<html>

    <head>

      <base href="https://bugzilla.netfilter.org/" />

    </head>

    <body><table border="1" cellspacing="0" cellpadding="8">

        <tr>

          <th>Bug ID</th>

          <td><a class="bz_bug_link 

          bz_status_NEW "

   title="NEW - please provide a firewall scripts drop-in folder"

   href="https://bugzilla.netfilter.org/show_bug.cgi?id=1078">1078</a>

          </td>

        </tr>

        <tr>

          <th>Summary</th>

          <td>please provide a firewall scripts drop-in folder

          </td>

        </tr>

        <tr>

          <th>Product</th>

          <td>iptables

          </td>

        </tr>

        <tr>

          <th>Version</th>

          <td>unspecified

          </td>

        </tr>

        <tr>

          <th>Hardware</th>

          <td>other

          </td>

        </tr>

        <tr>

          <th>OS</th>

          <td>All

          </td>

        </tr>

        <tr>

          <th>Status</th>

          <td>NEW

          </td>

        </tr>

        <tr>

          <th>Severity</th>

          <td>enhancement

          </td>

        </tr>

        <tr>

          <th>Priority</th>

          <td>P5

          </td>

        </tr>

        <tr>

          <th>Component</th>

          <td>unknown

          </td>

        </tr>

        <tr>

          <th>Assignee</th>

          <td>netfilter-buglog@lists.netfilter.org

          </td>

        </tr>

        <tr>

          <th>Reporter</th>

          <td>adrelanos@riseup.net

          </td>

        </tr></table>

      <p>

        <div>

        <pre>### feature request

Please provide a firewall scripts drop-in folder.

I.e. please provide a folder such as

`/usr/share/netfilter-persistent/plugins.d` where one can drop arbitrary

scripts which will be executed early enough during the boot process in lexical

order when the netfilter-persistent.service is started.

Firewall rules ought to be load before anything might issue any network

traffic. And there also should be a failure condition that fails closed.

Providing this by the netfilter project would provide a sane, secure,

canonical, distribution-agnostic way to get firewall scripts loaded. This is

better than various sysadmins and distributions coming up with custom

mechanisms and getting them wrong since all of this is non-trivial.

### existing similar implementation / alternative

There already is netfilter-persistent which is attempting to do that.

* <a href="http://manpages.org/netfilter-persistent/8">http://manpages.org/netfilter-persistent/8</a>

*

<a href="https://anonscm.debian.org/cgit/collab-maint/iptables-persistent.git/tree/systemd/netfilter-persistent.service">https://anonscm.debian.org/cgit/collab-maint/iptables-persistent.git/tree/systemd/netfilter-persistent.service</a>

*

<a href="https://anonscm.debian.org/cgit/collab-maint/iptables-persistent.git/tree/netfilter-persistent">https://anonscm.debian.org/cgit/collab-maint/iptables-persistent.git/tree/netfilter-persistent</a>

* <a href="https://packages.debian.org/de/jessie/iptables-persistent">https://packages.debian.org/de/jessie/iptables-persistent</a>

<span class="quote">> netfilter-persistent uses a set of plugins to load, flush and save netfilter rules at boot and halt time. Plugins can be written in any suitable language and stored in /usr/share/netfilter-persistent/plugins.d </span >

<span class="quote">> Plugins can be written in any language and are merely executed by netfilter-persistent with a single argument. All plugins are stored in `/usr/share/netfilter-persistent/plugins.d`.</span >

<span class="quote">> Plugins must implement the start flush and save arguments and must not rely on additional arguments for other functionality.

> Plugins must return 0 on success and any other code on failure. </span >

It also has a `FLUSH_ON_STOP` option, which is disabled by default.

Overall I think, that netfilter-persistent thought this through quite well and

came up with a nice mechanism. However, it is not that simple to get everything

right.

netfilter-persistent bug reports:

* netfilter-persistent loads firewall rules too late -

<a href="http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=829640">http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=829640</a>

* netfilter-persistent systemd service does not lock the network if

netfilter-persistent wrapper is failing at system bootup -

<a href="http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=829752">http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=829752</a>

Perhaps something could be learned from netfilter-persistent and perhaps it

could be upstreamed to netfilter.

### systemd

systemd developer Lennart Poettering said, that this does not belong into the

systemd project, but perhaps into the netfilter project. Source:

<a href="https://github.com/systemd/systemd/issues/3661">https://github.com/systemd/systemd/issues/3661</a></pre>

        </div>

      </p>

      <hr>

      <span>You are receiving this mail because:</span>

      <ul>

          <li>You are watching all bug changes.</li>

      </ul>

    </body>

</html>