From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7) Gecko/20040626 Firefox/0.9.1

Description of problem:
This is a feature request. It would be nice to have a configuration option to disable the "save" command in the /etc/init.d/iptables script by using the /etc/sysconfig/iptables-config file. Something along the lines of:

IPTABLES_DISABLE_SAVE="yes"

This would be handy for experienced/advanced system administrators who wish to build the /etc/sysconfig/iptables file by hand and not have to worry that the file might get overwritten by the /etc/init.d/iptables script. Other utilities that might overwrite /etc/sysconfig/iptables might use this configuration option too. The IPTABLES_DISABLE_SAVE option should override the values of the IPTABLES_SAVE_* options from the iptables-config file.

Version-Release number of selected component (if applicable):
iptables-1.2.9-2.3.1

How reproducible:
Always

Steps to Reproduce:
1. /etc/init.d/iptables save

Additional info:
If you do not want to overwrite /etc/sysconfig/iptables, then do not run "service iptables save". /etc/sysconfig/iptables-config is only useful for the iptables startup script. Other applications must not modify /etc/sysconfig/iptables, except for system-config-securitylevel. It is not useful to define a variable in /etc/sysconfig/iptables-config which overrides other variables in the same file. Closing as "NOT A BUG".
This was more along the lines of preventing a sysadmin from making a typo (or a second sysadmin invoking "iptables save" or system-config-securitylevel on a system where it shouldn't be done). Kind of making it more failsafe. "iptables save" and system-config-securitylevel are destructive, and there's no failsafe in case they were invoked by error/mistake/lack of communication. I saw value in having it.
"system iptables save" does this (/etc/init.d/iptables):

    save() {
        ...
        if [ -e $IPTABLES_DATA ]; then
            cp -f $IPTABLES_DATA $IPTABLES_DATA.save \
                && chmod 600 $IPTABLES_DATA.save \
                || ret=1
        fi
        ...

It is making a copy before storing the new data.
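As an added example that is not part of this bug report nor of the Fedora/RHEL iptables init script, the following POSIX shell function shows what the requested guard would look like: it sources a constructed iptables-config, refuses to write anything when the hypothetical IPTABLES_DISABLE_SAVE="yes" is set, and otherwise keeps the .save backup step quoted above before writing the new rule set. The function name guarded_save, the return code 2 for "disabled", and the file paths under a temporary directory are all assumptions made for this example; the real script writes to /etc/sysconfig/iptables via iptables-save, which is replaced here by a plain file write so the example runs without root and without touching the system firewall.

```shell
#!/bin/sh
# Added example, not the distribution's /etc/init.d/iptables.
# All files live under a scratch directory (constructed test data).
WORK="${WORK:-$(mktemp -d)}"
IPTABLES_DATA="$WORK/iptables"            # stands in for /etc/sysconfig/iptables
IPTABLES_CONFIG="$WORK/iptables-config"   # stands in for /etc/sysconfig/iptables-config

# Constructed hand-built rule set an admin would not want overwritten.
printf '%s\n' '*filter' ':INPUT DROP [0:0]' 'COMMIT' > "$IPTABLES_DATA"

# guarded_save CONFIG DATA NEW_RULES
#   returns 0 when the rule set was saved (with DATA.save as the backup),
#   returns 2 when IPTABLES_DISABLE_SAVE="yes" in CONFIG (nothing written),
#   returns 1 when the backup or the write failed.
guarded_save() {
    config="$1"; data="$2"; new_rules="$3"

    # Hypothetical option from the feature request; reset before sourcing
    # so a stale value from an earlier call cannot leak in.
    IPTABLES_DISABLE_SAVE=""
    [ -r "$config" ] && . "$config"

    if [ "$IPTABLES_DISABLE_SAVE" = "yes" ]; then
        echo "save disabled by $config (IPTABLES_DISABLE_SAVE=yes); $data left untouched" >&2
        return 2
    fi

    ret=0
    # Same backup step the init script performs before overwriting.
    if [ -e "$data" ]; then
        cp -f "$data" "$data.save" && chmod 600 "$data.save" || ret=1
    fi
    [ "$ret" -eq 0 ] || return 1

    # Stand-in for "iptables-save > $IPTABLES_DATA"; rules stay mode 600.
    printf '%s\n' "$new_rules" > "$data" && chmod 600 "$data" || ret=1
    return "$ret"
}

# Stand-alone run: first an enabled save, then a refused one.
printf 'IPTABLES_DISABLE_SAVE="no"\n' > "$IPTABLES_CONFIG"
guarded_save "$IPTABLES_CONFIG" "$IPTABLES_DATA" "$(printf '*filter\n:INPUT ACCEPT [0:0]\nCOMMIT')"
printf 'IPTABLES_DISABLE_SAVE="yes"\n' > "$IPTABLES_CONFIG"
guarded_save "$IPTABLES_CONFIG" "$IPTABLES_DATA" "$(printf '*filter\nCOMMIT')" || echo "refused with status $?"
```

The guard is checked before the backup, so a disabled save leaves both the rule file and any earlier .save copy exactly as they were; the backup alone (what the init script already does) only protects against the most recent overwrite, which is why a hand-maintained rule set benefits from an explicit refusal rather than relying on the .save copy.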