On 10/06/2010 08:31 PM, Richard W.M. Jones wrote:
> Seems quite complex. What's wrong with a directory:
>
> /etc/iptables.d/
>
> where RPMs like libvirt just drop the required additional rules (in a
> separate chain if you like) and restart the iptables service? It's
> low-tech but simple and it's all that libvirt needs.

If you do an "/etc/init.d/iptables save" and then reboot the machine, you will probably end up with duplicate rules, because the libvirt rules are now created from /etc/sysconfig/iptables and then again from the respective iptables.d file.

That's why I mentioned the two-layer approach. You basically need a layer that loads the basic rules and then applies the per-subsystem ones, and that is able to extract the per-subsystem rules again on save. This could be relatively easy or very hard depending on the subset of rules you want to support for the subsystems.

Thomas Woerner's idea looks like the best approach to this. I was aiming for a more iterative approach using scripts instead of a daemon, but if Thomas has fleshed this out already and has some code working, then more power to him :)

Regards,
Dennis

-- 
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
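The "extract the per-subsystem rules again on save" step of the two-layer approach, as an added illustration that is not code from this thread or from Fedora's iptables service. It assumes a convention the thread only hints at: every subsystem keeps its rules in chains whose names carry an agreed prefix (here the assumed `SUBSYS_` prefix, e.g. a hypothetical `SUBSYS_LIBVIRT_FWD`), so that on save the base layer can drop those chains, the rules appended to them and the jumps into them before writing /etc/sysconfig/iptables. The sample iptables-save dump is constructed for the example; the filter works on text only and needs no root or running iptables.

```shell
#!/bin/sh
# Two-layer iptables persistence, save side (added example, hypothetical).
# Layer 1: base rules in /etc/sysconfig/iptables.
# Layer 2: per-subsystem rules loaded from /etc/iptables.d/<subsystem>,
#          each confined to chains named with SUBSYS_PREFIX (assumed).
# On "save" we strip layer-2 chains out of the running ruleset so that
# the next boot does not load them twice (once from the base file, once
# from iptables.d), which is the duplicate-rule problem described above.

SUBSYS_PREFIX="${SUBSYS_PREFIX:-SUBSYS_}"

# strip_subsystem_rules: iptables-save text on stdin -> filtered text on stdout.
# Drops: ":NAME - [0:0]" chain declarations whose NAME starts with the prefix,
#        "-A NAME ..." rules that append to such a chain,
#        rules that jump/goto (-j / -g) into such a chain.
# Table headers (*filter), policies and COMMIT lines pass through unchanged.
strip_subsystem_rules() {
    awk -v p="$SUBSYS_PREFIX" '
        /^:/ {                       # chain declaration
            name = substr($1, 2)
            if (index(name, p) == 1) next
        }
        /^-A/ {                      # rule line
            for (i = 1; i <= NF; i++) {
                if (($i == "-A" || $i == "-j" || $i == "-g") && i < NF &&
                    index($(i + 1), p) == 1) next
            }
        }
        { print }
    '
}

# sample_dump: constructed iptables-save output with one base rule and one
# hypothetical libvirt-owned chain (SUBSYS_LIBVIRT_FWD) hooked into FORWARD.
sample_dump() {
    cat <<'EOF'
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:SUBSYS_LIBVIRT_FWD - [0:0]
-A INPUT -i lo -j ACCEPT
-A FORWARD -j SUBSYS_LIBVIRT_FWD
-A SUBSYS_LIBVIRT_FWD -i virbr0 -o virbr0 -j ACCEPT
COMMIT
EOF
}

# filtered_line_count: number of lines left after stripping the sample dump.
filtered_line_count() {
    sample_dump | strip_subsystem_rules | awk 'END { print NR }'
}

# Real use would be:  iptables-save | strip_subsystem_rules > /etc/sysconfig/iptables
# followed on boot by iptables-restore of the base file and then of each
# /etc/iptables.d/* file (the load side is not shown here).
if [ "${1:-}" = "--demo" ]; then
    sample_dump | strip_subsystem_rules
fi
```

The filter keys only on chain names, so a subsystem that puts a rule directly into INPUT or FORWARD (rather than a jump into its own chain) would still be duplicated; that is exactly the "subset of rules you want to support" trade-off the message refers to, and a loader would enforce the convention by rejecting iptables.d files that touch built-in chains other than via a single `-j SUBSYS_*` hook.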