Since iptables was converted to systemd, there is no equivalent of "service iptables save", which saves the rules to /etc/sysconfig/iptables.
I notice this was discussed in #694738. A fedora-iptables-save command was proposed, and submitted as an attachment. But this doesn't seem to be in the iptables package yet.
Irrespective of whether systemctl gets a "save" command, it would be good to have the fedora-iptables-save command as a replacement for what "service iptables save" did, as the old init script used to back up the old rules and do a few other sanity checks (is iptables running, does iptables-save actually produce any output, etc.)
In the meantime, I realise it's possible to just do:
$ iptables-save > /etc/sysconfig/iptables
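An added example, not part of the original report and not the Fedora init script: a save helper that does the kind of checks mentioned above (non-empty dump, backup of the old rules). A bare redirection truncates the target before iptables-save runs, whereas this helper leaves the existing rules file intact if the dump fails. The function name save_rules, the DUMP_CMD override and the COMMIT-line check are assumptions of this example.

```shell
#!/bin/sh
# Added example: hypothetical helper, not the Fedora init script.
# DUMP_CMD is an assumption so the function can be exercised without root.
DUMP_CMD=${DUMP_CMD:-iptables-save}

# Usage (as root): save_rules /etc/sysconfig/iptables
save_rules() {
    dest=$1
    # Temp file next to the target so the final mv is an atomic rename.
    tmp=$(mktemp "$dest.XXXXXX") || return 1
    chmod 600 "$tmp"
    # Dump into the temp file; the live rules file is untouched on failure.
    if ! $DUMP_CMD > "$tmp" 2>/dev/null; then
        rm -f "$tmp"
        echo "save_rules: $DUMP_CMD failed, $dest left unchanged" >&2
        return 2
    fi
    # Reject empty output and dumps without a completed table (COMMIT line).
    if [ ! -s "$tmp" ] || ! grep -q '^COMMIT$' "$tmp"; then
        rm -f "$tmp"
        echo "save_rules: no usable ruleset in dump, $dest left unchanged" >&2
        return 3
    fi
    # Keep the previous ruleset as a backup before replacing it.
    if [ -e "$dest" ]; then
        cp -pf "$dest" "$dest.save" || { rm -f "$tmp"; return 4; }
        chmod 600 "$dest.save"
    fi
    mv -f "$tmp" "$dest"
}
```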
Please use the old init script, it has been moved to /usr/libexec: "/usr/libexec/iptables.init save"
It is not possible to add the save functionality to the systemd environment.
> Please use the old init script, it has been moved to /usr/libexec:
> "/usr/libexec/iptables.init save"
Thanks for that! Exactly what I'm looking for.
*** Bug 757335 has been marked as a duplicate of this bug. ***
Thomas, is there any chance to put the below in /etc/init.d/iptables ?
case "$1" in
echo "This is no longer supported with systemd. Please use /usr/libexec/iptables.init $1"
[ -c /dev/stderr ] && echo $"Redirecting to /bin/systemctl $@ iptables.service" >/dev/stderr
exec /bin/systemctl $@ iptables.service
So far as I can see, all this does is provide a more user-friendly error message on panic and save, and behaves the same as it does now otherwise. Forgive me if I am wrong.
It is not allowed anymore to have an init script in /etc/init.d in the main package according to the packaging guidelines; please have a look at https://fedoraproject.org/wiki/Packaging:Systemd
This needs to be discussed at best in fedora-devel.
(In reply to comment #4)
> Thomas, is there any chance to put the below in /etc/init.d/iptables ?
It may be easier to depend on the systemd redirection already implemented by initscripts:
case "$1" in
echo "This is no longer supported with systemd. Please use
# let the usual systemd redirection handle it
(In reply to comment #6)
> /usr/libexec/iptables.init $1
Commands meant to be run directly by users should not be in libexec.
Could the iptables package perhaps ship a command /usr/bin/iptables-ctl to implement the "save" and "panic" actions? Wouldn't it be something of interest to upstream? It would be nice if all distros supported the functionality in a unified way.
/usr/libexec was suggested to be used as the path for the original init script when the migration to systemd was done.
For most of the scripts migrating to systemd by the method of simple wrapping of the original script with a unit file, /usr/libexec is the right path, because most scripts only provide the standard actions (start/stop/restart/reload) that are fully encapsulated by systemd. So the user never needs to call the script directly. But if there are additional specialized actions, they should be exposed by a command in the users' PATH.
But never mind, the libexec issue is only tangential to the topic here and I don't really insist on fixing it.
Created a FESCO ticket to ask for an exception to be able to add this small init script.
(In reply to comment #10)
> Created a FESCO ticket to ask for an exception to be able to add this small
> init script.
For the record this was: https://fedorahosted.org/fesco/ticket/806
initscripts 9.37.1 supports legacy actions with "service" command:
- service: add support for legacy custom actions packaged in
iptables just needs to drop the script into .../iptables/save
I am moving the old init scripts to /usr/libexec/iptables and am adding simple scripts to use the old init scripts for the save action.
Fixed in rawhide and Fedora 18.
iptables-22.214.171.124-2.fc18 has been submitted as an update for Fedora 18.
iptables-126.96.36.199-3.fc18 has been submitted as an update for Fedora 18.