Bug 129346 - Option to disable "save" command in iptables init.d script
Status: CLOSED NOTABUG
Alias: None
Product: Fedora
Classification: Fedora
Component: iptables
Version: 2
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Thomas Woerner
QA Contact: Ben Levenson
URL:
Whiteboard:
Keywords: FutureFeature
Depends On:
Blocks:
Reported: 2004-08-06 18:50 UTC by Aleksandar Milivojevic
Modified: 2007-11-30 22:10 UTC (History)
0 users

Fixed In Version:
Doc Type: Enhancement
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2004-08-09 15:03:21 UTC

Description Aleksandar Milivojevic 2004-08-06 18:50:36 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7)
Gecko/20040626 Firefox/0.9.1

Description of problem:
This is a feature request.

It would be nice to have a configuration option to disable the "save"
command in the /etc/init.d/iptables script by using the
/etc/sysconfig/iptables-config file.  Something along the lines of:

IPTABLES_DISABLE_SAVE="yes"

This would be handy for experienced/advanced system administrators who
wish to build the /etc/sysconfig/iptables file by hand and not have to
worry that the file might get overwritten by the /etc/init.d/iptables
script.  Other utilities that might overwrite /etc/sysconfig/iptables
might use this configuration option too.  The IPTABLES_DISABLE_SAVE option
should override the values of the IPTABLES_SAVE_* options from the
iptables-config file.

Version-Release number of selected component (if applicable):
iptables-1.2.9-2.3.1

How reproducible:
Always

Steps to Reproduce:
1. /etc/init.d/iptables save
    

Additional info:

Comment 1 Thomas Woerner 2004-08-09 15:03:21 UTC
If you do not want to overwrite /etc/sysconfig/iptables, then do not
start service iptables save. /etc/sysconfig/iptables-config is only
useful for the iptables startup-script.

Other applications must not modify /etc/sysconfig/iptables, except for
system-config-securitylevel.

It is not useful to define a variable in
/etc/sysconfig/iptables-config which overrides other variables in the
same file.

Closing as "NOT A BUG"


Comment 2 Aleksandar Milivojevic 2004-08-09 16:06:15 UTC
This was more along the lines of preventing a sysadmin from making a typo
(or a second sysadmin invoking iptables save or
system-config-securitylevel on a system where it shouldn't be done).
Kind of making it more failsafe.  iptables save and
system-config-securitylevel are destructive, and there's no failsafe
in case they were invoked by error/mistake/lack of communication.  I
saw a value in having it.

Comment 3 Thomas Woerner 2004-08-09 16:18:45 UTC
system iptable save does this:

/etc/init.d/iptables:
save() {
        ...
        if [ -e $IPTABLES_DATA ]; then
            cp -f $IPTABLES_DATA $IPTABLES_DATA.save \
                && chmod 600 $IPTABLES_DATA.save \
                || ret=1
        fi
        ...

It is making a copy before storing new data.
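
Added example (not part of the bug report and not the Fedora init script): the failsafe requested in the description combined with the backup step quoted in comment 3, as a standalone shell function. IPTABLES_DISABLE_SAVE is the option proposed in this report and was not adopted; the function name guarded_save and reading the rules from stdin are assumptions made so it runs without root.

```shell
# guarded_save DATA CONFIG  -- new rules are read from stdin, e.g.
#   iptables-save | guarded_save /etc/sysconfig/iptables /etc/sysconfig/iptables-config
# Returns 0 on success, 1 on failure, 2 when saving is disabled.
# IPTABLES_DISABLE_SAVE is the option proposed in this report (hypothetical).
guarded_save() {
    data=$1      # rules file that a save would overwrite
    config=$2    # file that may contain IPTABLES_DISABLE_SAVE="yes"

    # Parse the single setting instead of sourcing the file, so the
    # config file cannot execute commands here. Last assignment wins.
    disable=$(sed -n 's/^IPTABLES_DISABLE_SAVE="\{0,1\}\([A-Za-z]*\)"\{0,1\}[[:space:]]*$/\1/p' \
        "$config" 2>/dev/null | tail -n 1)
    case $disable in
        yes|YES|Yes)
            echo "save refused: IPTABLES_DISABLE_SAVE is set in $config" >&2
            return 2 ;;
    esac

    # Stage the new rules next to the target; mktemp creates the file 0600.
    tmp=$(mktemp "$data.XXXXXX") || return 1
    if ! cat > "$tmp" || [ ! -s "$tmp" ]; then
        rm -f "$tmp"     # never replace the rules with empty output
        return 1
    fi

    # Same backup step as the excerpt in comment 3: keep the previous
    # file as DATA.save, readable by its owner only.
    if [ -e "$data" ]; then
        cp -f "$data" "$data.save" && chmod 600 "$data.save" \
            || { rm -f "$tmp"; return 1; }
    fi

    # Rename within one directory so readers never see a partial file.
    chmod 600 "$tmp" && mv -f "$tmp" "$data"
}
```
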


