Stephen Hemminger wrote:
Is there any strong reason why checking the status of iptables is restricted? Vyatta makes a distribution for routers. In our case, we use a non-root account for operator commands, and some of the commands are about querying iptables status. It seems to be less risky to just fix the kernel to allow a non-root user to query rules than the current script that uses sudo. Another alternative would be building a special restricted command that could be setuid root, but just changing the kernel seems easiest.
I always thought of it as a privacy thing, similar to restricting /proc/net/nf_conntrack. But since iptables rules usually don't allow you to determine active connections just from the packet counters, that might be overkill. So I don't see any real harm in allowing users to list the ruleset. I'll queue this patch for 2.6.26 if nobody has any objections.