Bug 175947 - /etc/init.d/iptables should read two rules files
Status: CLOSED NOTABUG
Product: Fedora
Classification: Fedora
Component: iptables
rawhide
All Linux
medium Severity medium
Assigned To: Thomas Woerner
Ben Levenson
: FutureFeature
Depends On:
Blocks: 138143 177950
Reported: 2005-12-16 12:04 EST by Chris Lumens
Modified: 2007-11-30 17:11 EST

See Also:
Fixed In Version:
Doc Type: Enhancement
Doc Text:
Story Points: ---
Clone Of:
Environment:
Last Closed: 2006-01-27 09:04:40 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
CRM:
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---


Description Chris Lumens 2005-12-16 12:04:54 EST
From Bugzilla Helper:
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.7.8) Gecko/20050511 Firefox/1.0.4

Description of problem:
system-config-securitylevel uses /etc/sysconfig/iptables to write its rules to.  This has the unfortunate consequence of destroying whatever was there before and not allowing people to make their own modifications to those rules.  I'd like s-c-sl to play nicer with the system.

I think the easiest way to do this would be to modify /etc/init.d/iptables to read in two config files.  The first file could be the one that s-c-sl writes out and would come with a big giant comment at the top saying to add changes to another file.  The second one could be for people to add their own modifications to and would be read in after the s-c-sl/default file.

See bug 138143 for what I'm talking about.

Thoughts?

Version-Release number of selected component (if applicable):


How reproducible:
Always

Steps to Reproduce:
1. Make your own changes to /etc/sysconfig/iptables.
2. Fire up s-c-securitylevel and use it to make some modifications.
3. Observe that your changes are gone.
  

Additional info:
Comment 1 Thomas Woerner 2006-01-24 11:14:27 EST
In my opinion it is not a good idea to use more than one config file for iptables, because there can be strange combinations this way that would be very difficult to detect or explain to users.

system-config-securitylevel should get enhanced to be able to parse existing /etc/sysconfig/iptables files.
Comment 2 Maxim Britov 2006-01-27 08:21:27 EST
I use a simple script for iptables, and several files like init.d/:
10-raw
20-nat
30-input
...
and use a file for sed substitution like: s/$extif/eth0/
Script:
#!/bin/ash
# Assemble one iptables-restore stream from numbered per-table fragments.
ipt_home=/etc/ipt-script

# Start from an empty output file (-f: no error if it does not exist yet).
rm -f "$ipt_home/ipt-final"
touch "$ipt_home/ipt-final"

# Fragments are named NN-<table> (10-raw, 20-nat, 30-input, ...); the numeric
# prefix fixes the order in which they are concatenated, and the sed script
# ipt-sed expands placeholders such as $extif.
for table_file in $(find "$ipt_home" -type f -regex ".*[0-9][0-9].*$" | sort) ;
  do sed -f "$ipt_home/ipt-sed" "$table_file" >>"$ipt_home/ipt-final" ;
done

/sbin/iptables-restore <"$ipt_home/ipt-final"
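Added example (not code from this bug report, from system-config-securitylevel or from Fedora's init script): a POSIX sh script showing what the two-file scheme proposed in the description has to do to avoid the "strange combinations" of comment 1. iptables-restore flushes a table every time it reads a "*table" line, so simply concatenating a generated file and a local file that both carry a *filter block lets the second block wipe the first. The merge below folds both files into one block per table, keeps the chain policy lines (the later file wins), appends local rules after the generated ones, and a small checker confirms every block is closed by COMMIT before anything is handed to iptables-restore. The file names (iptables.default, iptables.local), the function names and the sample rule sets are assumptions constructed for this example.

```sh
#!/bin/sh
# Added example: merge a generated iptables rules file with a local additions
# file into one iptables-restore stream, one block per table.  The names used
# here (iptables.default, iptables.local, the functions) are assumptions.

# merge_iptables_rules DEFAULT LOCAL
# Prints one "*table ... COMMIT" block per table seen in either file.  Chain
# policy lines (":CHAIN POLICY [pkts:bytes]") are collected per table, the later
# file overriding an earlier declaration; rule lines keep input order, so every
# DEFAULT rule precedes every LOCAL rule within a table.
merge_iptables_rules() {
    awk '
    /^#/ || NF == 0 { next }                 # comments and blank lines
    /^[*]/ {                                 # "*filter": open a table block
        table = substr($0, 2)
        if (!(table in seen)) { seen[table] = 1; order[++ntab] = table }
        next
    }
    /^COMMIT$/ { table = ""; next }          # block closed; COMMIT is re-emitted once at END
    table == "" { next }                     # a line outside any block is not a rule
    /^:/ {                                   # chain policy: keep chain order, last policy wins
        chain = $1; sub(/^:/, "", chain)
        key = table SUBSEP chain
        if (!(key in policy)) chains[table] = chains[table] chain " "
        policy[key] = $0
        next
    }
    { rules[table] = rules[table] $0 "\n" }  # rule line, appended in input order
    END {
        for (i = 1; i <= ntab; i++) {
            t = order[i]
            printf "*%s\n", t
            n = split(chains[t], c, " ")
            for (j = 1; j <= n; j++) print policy[t SUBSEP c[j]]
            printf "%sCOMMIT\n", rules[t]
        }
    }' "$1" "$2"
}

# check_ruleset < FILE
# Exit 0 only if every "*table" block is closed by COMMIT and no rule sits
# outside a block: a cheap structural check before iptables-restore sees it.
check_ruleset() {
    awk '
    /^#/ || NF == 0 { next }
    /^[*]/     { if (open) bad = 1; open = 1; next }
    /^COMMIT$/ { if (!open) bad = 1; open = 0; next }
    !open      { bad = 1 }
    END { exit (bad || open) ? 1 : 0 }'
}

# write_sample_rules DIR
# Constructed sample input (not taken from the bug report): a file in the style
# system-config-securitylevel generates, and a local file read after it.
write_sample_rules() {
cat > "$1/iptables.default" <<'EOF'
# Generated firewall configuration (constructed sample); put local changes in iptables.local
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:RH-Firewall-1-INPUT - [0:0]
-A INPUT -j RH-Firewall-1-INPUT
-A RH-Firewall-1-INPUT -i lo -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A RH-Firewall-1-INPUT -m state --state NEW -m tcp -p tcp --dport 22 -j ACCEPT
-A RH-Firewall-1-INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
EOF
cat > "$1/iptables.local" <<'EOF'
# Local additions (constructed sample).  "-I chain 4" places the rule ahead of the
# generated chain's terminal REJECT; a plain -A would land after it and never match.
*filter
:INPUT DROP [0:0]
-I RH-Firewall-1-INPUT 4 -m state --state NEW -m tcp -p tcp --dport 80 -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
EOF
}

# Stand-alone demo: build the samples in a scratch directory, print the merged
# ruleset if it passes the check.  Nothing here talks to the kernel.
demo_merge() {
    dir=$(mktemp -d) || return 1
    write_sample_rules "$dir"
    merge_iptables_rules "$dir/iptables.default" "$dir/iptables.local" > "$dir/merged"
    check_ruleset < "$dir/merged" && cat "$dir/merged"
    status=$?
    rm -rf "$dir"
    return $status
}

demo_merge
```

Run it as "sh merge-rules.sh" to print the merged ruleset; review the output before loading it, and where the installed iptables-restore supports --test (an assumption about the version at hand) that option parses the stream without committing it. The ordering caveat is the one a two-file init script has to document: because the generated chain ends in a terminal REJECT, a local rule appended with -A lands behind it and never matches, so the sample local file inserts with -I at a position, and the merge keeps a single *filter block so the local file cannot silently flush the generated one.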
Comment 3 Thomas Woerner 2006-01-27 09:04:40 EST
This is not an iptables problem. Closing as "NOT A BUG".
