Firewall settings unworkable
dennisml at conversis.de
Sat Oct 2 00:17:49 UTC 2010
On 10/01/2010 10:36 PM, Richard W.M. Jones wrote:
> On Fri, Oct 01, 2010 at 02:00:46PM +0100, Tim Waugh wrote:
>> In system-config-printer I try to get it to modify the firewall to allow
>> in the various network query responses that we expect, [...]
> I should note, although it's not your fault, that this breaks
> libvirt networking.
> libvirt needs to add its own firewall rules too, and restarting the
> firewall breaks these rules until you restart the libvirt network and
> all your VMs.
> The root problem here is that our firewall rules aren't composable.
> As you can tell by the bug #, this issue has been around for quite a
> long time ...
I'm wondering what the actual requirements are in order to make it possible
for a service to add rules to the firewall. The discussion in the bug mixes
general requirements for such a feature with current iptables limitations,
which makes it difficult to understand the problem fully.
In a first step it would probably be best to create a layer on top of
iptables that manages the addition and removal of rules that can be
independently configured. That way you don't have to find quirky hacks for
iptables. "service iptables save" would then call the save function of
that management layer which in turn could save the iptables rules to a
temporary file, filter out the service rules and then save the
standard/global/default rules in /etc/sysconfig/iptables and the service
rules it filtered out into /etc/sysconfig/iptables.d/<service>. When loading,
the whole thing is executed in reverse.
Once workable semantics are found for such a management layer the second
step could be to move these features into iptables itself if possible.
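As an added illustration of the save/load split proposed above (example code, not from this thread or from any Fedora tool), the following Python assumes service-owned rules are tagged with an iptables comment match of the form "svc:<name>" (an assumed convention), splits a constructed iptables-save dump into the global rule set and per-service rule lists, and rebuilds iptables-restore input in reverse:

```python
import re
from collections import defaultdict

# Constructed sample of `iptables-save` output. Service-owned rules carry an
# iptables comment match "svc:<name>" (an assumed tagging convention).
SAMPLE_DUMP = """\
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
-A INPUT -p udp --dport 631 -m comment --comment "svc:cups" -j ACCEPT
-A FORWARD -i virbr0 -m comment --comment "svc:libvirt" -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
"""

SERVICE_TAG = re.compile(r'--comment "svc:([A-Za-z0-9_-]+)"')

def split_rules(dump):
    """Save side: return (global_lines, {service: [(table, rule), ...]}).
    Table headers, chain policies and COMMIT stay in the global part
    (/etc/sysconfig/iptables); each service's -A rules, remembered with
    their table, would go to /etc/sysconfig/iptables.d/<service>."""
    global_lines, services, table = [], defaultdict(list), None
    for line in dump.splitlines():
        if line.startswith('*'):
            table = line
        m = SERVICE_TAG.search(line)
        if m and line.startswith('-A'):
            services[m.group(1)].append((table, line))
        elif not line.startswith('#'):
            global_lines.append(line)
    return global_lines, dict(services)

def merge_rules(global_lines, services):
    """Load side: rebuild iptables-restore input. Service rules go at the
    head of their table's rule list, ahead of the global rules, so a global
    catch-all REJECT/DROP cannot shadow them (plain appending would)."""
    out, table = [], None
    for line in global_lines:
        if line.startswith('*'):
            table = line
        elif table and (line.startswith('-A') or line == 'COMMIT'):
            for svc in sorted(services):
                out.extend(r for t, r in services[svc] if t == table)
            table = None
        out.append(line)
    return '\n'.join(out) + '\n'
```

Where the service rules are re-inserted relative to a global catch-all is the part that makes the rules composable or not; here they are placed first so a trailing REJECT in the global set does not silently swallow them.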