Firewall settings unworkable
R P Herrold
herrold at owlriver.com
Wed Oct 6 20:26:59 UTC 2010
On Wed, 6 Oct 2010, Richard W.M. Jones wrote:
> Seems quite complex. What's wrong with a directory:
>
> /etc/iptables.d/
>
> where RPMs like libvirt just drop the required additional rules (in a
> separate chain if you like) and restart the iptables service? It's
> low-tech but simple and it's all that libvirt needs.
As iptables are 'first match wins', there is a need to be
willing to commit to documenting an SNN-type mechanism, and to
maintain it long term as well.
Considering the upstart and related 'dependency driven'
initscript mechanisms are all the vogue in some quarters these
days as well, integrating this as devices come and go, and
those devices optionally carry with them new network
connectivity patterns, appearing and disappearing, it is not
clear this is very workable.
-- Russ herrold
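To illustrate the ordering concern raised in this thread, here is an added simulation (not code from the thread, libvirt or Fedora) of first-match-wins evaluation over rule fragments dropped into an /etc/iptables.d/-style directory. The fragment names and rule lines are constructed for the demonstration, and the chain policy is assumed to be ACCEPT.

```python
"""Simulate first-match-wins evaluation of rules assembled from
/etc/iptables.d/-style fragments, to show why load order matters."""
import re

# Constructed fragments (not real libvirt or Fedora files): file name -> rules.
FRAGMENTS = {
    "libvirt.rules": [
        "-A INPUT -i virbr0 -p udp --dport 53 -j ACCEPT",
        "-A INPUT -i virbr0 -p udp --dport 67 -j ACCEPT",
    ],
    "default.rules": [
        "-A INPUT -j DROP",
    ],
}

# Minimal grammar: -A <chain> [<match> <value>]... -j <target>
RULE_RE = re.compile(r"-A (\S+)((?: -\S+ \S+)*) -j (\S+)$")


def assemble(fragments, order):
    """Concatenate fragment rule lines in the given file-name order,
    the way a loader that globs the directory would."""
    return [line for name in order for line in fragments[name]]


def parse(line):
    """Split one rule into (chain, {match: value}, target)."""
    m = RULE_RE.match(line)
    if not m:
        raise ValueError("unsupported rule: %s" % line)
    chain, opts, target = m.groups()
    toks = opts.split()
    return chain, dict(zip(toks[0::2], toks[1::2])), target


def verdict(rules, chain, packet):
    """Return the target of the first rule in `chain` whose matches all
    agree with `packet` (first match wins); fall through to the assumed
    ACCEPT policy if nothing matches."""
    for line in rules:
        rchain, matches, target = parse(line)
        if rchain != chain:
            continue
        if all(packet.get(k) == v for k, v in matches.items()):
            return target
    return "ACCEPT"


if __name__ == "__main__":
    dns = {"-i": "virbr0", "-p": "udp", "--dport": "53"}
    # Plain lexical order loads default.rules first: the DROP shadows libvirt.
    print(verdict(assemble(FRAGMENTS, sorted(FRAGMENTS)), "INPUT", dns))
    # An explicit SNN-style order loads libvirt first: DNS to guests is accepted.
    print(verdict(assemble(FRAGMENTS, ["libvirt.rules", "default.rules"]), "INPUT", dns))
```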