On 10/01/2010 10:36 PM, Richard W.M. Jones wrote:
> On Fri, Oct 01, 2010 at 02:00:46PM +0100, Tim Waugh wrote:
>> In system-config-printer I try to get it to modify the firewall to allow
>> in the various network query responses that we expect, [...]
>
> I should note, although it's not your fault, that this breaks
> libvirt networking.
>
> libvirt needs to add its own firewall rules too, and restarting the
> firewall breaks these rules until you restart the libvirt network and
> all your VMs.
>
> The root problem here is that our firewall rules aren't composable.
> As you can tell by the bug #, this issue has been around for quite a
> long time ...
>
> https://bugzilla.redhat.com/show_bug.cgi?id=227011

I'm wondering what the actual requirements are in order to make it
possible for a service to add rules to the firewall. The discussion in
the bug mixes general requirements for such a feature with current
iptables limitations, which makes it difficult to understand the problem
fully.

In a first step it would probably be best to create a layer on top of
iptables that manages the addition and removal of rules that can be
independently configured. That way you don't have to find quirky hacks
for iptables. "service iptables save" would then call the save function
of that management layer, which in turn could save the iptables rules to
a temporary file, filter out the service rules and then save the
standard/global/default rules in /etc/sysconfig/iptables and the service
rules it filtered out into /etc/sysconfig/iptables.d/<service>. When
loading, the whole thing is executed in reverse.

Once workable semantics are found for such a management layer, the
second step could be to move these features into iptables itself if
possible.

Regards,
Dennis

-- 
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
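The save/load split sketched in the message above, as an added illustration written for this page (it is not code from the thread, from Fedora or from any iptables tooling). It assumes one convention the thread does not specify: a service marks its own rules with an iptables comment match of the form `-m comment --comment "service:<name>"`, which is how the layer tells service rules apart from the global ones in `iptables-save` output. The directory layout (`<base>/iptables` plus `<base>/iptables.d/<service>`) mirrors the `/etc/sysconfig` paths proposed in the message; the sample dump is constructed and not taken from a real host.

```python
"""Split an iptables-save dump into global and per-service rule files, and merge them back.

Assumed convention (not from the mailing-list post): a service tags each of its
rules with `-m comment --comment "service:<name>"`.
"""
import os
import re
import tempfile

# Matches the hypothetical service tag inside a saved rule line.
SERVICE_TAG = re.compile(r'--comment\s+"?service:([A-Za-z0-9_.-]+)"?')

# Constructed sample of iptables-save output; the addresses and ports are illustrative.
SAMPLE_DUMP = """\
# Generated by iptables-save (constructed sample)
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
-A INPUT -i virbr0 -p udp -m udp --dport 53 -m comment --comment "service:libvirt" -j ACCEPT
-A INPUT -p udp -m udp --dport 631 -m comment --comment "service:cups" -j ACCEPT
-A FORWARD -i virbr0 -o virbr0 -m comment --comment "service:libvirt" -j ACCEPT
-A INPUT -j REJECT --reject-with icmp-host-prohibited
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -s 192.168.122.0/24 ! -d 192.168.122.0/24 -m comment --comment "service:libvirt" -j MASQUERADE
COMMIT
"""


def parse_tables(text):
    """Parse iptables-save text into {table: [lines]} without the *table and COMMIT lines."""
    tables = {}
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("*"):
            current = tables.setdefault(line[1:], [])
        elif line == "COMMIT":
            current = None
        elif current is None:
            raise ValueError("line outside a table: %r" % line)
        else:
            current.append(line)
    return tables


def render(tables):
    """Render {table: [lines]} back into iptables-restore input."""
    out = []
    for table, lines in tables.items():
        out.append("*" + table)
        out.extend(lines)
        out.append("COMMIT")
    return "\n".join(out) + "\n"


def split_dump(dump):
    """Return (global_text, {service: service_text}).

    Chain declarations (':INPUT ACCEPT [0:0]') and untagged rules stay global;
    tagged '-A' rules go to their service. Each fragment keeps its table
    headers so it can be loaded alone with `iptables-restore -n`.
    """
    global_tables = {}
    service_tables = {}
    for table, lines in parse_tables(dump).items():
        global_tables[table] = []
        for line in lines:
            match = SERVICE_TAG.search(line) if line.startswith("-A ") else None
            if match:
                service_tables.setdefault(match.group(1), {}).setdefault(table, []).append(line)
            else:
                global_tables[table].append(line)
    per_service = {name: render(t) for name, t in sorted(service_tables.items())}
    return render(global_tables), per_service


def merge(global_text, per_service):
    """Reverse of split_dump: global rules first, then each service's rules appended per table."""
    merged = parse_tables(global_text)
    for name in sorted(per_service):
        for table, lines in parse_tables(per_service[name]).items():
            merged.setdefault(table, []).extend(lines)
    return render(merged)


def save_tree(base_dir, dump):
    """Write <base>/iptables and <base>/iptables.d/<service>; return the service names written."""
    global_text, per_service = split_dump(dump)
    os.makedirs(os.path.join(base_dir, "iptables.d"), exist_ok=True)
    with open(os.path.join(base_dir, "iptables"), "w") as fh:
        fh.write(global_text)
    for name, text in per_service.items():
        with open(os.path.join(base_dir, "iptables.d", name), "w") as fh:
            fh.write(text)
    return sorted(per_service)


def load_tree(base_dir):
    """Read the global file plus every iptables.d fragment and return one restore input."""
    with open(os.path.join(base_dir, "iptables")) as fh:
        global_text = fh.read()
    frag_dir = os.path.join(base_dir, "iptables.d")
    per_service = {}
    for name in sorted(os.listdir(frag_dir)) if os.path.isdir(frag_dir) else []:
        with open(os.path.join(frag_dir, name)) as fh:
            per_service[name] = fh.read()
    return merge(global_text, per_service)


def roundtrip_demo(dump=SAMPLE_DUMP):
    """Save the dump into a temporary tree, load it back, and compare with an in-memory merge."""
    base = tempfile.mkdtemp(prefix="iptables-layer-")
    names = save_tree(base, dump)
    global_text, per_service = split_dump(dump)
    return names, load_tree(base) == merge(global_text, per_service)


if __name__ == "__main__":
    print(roundtrip_demo())
```

Two things worth noticing when running this against the sample. First, the global file ends INPUT with a catch-all REJECT, and `merge` appends each service's rules after it, so the reloaded ruleset would never reach the libvirt and cups ACCEPTs; the original dump had them before the REJECT. That ordering loss is the composability problem the thread is about, and any real management layer has to give services a defined insertion point (for instance a dedicated chain jumped to before the terminal rule) rather than appending. Second, restoring a service fragment on its own only works with `iptables-restore -n` (no flush), otherwise loading one service's file wipes everything else, which is the same failure the quoted message describes for libvirt.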