Bug 748134

Summary: "service iptables save" functionality unavailable after systemd conversion
Product: [Fedora] Fedora Reporter: Richard Fearn <richardfearn>
Component: iptablesAssignee: Thomas Woerner <twoerner>
Status: CLOSED NEXTRELEASE QA Contact: Fedora Extras Quality Assurance <extras-qa>
Severity: low Docs Contact:
Priority: unspecified    
Version: 16CC: apevec, atkac, azelinka, codehotter, greno, jbrier, mschmidt, psabata, twoerner, urilabob, zing
Target Milestone: ---Keywords: Reopened
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2012-10-12 14:28:04 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 796663    
Bug Blocks:    

Description Richard Fearn 2011-10-22 10:53:15 UTC
Since iptables was converted to systemd, there is no equivalent of "service iptables save", which saves the rules to /etc/sysconfig/iptables.

I notice this was discussed in #694738. A fedora-iptables-save command was proposed, and submitted as an attachment. But this doesn't seem to be in the iptables package yet.

Irrespective of whether systemctl gets a "save" command, it would be good to have the fedora-iptables-save command as a replacement for what "service iptables save" did, as the old init script used to backup the old rules and do a few other sanity checks (is iptables running, does iptables-save actually produce any output, etc.)

In the meantime, I realise it's possible to just do:

  $ iptables-save > /etc/sysconfig/iptables

Comment 1 Thomas Woerner 2011-10-24 09:35:33 UTC
Please use the old init script, it has been moved to /usr/libexec: "/usr/libexec/iptables.init save"

It is not possible to add the save functionality to the systemd environment.

Comment 2 Richard Fearn 2011-11-12 15:39:29 UTC
> Please use the old init script, it has been moved to /usr/libexec:
> "/usr/libexec/iptables.init save"

Thanks for that! Exactly what I'm looking for.

Comment 3 Thomas Woerner 2011-11-28 09:55:09 UTC
*** Bug 757335 has been marked as a duplicate of this bug. ***

Comment 4 Emanuel Rietveld 2012-02-15 15:58:43 UTC
Thomas, is there any chance to put the below in /etc/init.d/iptables ?

#!/bin/sh

case "$1" in
    panic|save)
        echo "This is no longer supported with systemd. Please use /usr/libexec/iptables.init $1"
        ;;
    *)
        [ -c /dev/stderr ] && echo $"Redirecting to /bin/systemctl $@ iptables.service" >/dev/stderr
        exec /bin/systemctl $@ iptables.service
        ;;
esac

So far as I can see, all this does is provide a more userfriendly error message on panic and save, and behaves the same as it does now otherwise. Forgive me if I am wrong.

Comment 5 Thomas Woerner 2012-02-15 16:38:42 UTC
It is not allowed anymore to have an init script in /etc/init.d in the main package according to the packaging guidelines, please have a look at https://fedoraproject.org/wiki/Packaging:Systemd

This needs to be discussed at best in fedora-devel.

Comment 6 Michal Schmidt 2012-02-16 15:34:02 UTC
(In reply to comment #4)
> Thomas, is there any chance to put the below in /etc/init.d/iptables ?

It may be easier to depend on the systemd redirection already implemented by initscripts:

#!/bin/sh
case "$1" in
    panic|save)
        echo "This is no longer supported with systemd. Please use
/usr/libexec/iptables.init $1"
        exit 1
        ;;
    *)
        # let the usual systemd redirection handle it
        . /etc/rc.d/init.d/functions
        ;;
esac

Comment 7 Michal Schmidt 2012-02-16 15:37:10 UTC
(In reply to comment #6)
> /usr/libexec/iptables.init $1

Commands meant to be run directly by users should not be in libexec.

Could the iptables package perhaps ship a command /usr/bin/iptables-ctl to implement the "save" and "panic" actions? Wouldn't it be something of interest to upstream? It would be nice if all distros supported the functionality in a unified way.

Comment 8 Thomas Woerner 2012-02-16 16:02:06 UTC
/usr/libexec was suggested to be used as the path for the original init script when the migration to systemd was done.

Comment 9 Michal Schmidt 2012-02-16 16:14:36 UTC
For most of the scripts migrating to systemd by the method of simple wrapping of the original script with a unit file, /usr/libexec is the right path, because most scripts only provide the standard actions (start/stop/restart/reload) that are fully encapsulated by systemd. So the user never needs to call the script directly. But if there are additional specialized actions, they should be exposed by a command in the users' PATH.

But nevermind, the libexec issue is only tangential to the topic here and I don't really insist on fixing it.

Comment 10 Thomas Woerner 2012-02-16 17:02:50 UTC
Created a FESCO ticket to ask for an exception to be able to add this small init script.

Comment 11 Alan Pevec 2012-10-04 13:43:31 UTC
(In reply to comment #10)
> Created a FESCO ticket to ask for an exception to be able to add this small
> init script.

For the record this was: https://fedorahosted.org/fesco/ticket/806

Comment 12 Alan Pevec 2012-10-04 14:16:48 UTC
initscripts 9.37.1 supports legacy actions with "service" command:
- service: add support for legacy custom actions packaged in
  /usr/libexec/initscripts/legacy-actions/<script>/<action>

iptables just needs to drop the script into .../iptables/save

Comment 13 Thomas Woerner 2012-10-12 09:52:20 UTC
I am moving the old init scripts to /usr/libexec/iptables and am adding simple scripts to use the old init scripts for the save action.

Comment 14 Thomas Woerner 2012-10-12 14:28:04 UTC
Fixed in rawhide and Fedora 18.

Comment 15 Fedora Update System 2012-10-12 15:00:27 UTC
iptables-1.4.16.2-2.fc18 has been submitted as an update for Fedora 18.
https://admin.fedoraproject.org/updates/iptables-1.4.16.2-2.fc18

Comment 16 Fedora Update System 2012-10-14 15:33:55 UTC
iptables-1.4.16.2-3.fc18 has been submitted as an update for Fedora 18.
https://admin.fedoraproject.org/updates/iptables-1.4.16.2-3.fc18