service iptables save, systemctl, and unhelpful error messages

"Jóhann B. Guðmundsson" johannbg at gmail.com
Wed Feb 15 14:45:32 UTC 2012


On 02/15/2012 01:15 PM, Emanuel Rietveld wrote:
> Currently, on Fedora 16, service iptables save prints the following:
>
> # service iptables save
> Redirecting to /bin/systemctl  save iptables.service
> Unknown operation save
>
> The service iptables save command is documented in a number of places 
> and has been recommended to users for years. See, for example, the 
> security guide: 
> http://docs.fedoraproject.org/en-US/Fedora/16/html/Security_Guide/sect-Security_Guide-Using_IPTables-Saving_and_Restoring_IPTables_Rules.html
>
> This breaking with the systemctl move is expected, but the unhelpful 
> error message is a usability bug. Executing service iptables save 
> should print "This is no longer supported. Please execute 
> /usr/libexec/iptables.init save" (See: 
> https://bugzilla.redhat.com/show_bug.cgi?id=748134 )
>
> From a technical perspective, that would mean the /sbin/service 
> wrapper would need to be rewritten to check a file for the command that 
> it is being asked to do, and print different error messages depending on 
> the situation.
>
> Of course that makes the currently simple wrapper script more complex, 
> but if we want to keep moving forward as fast as Fedora is, we should 
> make the extra effort to stay friendly to our users too.

Thomas Woerner has been working on a more user-friendly firewall 
solution for Fedora, so the firewall solution is in a bit of a state of flux in 
Fedora at this point in time, which explains why things are as they are.

He was going to push this in at the same time as systemd, in Fedora 
15, but due to various reasons he backed out of it at that time 
(but it is one of the F17 features).

Experienced admins don't use service iptables blah anyway (they use 
iptables commands directly), so it hardly matters to them. Documentation 
should, however, be updated for those that actually use service iptables 
blah to point this out, so you should file a DOC bug for it.

Somehow I doubt that any bugs will be fixed for this in either systemd 
(since this is not a systemd bug) or iptables (since Thomas is working on 
the new stuff and this does probably not climb high enough in his 
priority list anyway; he probably would not fix this until all the bits 
for that are in place).

So if you or others want this fixed, I'm pretty sure either side (most 
notably iptables) would gladly review and accept patches should they 
be submitted.

JBG

1. http://fedoraproject.org/wiki/Features/firewalld-default
2. http://fedoraproject.org/wiki/FirewallD/
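The wrapper change Emanuel asks for in the quoted mail, sketched as an added example (this is not Fedora's actual /sbin/service script; the lookup table file, its format and the dispatch function names are assumptions made for the illustration):

```shell
#!/bin/sh
# Before handing an action to systemctl, look it up in a per-service table of
# actions that the systemd unit does not implement, and print a pointed message
# instead of systemctl's "Unknown operation". Assumed table format per line:
#   <service> <action> <replacement command>
LEGACY_TABLE="${LEGACY_TABLE:-${TMPDIR:-/tmp}/service-legacy-actions.conf}"

# Constructed sample table for this example.
write_sample_table() {
    cat > "$LEGACY_TABLE" <<'EOF'
# service action replacement
iptables save /usr/libexec/iptables.init save
ip6tables save /usr/libexec/ip6tables.init save
EOF
}

# Print the replacement command for <service> <action>; status 1 if none.
legacy_replacement() {
    svc="$1"; act="$2"
    [ -r "$LEGACY_TABLE" ] || return 1
    while read -r t_svc t_act t_cmd; do
        case "$t_svc" in ''|'#'*) continue ;; esac   # skip blanks/comments
        if [ "$t_svc" = "$svc" ] && [ "$t_act" = "$act" ]; then
            printf '%s\n' "$t_cmd"
            return 0
        fi
    done < "$LEGACY_TABLE"
    return 1
}

# Decide what the wrapper would do and print that one line. It never runs
# systemctl itself, so it is safe to call anywhere. Status 2 marks a retired
# action (a refusal, not a redirect); status 0 a normal redirect.
service_dispatch() {
    svc="$1"; act="$2"
    if repl=$(legacy_replacement "$svc" "$act"); then
        printf 'This is no longer supported. Please execute %s\n' "$repl"
        return 2
    fi
    printf 'Redirecting to /bin/systemctl %s %s.service\n' "$act" "$svc"
    return 0
}
```

Run `write_sample_table` once, then `service_dispatch iptables save` and `service_dispatch iptables restart` to see the two paths.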


