[Bug 580] iptables-restore and iptables-save lack comparison of a saved ruleset against the currently deployed rules

bugzilla-daemon at netfilter.org bugzilla-daemon at netfilter.org
Mon Jun 24 20:32:24 CEST 2013


https://bugzilla.netfilter.org/show_bug.cgi?id=580

--- Comment #6 from Jan Engelhardt <jengelh at medozas.de> 2013-06-24 20:32:22 CEST ---
>Unclear how you can say with certainty that this is impossible

Right now, tables are output in permutations that are considered to be random.
(Sure there is module load order, but that is not documented, nor is it
actually a usable assumption for any script writer. The module load order
resonates on save-restore cycles.) Because a sorted permutation lies within the
set of possible permutations, scripts expecting the random order do already
support the sorted order.

Why should iptables do this? Because anything users have to construct above it
is going to be more error-prone, because prominent system utilities (ls, top)
also offer to do it, for the same reason and for user convenience. Consider the
opposite point: would you be thrilled if all the rules were in random order
too? (Assuming of course they be prefixed with a rule number to disambiguate
between them.)

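The comparison the bug asks for can be approximated outside iptables by canonicalizing two dumps before diffing them: tables sorted by name (the "sorted permutation" argued for above), chain policies sorted, counters and the timestamp comments dropped, and rule order within each chain preserved since that order is semantically meaningful. The script below is an added example written for this page, not code from the bug report or from the iptables project; the two dumps it compares are constructed samples in iptables-save syntax, and the function names are the example's own.

```python
"""Canonicalize iptables-save output so a saved ruleset can be diffed against
the deployed one regardless of the order in which tables are emitted.
Added example; SAVED/LIVE_* below are constructed sample dumps."""
import difflib
import re
from typing import Dict, List, Tuple

# iptables-save -c prefixes rules with "[packets:bytes]"; those differ between
# otherwise identical dumps and must not count as a difference.
_COUNTER = re.compile(r'^\[\d+:\d+\]\s*')


def parse_dump(text: str) -> Dict[str, Tuple[Dict[str, str], List[str]]]:
    """Split a dump into {table: (chain policies, rule lines)}.

    '#' comment lines (the "Generated by"/"Completed on" timestamps) are
    discarded; chain counters and rule counters are stripped.
    """
    tables: Dict[str, Tuple[Dict[str, str], List[str]]] = {}
    table = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        if line.startswith('*'):                 # "*filter" opens a table
            table = line[1:]
            tables[table] = ({}, [])
            continue
        if line == 'COMMIT':                     # closes the current table
            table = None
            continue
        if table is None:
            raise ValueError(f"line outside a table block: {line!r}")
        chains, rules = tables[table]
        if line.startswith(':'):                 # ":INPUT DROP [0:0]"
            name, policy, _counters = line[1:].split(' ', 2)
            chains[name] = policy
        else:
            rules.append(_COUNTER.sub('', line))
    return tables


def canonical(text: str) -> str:
    """Deterministic text form: tables and chain definitions sorted by name,
    rules kept in their original (significant) order."""
    out: List[str] = []
    for name in sorted(parse_dump(text)):
        chains, rules = parse_dump(text)[name]
        out.append(f"*{name}")
        out.extend(f":{chain} {chains[chain]}" for chain in sorted(chains))
        out.extend(rules)
        out.append("COMMIT")
    return "\n".join(out) + "\n"


def diff_rulesets(saved: str, live: str) -> List[str]:
    """Unified diff of the canonical forms; empty list means equivalent."""
    return list(difflib.unified_diff(canonical(saved).splitlines(),
                                     canonical(live).splitlines(),
                                     'saved', 'live', lineterm=''))


# Constructed sample: the ruleset as stored on disk.
SAVED = """\
# Generated by iptables-save (constructed sample) on Mon Jun 24 20:00:00 2013
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A INPUT -p tcp --dport 22 -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
-A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
# Completed on Mon Jun 24 20:00:00 2013
"""

# Same rules dumped later with -c: tables in the other order, live counters.
LIVE_REORDERED = """\
# Generated by iptables-save (constructed sample) on Tue Jun 25 09:12:41 2013
*nat
:PREROUTING ACCEPT [523:31207]
:POSTROUTING ACCEPT [88:6112]
[88:6112] -A POSTROUTING -o eth0 -j MASQUERADE
COMMIT
*filter
:INPUT DROP [17:1020]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [9001:812345]
[4410:392011] -A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
[12:720] -A INPUT -p tcp --dport 22 -j ACCEPT
COMMIT
# Completed on Tue Jun 25 09:12:41 2013
"""

# Drifted ruleset: one rule was added on the box but never saved.
LIVE_DRIFT = SAVED.replace("-A INPUT -p tcp --dport 22 -j ACCEPT\n",
                           "-A INPUT -p tcp --dport 22 -j ACCEPT\n"
                           "-A INPUT -p tcp --dport 2222 -j ACCEPT\n")

if __name__ == "__main__":
    print("reordered dump differs:", bool(diff_rulesets(SAVED, LIVE_REORDERED)))
    print("\n".join(diff_rulesets(SAVED, LIVE_DRIFT)))
```

On a real host the two inputs would be the saved file and the output of `iptables-save -c`; the canonical form is what you would store or hash if you want a cheap "has the deployed ruleset changed" check rather than a full diff.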


