Firewall settings unworkable
Dennis Jacobfeuerborn
dennisml at conversis.de
Wed Oct 6 19:38:50 UTC 2010
On 10/06/2010 08:31 PM, Richard W.M. Jones wrote:
> Seems quite complex. What's wrong with a directory:
>
> /etc/iptables.d/
>
> where RPMs like libvirt just drop the required additional rules (in a
> separate chain if you like) and restart the iptables service? It's
> low-tech but simple and it's all that libvirt needs.
If you do an "/etc/init.d/iptables save" and then reboot the machine, you
will probably end up with duplicate rules because the libvirt rules are now
created from /etc/sysconfig/iptables and then again from the respective
iptables.d file.
That's why I mentioned the two layer approach. You basically need a layer
that loads the basic rules and then applies the per-subsystem ones and that
is able to extract the per-subsystem rules again on save. This could be
relatively easy or very hard depending on the subset of rules you want to
support for the subsystems.
Thomas Woerner's idea looks like the best approach to this. I was aiming for
a more iterative approach using scripts instead of a daemon but if Thomas
has fleshed this out already and has some code working then more power to him :)
Regards,
Dennis
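As an added example of the two-layer scheme discussed in this thread (this is not code from Dennis, Thomas Woerner, Richard Jones, Fedora or libvirt): the base rules stay in /etc/sysconfig/iptables, each subsystem owns a chain that lives in a fragment under /etc/iptables.d/, and the save step strips those chains back out so a reboot does not replay them twice. The chain prefix SUBSYS_ and the .rules suffix are assumed conventions, the two iptables-save style dumps are constructed samples, and the duplicate count is a text-level stand-in for "restore the base file, then append the fragment" rather than a call to iptables itself.

```shell
#!/bin/sh
# Added example, not code from the original thread or from Fedora/libvirt.
# Two-layer iptables ruleset: base rules stay in the saved file; every
# subsystem owns a chain named SUBSYS_<name> (an assumed convention) that
# lives in /etc/iptables.d/<name>.rules and is stripped out again on save.

SUBSYS_PREFIX="SUBSYS_"

# Constructed sample: what `iptables-save` prints after the base rules and
# one subsystem fragment have both been loaded.
LOADED_DUMP='*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:SUBSYS_libvirt - [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
-A FORWARD -j SUBSYS_libvirt
-A SUBSYS_libvirt -i virbr0 -o virbr0 -j ACCEPT
-A SUBSYS_libvirt -o virbr0 -j REJECT --reject-with icmp-port-unreachable
COMMIT'

# Constructed sample: the fragment a package would drop into /etc/iptables.d/.
LIBVIRT_FRAGMENT='*filter
:SUBSYS_libvirt - [0:0]
-A FORWARD -j SUBSYS_libvirt
-A SUBSYS_libvirt -i virbr0 -o virbr0 -j ACCEPT
-A SUBSYS_libvirt -o virbr0 -j REJECT --reject-with icmp-port-unreachable
COMMIT'

# Save layer: drop everything a subsystem owns (its chain declaration, the
# rules in that chain, and the jumps into it) from an iptables-save dump.
strip_subsystem_rules() {
    awk -v p="$SUBSYS_PREFIX" '
        # chain declaration such as ":SUBSYS_libvirt - [0:0]"
        index($0, ":" p) == 1 { next }
        # rules appended to a subsystem chain
        $1 == "-A" && index($2, p) == 1 { next }
        # jumps from a base chain into a subsystem chain
        {
            for (i = 1; i < NF; i++)
                if ($i == "-j" && index($(i + 1), p) == 1) next
            print
        }
    '
}

# Count -A lines that occur more than once on stdin: a text-level stand-in
# for "restore the base file, then append the fragment" (no iptables call).
count_duplicate_rules() {
    awk '$1 == "-A" { if (seen[$0]++ == 1) dups++ } END { print dups + 0 }'
}

# Load layer as run on boot: base file first, then each fragment appended
# with --noflush so the base rules are kept.
load_ruleset() {
    iptables-restore < /etc/sysconfig/iptables
    for f in /etc/iptables.d/*.rules; do
        [ -e "$f" ] && iptables-restore --noflush < "$f"
    done
}

# Save layer: what "/etc/init.d/iptables save" would do in this scheme.
save_ruleset() {
    iptables-save | strip_subsystem_rules > /etc/sysconfig/iptables
}

# Demonstration on the constructed samples (no iptables needed).
# Saving the loaded state verbatim and replaying the fragment on top:
naive_dups() {
    { printf '%s\n' "$LOADED_DUMP"; printf '%s\n' "$LIBVIRT_FRAGMENT"; } \
        | count_duplicate_rules
}
# Saving through the strip step first, then replaying the fragment:
layered_dups() {
    { printf '%s\n' "$LOADED_DUMP" | strip_subsystem_rules
      printf '%s\n' "$LIBVIRT_FRAGMENT"; } | count_duplicate_rules
}
# How many base rules survive the strip, and how many SUBSYS_ mentions remain.
base_rule_count() {
    printf '%s\n' "$LOADED_DUMP" | strip_subsystem_rules \
        | awk '$1 == "-A" { n++ } END { print n + 0 }'
}
stripped_mentions() {
    printf '%s\n' "$LOADED_DUMP" | strip_subsystem_rules \
        | awk '/SUBSYS_/ { n++ } END { print n + 0 }'
}
```

The only real requirement the scheme places on subsystems is the one Dennis points at: their rules must be identifiable on save, here by the chain-name prefix, which also forces each package to keep its rules in its own chain and reach them through a single jump from a base chain. `iptables-restore --noflush` is what lets the fragments be layered on top of the base file at boot instead of replacing it.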