Re: iptables-save and ip6tables-save exit code with no tables

Victor Stinner wrote:
> When I set up the firewall rules, I would like to be able to "rollback" to the previous valid state. I'm using this pseudo-code:
>  iptables-save > previous_rules
>  if ! iptables-restore < new_rules; then
>      iptables-restore < previous_rules
>  fi
>
> First problem is that iptables-save doesn't load the needed kernel modules to get the table list. Second problem is that iptables-save (with no argument) exits with code 0 (success) even if /proc/net/ip_tables_names is empty.
>
> In my pseudo-code: if previous_rules is empty, "iptables-restore < previous_rules" doesn't restore the previous status (iptables-restore does nothing with empty input). I have to check iptables-save exit code *and* that previous_rules is not empty.
>
> If the kernel module ip_tables is loaded, /proc/net/ip_tables_names exists but is empty. The module iptable_filter is needed to fill /proc/net/ip_tables_names.
>
> Same problems with ip6tables-save with /proc/net/ip6_tables_names, and modules ip6_tables and ip6table_filter.

It's actually ip_tables and ip6_tables that are needed to create this
file.

> Attached patch changes iptables-save and ip6tables-save behaviour: if there is no table, print the message:
>   iptables-save v1.4.1: /proc/net/ip_tables_names is empty
> and the exit code is 1 (error).
>
> The message may be changed for a better message :-)

I don't think we should treat this as an error, but simply output
nothing. Regarding rollback, iptables-save/restore can't know about
not-loaded tables, so what you should do is either load the table
modules manually or use the "-t" parameter to iptables-save.
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at  http://vger.kernel.org/majordomo-info.html
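The rollback procedure discussed in this thread, as an added example that is not part of either mail: a POSIX shell script that snapshots one table explicitly with -t (as the reply suggests), refuses to proceed when the snapshot is empty even though iptables-save exited 0, and only then applies the new rules with a rollback path. IPT_SAVE and IPT_RESTORE are assumed override variables (not iptables options) so the logic can be exercised with stub scripts; the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the thread. IPT_SAVE/IPT_RESTORE are assumed
# override variables so the logic can be exercised with stub scripts.
IPT_SAVE="${IPT_SAVE:-iptables-save}"
IPT_RESTORE="${IPT_RESTORE:-iptables-restore}"

# save_rules TABLE OUTFILE
# Snapshot one table explicitly with -t and treat an empty snapshot as a
# failure: iptables-save exits 0 even when the table is not loaded, and
# iptables-restore silently does nothing with empty input.
save_rules() {
    table=$1; out=$2
    if ! "$IPT_SAVE" -t "$table" > "$out"; then
        echo "save_rules: $IPT_SAVE -t $table failed" >&2
        return 1
    fi
    if [ ! -s "$out" ]; then
        echo "save_rules: $IPT_SAVE -t $table printed nothing (table not loaded?)" >&2
        return 1
    fi
    return 0
}

# apply_with_rollback TABLE NEWRULES
# Exit status: 0 new rules applied; 1 no usable snapshot, nothing changed;
# 2 new rules rejected and previous rules restored; 3 rollback also failed.
apply_with_rollback() {
    table=$1; new=$2
    prev=$(mktemp) || return 1
    if ! save_rules "$table" "$prev"; then
        rm -f "$prev"
        return 1
    fi
    if "$IPT_RESTORE" < "$new"; then
        rm -f "$prev"
        return 0
    fi
    echo "apply_with_rollback: $new rejected, rolling back" >&2
    if "$IPT_RESTORE" < "$prev"; then
        rm -f "$prev"
        return 2
    fi
    echo "apply_with_rollback: rollback failed, snapshot kept in $prev" >&2
    return 3
}
```

Source the file as root and call `apply_with_rollback filter /path/to/new_rules`; a return of 1 means the firewall was never touched, which is exactly the case the plain `iptables-save > previous_rules` pattern above gets wrong.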
