Re: [RFC] iptables module

Krzysztof A. Adamski wrote:
> On Wed, 26 Mar 2008 08:56:21 -0400
> Michael DeHaan <mdehaan@xxxxxxxxxx> wrote:
>>     -- Persistence (you mentioned this)
>>     -- Support "save" to write stuff to /etc/sysconfig/iptables
> How should these two be different? I would like to be as distro
> independent as possible. I would like to call
> "/sbin/iptables-save" and store the result in the appropriate place. This
> will be different in distros other than Fedora, so I would like it to be
> configurable. What is the best (standard) way of handling this?

Save versus the service call sounds fine to me. I very much agree with the cause of cross-distro usage.

Is /etc/sysconfig/iptables standard across distros? If not, you could possibly check to see
if the likely suspects exist and just use the ones you find.

>>     -- Possibly allow functions to take lists as well, so if you
>> wanted to add 10 different rules, it wouldn't be 10 calls.
> Could you give me an example of a module doing that so I can see what
> exactly you mean?

I was asking whether something like the following might make sense...

iptables.reject_from([
"192.168.0.10", ...
])

Since the iptables stuff already accepts CIDR notation I'm not sure whether that's a huge concern or not, and the iptables command
is already pretty fast.

>> I definitely like the option of being able to do REJECT instead of
>> DROP, since that plays nicer with external error
>> handling.
> This is easy. I could just clone "drop*" methods and change their names
> to "reject*", like this:
>   func '*' call iptables reject_from 192.168.0.10
>   func '*' call iptables.port reject_to 80 192.168.0.10

Sounds good...

>> Feel free to hack on it some more if you like, I'll commit it
>> whenever you're ready -- or we can go ahead and check
>> this version in now too.
> I would like to get some comments on the code and API of this module.
> Just a quick look, maybe something could be done simpler/better?

Those comments above were pretty much that, it looks fine to me and we can expand it later
as usage/testing from others requires. I didn't see anything that stood out.

Thanks!

--Michael
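As an added illustration of the API shape discussed in this thread (this is example code, not the Func project's iptables module or anything posted by either author), the sketch below has drop*/reject* methods sharing one rule builder, accepts a single host or a list of hosts, picks the iptables-save destination from a configurable path or a list of per-distro candidates, and checks that every host argument is an address or CIDR block before it reaches iptables, so a caller cannot pass something like "--flush" in the host position and have it parsed as an option. The class name Iptables, the SAVE_CANDIDATES list, the runner hook, and the `dump` parameter on save() are assumptions made for the example; a real Func module would subclass Func's module base class instead of plain object, which this example leaves out so it runs stand-alone.

```python
"""Sketch of the drop*/reject* API discussed above (added example, not
Func's own module code).  Assumptions: the class name Iptables, the list of
candidate save files, and the `runner` hook used to execute commands."""
import ipaddress
import os
import subprocess

IPTABLES = "/sbin/iptables"
IPTABLES_SAVE = "/sbin/iptables-save"

# Assumed per-distro locations of the saved ruleset; the first one that
# exists on the box wins unless a path is configured explicitly.
SAVE_CANDIDATES = [
    "/etc/sysconfig/iptables",   # Fedora / RHEL
    "/etc/iptables/rules.v4",    # Debian / Ubuntu (iptables-persistent)
]


def save_path(configured=None, candidates=SAVE_CANDIDATES):
    """Return the file iptables-save output should be written to, or None."""
    if configured:
        return configured
    for path in candidates:
        if os.path.exists(path):
            return path
    return None


def check_host(host):
    """Accept a single IPv4/IPv6 address or CIDR block, nothing else.

    Without this, a caller-supplied string such as "--flush" would reach
    iptables in the address position and be parsed as an option.
    """
    try:
        net = ipaddress.ip_network(host, strict=False)
    except ValueError:
        raise ValueError("not an address or CIDR block: %r" % (host,))
    return str(net)  # normalised, e.g. "192.168.0.10/32"


def build_rules(action, hosts, port=None, chain="INPUT", proto="tcp"):
    """One iptables argv per host; hosts may be a string or a list."""
    if action not in ("DROP", "REJECT"):
        raise ValueError("unsupported target: %r" % (action,))
    if isinstance(hosts, str):
        hosts = [hosts]
    rules = []
    for host in hosts:
        # -I (insert at top) so the block takes effect ahead of any ACCEPT.
        argv = [IPTABLES, "-I", chain, "-s", check_host(host)]
        if port is not None:
            argv += ["-p", proto, "--dport", str(int(port))]
        argv += ["-j", action]
        rules.append(argv)
    return rules


class Iptables(object):
    """drop_from/reject_from share one builder; only the target differs."""

    def __init__(self, runner=None, save_file=None):
        # runner executes an argv and returns its exit status; it is
        # replaced in tests so no rules are actually changed.
        self.runner = runner or (lambda argv: subprocess.call(argv))
        self.save_file = save_file

    def _apply(self, action, hosts, port=None):
        return [self.runner(argv) for argv in build_rules(action, hosts, port)]

    def drop_from(self, hosts):
        return self._apply("DROP", hosts)

    def reject_from(self, hosts):
        return self._apply("REJECT", hosts)

    def port_drop_to(self, port, hosts):
        return self._apply("DROP", hosts, port)

    def port_reject_to(self, port, hosts):
        return self._apply("REJECT", hosts, port)

    def save(self, dump=None):
        """Write iptables-save output (or `dump`, for tests) to the save file.

        Written to a temp file and renamed into place with mode 0600, so a
        crash mid-write cannot leave a truncated ruleset for the next boot.
        """
        path = save_path(self.save_file)
        if path is None:
            raise RuntimeError("no known save location; set save_file")
        if dump is None:
            dump = subprocess.check_output([IPTABLES_SAVE])
        tmp = path + ".tmp"
        fd = os.open(tmp, os.O_WRONLY | os.O_CREAT | os.O_TRUNC, 0o600)
        with os.fdopen(fd, "wb") as f:
            f.write(dump)
        os.replace(tmp, path)
        return path
```

The second CLI call quoted above, `func '*' call iptables.port reject_to 80 192.168.0.10`, maps to `Iptables().port_reject_to(80, "192.168.0.10")` here, and `reject_from` takes either one address or a list so ten hosts cost one call. The host check is the part worth keeping whatever the final API looks like: the module runs as root on every managed box, and the address argument is the one field that comes straight from the caller.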



_______________________________________________
Func-list mailing list
Func-list@xxxxxxxxxx
https://www.redhat.com/mailman/listinfo/func-list
