[Bug 1078] New: please provide a firewall scripts drop-in folder

bugzilla-daemon at netfilter.org bugzilla-daemon at netfilter.org
Thu Jul 7 15:49:31 CEST 2016 

https://bugzilla.netfilter.org/show_bug.cgi?id=1078

            Bug ID: 1078
           Summary: please provide a firewall scripts drop-in folder
           Product: iptables
           Version: unspecified
          Hardware: other
                OS: All
            Status: NEW
          Severity: enhancement
          Priority: P5
         Component: unknown
          Assignee: netfilter-buglog at lists.netfilter.org
          Reporter: adrelanos at riseup.net

### feature request

Please provide a firewall scripts drop-in folder.

I.e. please provide a folder such as
`/usr/share/netfilter-persistent/plugins.d` where one can drop arbitrary
scripts which will be executed early enough during the boot process in lexical
order when the netfilter-persistent.service is started.

Firewall rules ought to be load before anything might issue any network
traffic. And there also should be a failure condition that fails closed.

Providing this by the netfilter project would provide a sane, secure,
canonical, distribution-agnostic way to get firewall scripts loaded. This is
better than various sysadmins and distributions coming up with custom
mechanisms and getting them wrong since all of this is non-trivial.

### existing similar implementation / alternative

There already is netfilter-persistent which is attempting to do that.

* http://manpages.org/netfilter-persistent/8
*
https://anonscm.debian.org/cgit/collab-maint/iptables-persistent.git/tree/systemd/netfilter-persistent.service
*
https://anonscm.debian.org/cgit/collab-maint/iptables-persistent.git/tree/netfilter-persistent
* https://packages.debian.org/de/jessie/iptables-persistent

> netfilter-persistent uses a set of plugins to load, flush and save netfilter rules at boot and halt time. Plugins can be written in any suitable language and stored in /usr/share/netfilter-persistent/plugins.d 

> Plugins can be written in any language and are merely executed by netfilter-persistent with a single argument. All plugins are stored in `/usr/share/netfilter-persistent/plugins.d`.

> Plugins must implement the start flush and save arguments and must not rely on additional arguments for other functionality.
> Plugins must return 0 on success and any other code on failure. 

It also has a `FLUSH_ON_STOP` option, which is disabled by default.

Overall I think, that netfilter-persistent thought this through quite well and
came up with a nice mechanism. However, it is not that simple to get everything
right.

netfilter-persistent bug reports:

* netfilter-persistent loads firewall rules too late -
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=829640
* netfilter-persistent systemd service does not lock the network if
netfilter-persistent wrapper is failing at system bootup -
http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=829752

Perhaps something could be learned from netfilter-persistent and perhaps it
could be upstreamed to netfilter.

### systemd

systemd developer Lennart Poettering said, that this does not belong into the
systemd project, but perhaps into the netfilter project. Source:
https://github.com/systemd/systemd/issues/3661

-- 
You are receiving this mail because:
You are watching all bug changes.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.netfilter.org/pipermail/netfilter-buglog/attachments/20160707/f5470a5a/attachment.html>

More information about the netfilter-buglog mailing list