Red Hat Bugzilla – Bug 129346
Option to disable "save" command in iptables init.d script
Last modified: 2007-11-30 17:10:47 EST
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7)
Description of problem:
This is a feature request.
It would be nice to have configuration option to disable "save"
command in /etc/init.d/iptables script by using
/etc/sysconfig/iptables-config file. Something along the lines of:
This would be handy for an experienced/advanced system administrator who
wishes to build the /etc/sysconfig/iptables file by hand and does not want
to worry that the file might get overwritten by the /etc/init.d/iptables
script. Other utilities that might overwrite /etc/sysconfig/iptables
could honour this configuration option too. The IPTABLES_DISABLE_SAVE option
should override the values of the IPTABLES_SAVE_* options from iptables-config.
Version-Release number of selected component (if applicable):
Steps to Reproduce:
1. /etc/init.d/iptables save
If you do not want to overwrite /etc/sysconfig/iptables, then do not
run "service iptables save". /etc/sysconfig/iptables-config is only
useful for the iptables startup script.
Other applications must not modify /etc/sysconfig/iptables, except of
It is not useful to define a variable in
/etc/sysconfig/iptables-config which overrides other variables in the
Closing as "NOT A BUG"
This was more along the lines of preventing a sysadmin from making a typo
(or a second sysadmin invoking "iptables save" or
system-config-securitylevel on a system where it shouldn't be done).
Kind of making it more failsafe. "iptables save" and
system-config-securitylevel are destructive, and there's no failsafe
in case they are invoked by error/mistake/lack of communication. I
saw value in having it.
"service iptables save" does this:
    if [ -e $IPTABLES_DATA ]; then
        cp -f $IPTABLES_DATA $IPTABLES_DATA.save \
            && chmod 600 $IPTABLES_DATA.save \
It is making a copy before storing the new data.
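The two behaviours discussed in this bug, the IPTABLES_DISABLE_SAVE guard requested in the description and the copy-to-.save step quoted from the init script in the last comment, put together in one save routine. This is an added example, not the Red Hat init script and not code from anyone in this thread. Assumptions: IPTABLES_DISABLE_SAVE=yes is a hypothetical knob (the request was closed without it), all paths are redirected into a temporary directory so it runs unprivileged, and the ruleset is a constructed sample standing in for iptables-save output.

```shell
#!/bin/sh
# Added example, not the Red Hat /etc/init.d/iptables script.
# Sandboxed stand-ins for /etc/sysconfig/iptables-config and
# /etc/sysconfig/iptables (assumption: WORKDIR may be preset by the caller).
WORKDIR="${WORKDIR:-$(mktemp -d)}"
IPTABLES_CONFIG="$WORKDIR/iptables-config"
IPTABLES_DATA="$WORKDIR/iptables"

# Constructed sample ruleset standing in for `iptables-save` output.
new_ruleset() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
COMMIT
EOF
}

# guarded_save: the "save" action with the proposed safety switch.
# Returns 0 when the ruleset was written, 2 when the hypothetical
# IPTABLES_DISABLE_SAVE=yes setting refused the save, 1 on a backup or
# write failure. The data file is never touched unless the backup succeeded.
guarded_save() {
    IPTABLES_DISABLE_SAVE=no
    # The init script sources iptables-config as shell, so the file must be
    # root-owned and not writable by others (it can run arbitrary commands).
    [ -r "$IPTABLES_CONFIG" ] && . "$IPTABLES_CONFIG"
    if [ "$IPTABLES_DISABLE_SAVE" = "yes" ]; then
        echo "iptables: save disabled by IPTABLES_DISABLE_SAVE in $IPTABLES_CONFIG" >&2
        return 2
    fi
    # Same copy-before-overwrite step as the real script: keep the previous
    # rules as $IPTABLES_DATA.save, readable only by the owner.
    if [ -e "$IPTABLES_DATA" ]; then
        cp -f "$IPTABLES_DATA" "$IPTABLES_DATA.save" \
            && chmod 600 "$IPTABLES_DATA.save" \
            || { echo "iptables: error saving old configuration" >&2; return 1; }
    fi
    # Write the new rules with a restrictive umask in a subshell so the
    # caller's umask is left alone; the rules file can reveal the host's
    # filtering policy and should not be world-readable.
    ( umask 077; new_ruleset > "$IPTABLES_DATA" ) || return 1
    chmod 600 "$IPTABLES_DATA"
    return 0
}

# Helper for the demo and for tests: write the one setting we care about.
write_config() {
    printf 'IPTABLES_DISABLE_SAVE=%s\n' "$1" > "$IPTABLES_CONFIG"
}

# Demo run: the first attempt is refused, the second backs up and rewrites.
write_config yes
guarded_save || echo "save refused, rc=$?"
write_config no
guarded_save && echo "rules written to $IPTABLES_DATA, previous copy in $IPTABLES_DATA.save"
```

With IPTABLES_DISABLE_SAVE=yes the routine exits before touching either file, which is the "failsafe" the reporter wanted against a mistyped or misdirected "service iptables save"; with it unset or "no" it behaves like the quoted script, so an accidental save still leaves the previous rules recoverable from the .save copy.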