Ifup/ifdown scripts were modified to fix bug #25951. They now add ipchains rules when brought up to allow connectivity to name servers. However, this functionality clashes with typical ipchains usage. For instance, if a user modifies the /etc/sysconfig/ipchains file, then does 'service ipchains restart', the chains added for name resolution are flushed & a user can no longer resolve DNS names from a nameserver. Also, if a user modifies the current ipchains rules and then does 'service ipchains save', the rules that were only supposed to be set on a per-device basis are now set globally.
They should not do that, then. If a user is directly modifying their /etc/sysconfig/ipchains, they should know better than to firewall off their nameserver.
_SHOULD_ is the key word here... This change is not documented in any of the man pages, how-to's, etc. If this is the only way to do it, then the user should be notified via stdout that their ipchains rules are being modified as well.
We can add a warning to the top of the file that it's not really user modifiable. We really cannot take care of users who don't know what they are doing messing with the firewall config.
As of gnome-lokkit-0.43-6, it writes a warning at the top of the firewall script about what ifup does.