<html>
    <head>
      <base href="https://bugzilla.netfilter.org/" />
    </head>
    <body><table border="1" cellspacing="0" cellpadding="8">
        <tr>
          <th>Bug ID</th>
          <td><a class="bz_bug_link 
          bz_status_NEW "
   title="NEW - please provide a firewall scripts drop-in folder"
   href="https://bugzilla.netfilter.org/show_bug.cgi?id=1078">1078</a>
          </td>
        </tr>

        <tr>
          <th>Summary</th>
          <td>please provide a firewall scripts drop-in folder
          </td>
        </tr>

        <tr>
          <th>Product</th>
          <td>iptables
          </td>
        </tr>

        <tr>
          <th>Version</th>
          <td>unspecified
          </td>
        </tr>

        <tr>
          <th>Hardware</th>
          <td>other
          </td>
        </tr>

        <tr>
          <th>OS</th>
          <td>All
          </td>
        </tr>

        <tr>
          <th>Status</th>
          <td>NEW
          </td>
        </tr>

        <tr>
          <th>Severity</th>
          <td>enhancement
          </td>
        </tr>

        <tr>
          <th>Priority</th>
          <td>P5
          </td>
        </tr>

        <tr>
          <th>Component</th>
          <td>unknown
          </td>
        </tr>

        <tr>
          <th>Assignee</th>
          <td>netfilter-buglog@lists.netfilter.org
          </td>
        </tr>

        <tr>
          <th>Reporter</th>
          <td>adrelanos@riseup.net
          </td>
        </tr></table>
      <p>
        <div>
        <pre>### feature request

Please provide a firewall scripts drop-in folder.

I.e. please provide a folder such as
`/usr/share/netfilter-persistent/plugins.d` where one can drop arbitrary
scripts which will be executed early enough during the boot process in lexical
order when the netfilter-persistent.service is started.

Firewall rules ought to be loaded before anything might issue any network
traffic. And there also should be a failure condition that fails closed.

Providing this by the netfilter project would provide a sane, secure,
canonical, distribution-agnostic way to get firewall scripts loaded. This is
better than various sysadmins and distributions coming up with custom
mechanisms and getting them wrong since all of this is non-trivial.

### existing similar implementation / alternative

There already is netfilter-persistent which is attempting to do that.

* <a href="http://manpages.org/netfilter-persistent/8">http://manpages.org/netfilter-persistent/8</a>
* <a href="https://anonscm.debian.org/cgit/collab-maint/iptables-persistent.git/tree/systemd/netfilter-persistent.service">https://anonscm.debian.org/cgit/collab-maint/iptables-persistent.git/tree/systemd/netfilter-persistent.service</a>
* <a href="https://anonscm.debian.org/cgit/collab-maint/iptables-persistent.git/tree/netfilter-persistent">https://anonscm.debian.org/cgit/collab-maint/iptables-persistent.git/tree/netfilter-persistent</a>
* <a href="https://packages.debian.org/de/jessie/iptables-persistent">https://packages.debian.org/de/jessie/iptables-persistent</a>

<span class="quote">> netfilter-persistent uses a set of plugins to load, flush and save netfilter rules at boot and halt time. Plugins can be written in any suitable language and stored in /usr/share/netfilter-persistent/plugins.d</span>

<span class="quote">> Plugins can be written in any language and are merely executed by netfilter-persistent with a single argument. All plugins are stored in `/usr/share/netfilter-persistent/plugins.d`.</span>

<span class="quote">> Plugins must implement the start flush and save arguments and must not rely on additional arguments for other functionality.
> Plugins must return 0 on success and any other code on failure.</span>

It also has a `FLUSH_ON_STOP` option, which is disabled by default.

Overall I think that netfilter-persistent thought this through quite well and
came up with a nice mechanism. However, it is not that simple to get everything
right.

netfilter-persistent bug reports:

* netfilter-persistent loads firewall rules too late -
<a href="http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=829640">http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=829640</a>
* netfilter-persistent systemd service does not lock the network if
netfilter-persistent wrapper is failing at system bootup -
<a href="http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=829752">http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=829752</a>

Perhaps something could be learned from netfilter-persistent and perhaps it
could be upstreamed to netfilter.

### systemd

systemd developer Lennart Poettering said that this does not belong in the
systemd project, but perhaps in the netfilter project. Source:
<a href="https://github.com/systemd/systemd/issues/3661">https://github.com/systemd/systemd/issues/3661</a></pre>
        </div>
      </p>
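<p>The plugin contract quoted in the report (each plugin executed with a single argument, start/flush/save, exit 0 on success) together with the fail-closed requirement can be modelled in a few lines of POSIX sh. The script below is an added example written for this page; it is not netfilter-persistent's own code. It assumes a plugin directory passed as an argument instead of /usr/share/netfilter-persistent/plugins.d, builds constructed plugins in a temporary directory, and uses a stand-in fail-closed handler that only prints a message where a real deployment would install DROP policies.</p>

```shell
#!/bin/sh
# Added example, not netfilter-persistent's own code: a minimal plugin runner
# modelled on the plugins.d contract quoted in the report. Each plugin is run
# with a single argument (start|flush|save), in lexical order, and must exit 0;
# a non-zero exit during "start" triggers a fail-closed handler. The handler
# here only prints a message (a stand-in for installing DROP policies), and
# the plugin directory and its plugins are constructed in a temp directory.

# run_plugins DIR ACTION: execute every executable file in DIR in lexical
# order (the shell glob expands sorted by name), passing ACTION as the only
# argument. Stops at the first failing plugin and returns 1; 0 if all succeed.
run_plugins() {
    dir=$1
    action=$2
    for plugin in "$dir"/*; do
        [ -x "$plugin" ] || continue            # ignore non-executable files
        if ! "$plugin" "$action"; then
            echo "run_plugins: $plugin failed on '$action'" >&2
            return 1
        fi
    done
    return 0
}

# start_fail_closed DIR: boot-time entry point. If any plugin fails, invoke
# the fail-closed handler and return 1 so the service is marked failed
# instead of silently leaving the host with a partial rule set.
start_fail_closed() {
    if run_plugins "$1" start; then
        return 0
    fi
    # Stand-in for a real handler (assumed; e.g. setting DROP policies).
    echo "fail-closed: plugin failure, blocking all traffic" >&2
    return 1
}

# make_plugin DIR NAME EXITCODE: write a constructed plugin that records
# "NAME:ACTION" in DIR/order.log and exits with EXITCODE.
make_plugin() {
    pdir=$1
    pname=$2
    pcode=$3
    cat > "$pdir/$pname" <<EOF
#!/bin/sh
echo "$pname:\$1" >> "$pdir/order.log"
exit $pcode
EOF
    chmod +x "$pdir/$pname"
}

# demo_order: two succeeding plugins created out of order; prints the order
# in which they actually ran (lexical) and returns the runner's status (0).
demo_order() {
    d=$(mktemp -d)
    make_plugin "$d" 20-second 0
    make_plugin "$d" 10-first 0
    rc=0
    start_fail_closed "$d" || rc=$?
    paste -sd' ' "$d/order.log"
    rm -rf "$d"
    return $rc
}

# demo_failure: the middle plugin exits 3; the runner stops before 30-third,
# the fail-closed handler fires and the status is 1.
demo_failure() {
    d=$(mktemp -d)
    make_plugin "$d" 10-first 0
    make_plugin "$d" 20-bad 3
    make_plugin "$d" 30-third 0
    rc=0
    start_fail_closed "$d" || rc=$?
    paste -sd' ' "$d/order.log"
    rm -rf "$d"
    return $rc
}

# Stand-alone run: both scenarios, handler messages go to stderr.
echo "all plugins ok: $(demo_order)"
echo "one plugin bad: $(demo_failure)"
```

<p>The two points the report's linked bug reports turn on are visible here: the runner stops at the first non-zero exit rather than continuing to later plugins, and the entry point returns failure so that whatever service wrapper invokes it can refuse to consider the network "up". Whether rules are loaded early enough is a property of the unit ordering, not of the runner, and is not modelled.</p>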
    </body>
</html>