Bug 129346 - Option to disable "save" command in iptables init.d script
Summary: Option to disable "save" command in iptables init.d script
Alias: None
Product: Fedora
Classification: Fedora
Component: iptables
Version: 2
Hardware: All
OS: Linux
Target Milestone: ---
Assignee: Thomas Woerner
QA Contact: Ben Levenson
Keywords: FutureFeature
Reported: 2004-08-06 18:50 UTC by Aleksandar Milivojevic
Modified: 2007-11-30 22:10 UTC (History)
Last Closed: 2004-08-09 15:03:21 UTC


Description Aleksandar Milivojevic 2004-08-06 18:50:36 UTC
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7)
Gecko/20040626 Firefox/0.9.1

Description of problem:
This is a feature request.

It would be nice to have a configuration option to disable the "save"
command in the /etc/init.d/iptables script by using the
/etc/sysconfig/iptables-config file.  Something along the lines of:


This would be handy for experienced/advanced system administrators who
wish to build the /etc/sysconfig/iptables file by hand and not have to
worry that the file might get overwritten by the /etc/init.d/iptables
script.  Other utilities that might overwrite /etc/sysconfig/iptables
might use this configuration option too.  The IPTABLES_DISABLE_SAVE option
should override values of IPTABLES_SAVE_* options from iptables-config.

Version-Release number of selected component (if applicable):

How reproducible:

Steps to Reproduce:
1. /etc/init.d/iptables save

Additional info:

Comment 1 Thomas Woerner 2004-08-09 15:03:21 UTC
If you do not want to overwrite /etc/sysconfig/iptables, then do not
start service iptables save. /etc/sysconfig/iptables-config is only
useful for the iptables startup-script.

Other applications must not modify /etc/sysconfig/iptables, except of

It is not useful to define a variable in
/etc/sysconfig/iptables-config which overrides other variables in the
same file.

Closing as "NOT A BUG"

Comment 2 Aleksandar Milivojevic 2004-08-09 16:06:15 UTC
This was more along the lines of preventing a sysadmin from making a typo
(or a second sysadmin invoking iptables save or
system-config-securitylevel on a system where it shouldn't be done).
Kind of making it more failsafe.  iptables save and
system-config-securitylevel are destructive, and there's no failsafe
in case they were invoked by error/mistake/lack of communication.  I
saw a value in having it.

Comment 3 Thomas Woerner 2004-08-09 16:18:45 UTC
system iptables save does this:

save() {
        if [ -e $IPTABLES_DATA ]; then
            cp -f $IPTABLES_DATA $IPTABLES_DATA.save \
                && chmod 600 $IPTABLES_DATA.save \
                || ret=1

It is making a copy before storing new data.
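
The guard requested in this report, combined with the backup step quoted in comment 3, as an added shell sketch; it is not the Fedora init script and not code from either commenter. IPTABLES_DISABLE_SAVE is the name proposed in the report (the request was closed, so the option is hypothetical); the "yes" value, the guarded_save function, the RULES_CMD variable and the temp-file step are assumptions of this example and go beyond what the thread shows.

```shell
#!/bin/sh
# Added example, not the Fedora init script.
# IPTABLES_DISABLE_SAVE: option name proposed in this bug report (hypothetical).
# guarded_save, RULES_CMD and the "yes" value are assumptions of this sketch.

IPTABLES_DATA=${IPTABLES_DATA:-/etc/sysconfig/iptables}
IPTABLES_CONFIG=${IPTABLES_CONFIG:-/etc/sysconfig/iptables-config}
RULES_CMD=${RULES_CMD:-iptables-save}   # command that prints the live rule set

guarded_save() {
    # Load the admin's settings on every call so a config change takes effect.
    [ -f "$IPTABLES_CONFIG" ] && . "$IPTABLES_CONFIG"

    # The guard runs before any other save logic, so it takes precedence
    # over the IPTABLES_SAVE_* options, as the report asks.
    if [ "${IPTABLES_DISABLE_SAVE:-no}" = "yes" ]; then
        echo "save disabled by IPTABLES_DISABLE_SAVE; $IPTABLES_DATA left untouched" >&2
        return 3
    fi

    # Dump to a private temp file first: a failed or empty dump must never
    # truncate the hand-built rules file.
    tmp=$(mktemp "${IPTABLES_DATA}.XXXXXX") || return 1
    chmod 600 "$tmp"
    if ! $RULES_CMD > "$tmp" || [ ! -s "$tmp" ]; then
        rm -f "$tmp"
        return 1
    fi

    # Backup step as quoted in comment 3: keep the previous file as .save.
    if [ -e "$IPTABLES_DATA" ]; then
        cp -f "$IPTABLES_DATA" "$IPTABLES_DATA.save" \
            && chmod 600 "$IPTABLES_DATA.save" \
            || { rm -f "$tmp"; return 1; }
    fi

    # Rename within the same directory replaces the rules file in one step.
    mv -f "$tmp" "$IPTABLES_DATA"
}
```

The function returns 3 when the guard blocks the save, so a caller can tell a refusal apart from a failed write (return 1).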
