Discussion:
Bug#926927: Please add iptables.service and ip6tables.service symlinks
Laurent Bigonville
2019-04-12 10:50:01 UTC
Package: iptables-persistent
Version: 1.0.12
Severity: normal
Tags: patch

Hi,

In other distributions (mainly RH/Fedora), their equivalent package
(iptables-services) is installing systemd iptables.service and
ip6tables.service files.

Some other services (like firewalld) are using these in their own
.service file as dependency or conflict.

Would be nice if iptables-persistent was adding symlinks so other
services don't need to be modified.

Kind regards,
Laurent Bigonville

-- System Information:
Debian Release: buster/sid
APT prefers unstable-debug
APT policy: (500, 'unstable-debug'), (500, 'unstable'), (1, 'experimental-debug'), (1, 'experimental')
Architecture: amd64 (x86_64)

Kernel: Linux 5.0.0-trunk-amd64 (SMP w/8 CPU cores)
Locale: LANG=fr_BE.UTF-8, LC_CTYPE=fr_BE.UTF-8 (charmap=UTF-8), LANGUAGE=fr_BE:fr (charmap=UTF-8)
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
gustavo panizzo
2019-08-11 17:00:01 UTC
Hello

thanks for the patch, I'm working on this but I'll use alternatives
instead of dh_link, to provide an opportunity to other firewall managers
to use the same mechanism.

I'll test the solution more, then upload
--
IRC: gfa
GPG: 0x27263FA42553615F904A7EBE2A40A2ECB8DAD8D5
OLD GPG: 0x44BB1BA79F6C6333
Laurent Bigonville
2019-08-12 06:40:01 UTC
Post by gustavo panizzo
> Hello

Hello,

Post by gustavo panizzo
> thanks for the patch, I'm working on this but I'll use alternatives
> instead of dh_link, to provide an opportunity to other firewall managers
> to use the same mechanism.

There are other ways of achieving that with systemd, maybe a .target?
That might be a good idea to see with systemd upstream if such a target
cannot be introduced to avoid doing something Debian specific

I don't think that the alternative system is a good idea
gustavo panizzo
2019-08-12 20:20:02 UTC
Hello

Post by Laurent Bigonville
> Post by gustavo panizzo
> > Hello
> Hello,
> Post by gustavo panizzo
> > thanks for the patch, I'm working on this but I'll use alternatives
> > instead of dh_link, to provide an opportunity to other firewall managers
> > to use the same mechanism.
> There are other ways of achieving that with systemd, maybe a .target?
> That might be a good idea to see with systemd upstream if such a
> target cannot be introduced to avoid doing something Debian specific

I don't understand what I would achieve using a systemd target. Targets
are coordination points, similar to a runlevel.

I could create a firewall.target and add WantedBy=firewall.target on
iptables-persistent.service but that would not prevent firewalld and
others from doing the same and then we'd have multiple firewall managers
running at the same time.

If I got it all wrong and you have a counter example, pls show me

Post by Laurent Bigonville
> I don't think that the alternative system is a good idea

It is an extension of your initial idea, I don't want to exclusively own
iptables.service and then conflict with other firewall managers (ufw, arno,
ferm, etc) that may want to do the same, I have discussed this with
their maintainers.

I want users to be allowed to install more than one firewall manager at
the same time but not run more than one at the same time.
--
IRC: gfa
GPG: 0x27263FA42553615F904A7EBE2A40A2ECB8DAD8D5
OLD GPG: 0x44BB1BA79F6C6333