to be able to parse existing /etc/sysconfig/iptables files.


Comment 2 Maxim Britov 2006-01-27 13:21:27 UTC
I use a simple script for iptables, and several files, like init.d/:
10-raw
20-nat
30-input
...
and a file for sed substitution, like: s/$extif/eth0/
Script:
#!/bin/ash
ipt_home=/etc/ipt-script

# start from an empty output file (-f: do not fail if it does not exist yet)
rm -f "$ipt_home/ipt-final"
touch "$ipt_home/ipt-final"

# concatenate the numbered table files in sorted order, applying the
# sed substitutions from ipt-sed (e.g. s/$extif/eth0/) to each one
for table_file in `find "$ipt_home" -regex ".*[0-9][0-9].*$" | sort` ; do
  sed -f "$ipt_home/ipt-sed" "$table_file" >>"$ipt_home/ipt-final" ;
done

# feed the assembled ruleset to iptables-restore
/sbin/iptables-restore <"$ipt_home/ipt-final"
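
An added example, not from this bug report and not Fedora's /etc/init.d/iptables, of assembling one iptables-restore ruleset from ordered fragments so that a tool-written file (10-filter-generated) and a hand-maintained file (50-filter-local) coexist instead of one overwriting the other. The directory layout, the NN-<table>-<name> naming, the vars.sed script and the $extif variable are assumptions of the example. Unlike a plain concatenation of whole files, it emits a single "*table ... COMMIT" block per table and refuses fragments that open a table or COMMIT themselves: iptables-restore flushes a table every time it reads a "*table" line (unless run with --noflush), so two separate *filter blocks would not simply add up, which is exactly the kind of hard-to-explain combination the previous comment warns about.

```shell
#!/bin/sh
# Added example (not from bug 175947 or Fedora's init script).
# Assumed layout: DIR/NN-<table>-<name> fragments holding only
# ":CHAIN POLICY [0:0]" and "-A ..." lines, plus a sed script of site
# variables such as  s/\$extif/eth0/ .

# assemble_rules DIR VARS OUT -> writes the merged ruleset to OUT
assemble_rules() {
    dir=$1; vars=$2; out=$3
    tmp=$(mktemp) || return 1     # build in a 0600 temp file, then mv into place
    for table in raw mangle nat filter; do
        set -- "$dir"/[0-9][0-9]-"$table"-*   # glob expansion is sorted by name
        [ -e "$1" ] || continue               # no fragments for this table
        printf '*%s\n' "$table" >>"$tmp"
        for frag in "$@"; do
            # a fragment that opens a table or COMMITs would split the block
            if grep -qE '^(\*|COMMIT)' "$frag"; then
                rm -f "$tmp"; return 1
            fi
            printf '# --- %s ---\n' "$(basename "$frag")" >>"$tmp"
            sed -f "$vars" "$frag" >>"$tmp" || { rm -f "$tmp"; return 1; }
        done
        printf 'COMMIT\n' >>"$tmp"
    done
    mv "$tmp" "$out"
}

# check_rules FILE -> 0 if every *table block is closed by COMMIT and no
# chain or rule line sits outside a block
check_rules() {
    awk '
        /^\*/          { if (inblock) bad++; inblock = 1; tables++ }
        /^COMMIT$/     { if (!inblock) bad++; inblock = 0 }
        /^(:|-A |-I )/ { if (!inblock) bad++ }
        END            { status = (inblock || bad || tables == 0) ? 1 : 0
                         exit status }
    ' "$1"
}

# try_rules FILE -> parse-only check with the real tool when it is installed
try_rules() {
    check_rules "$1" || return 1
    command -v iptables-restore >/dev/null 2>&1 || return 0   # not available here
    iptables-restore --test <"$1"
}

# make_demo DIR -> constructed sample fragments (not real site rules)
make_demo() {
    cat >"$1/10-filter-generated" <<'EOF'
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -i $extif -p tcp --dport 22 -j ACCEPT
EOF
    cat >"$1/50-filter-local" <<'EOF'
-A INPUT -i $extif -p tcp --dport 443 -j ACCEPT
EOF
    printf 's/\\$extif/eth0/\n' >"$1/vars.sed"
}

# stand-alone demo: build the fixture, assemble, validate, show the result
demo=$(mktemp -d)
make_demo "$demo"
if assemble_rules "$demo" "$demo/vars.sed" "$demo/iptables" \
   && check_rules "$demo/iptables"; then
    cat "$demo/iptables"
fi
rm -rf "$demo"
```

The fragment directory and the assembled file should be root-owned and not group/world writable: whoever can write a fragment can add rules to the firewall, and the ruleset itself documents the host's exposure. Run try_rules on the assembled file before loading it so a typo in a local fragment is caught by iptables-restore --test rather than by a half-applied ruleset.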

Comment 3 Thomas Woerner 2006-01-27 14:04:40 UTC
This is not an iptables problem. Closing as "NOT A BUG".