From: Patrick McHardy <kaber@trash.net>
To: Victor Stinner <victor.stinner@inl.fr>
Cc: netfilter-devel@vger.kernel.org
Subject: Re: iptables-save and ip6tables-save exit code with no tables
Date: Wed, 22 Oct 2008 08:29:47 +0200
Message-ID: <48FEC85B.5020406@trash.net>
In-Reply-To: <200810211136.49892.victor.stinner@inl.fr>

Victor Stinner wrote:
> When I setup the firewall rules, I would like to be able to "rollback" to the 
> previous valid state. I'm using this pseudo-code:
>  iptables-save > previous_rules
>  iptables-restore < new_rules
>  on error:
>     iptables-restore < previous_rules
> 
> First problem is that iptables-save doesn't load the needed kernel modules to 
> get the table list. Second problem is that iptables-save (with no argument) 
> exits with code 0 (success) even if /proc/net/ip_tables_names is empty.
> 
> In my pseudo-code: if previous_rules is empty, "iptables-restore < 
> previous_rules" doesn't restore the previous status (iptables-restore does 
> nothing with empty input). I have to check iptables-save exit code *and* that 
> previous_rules is not empty.
> 
> If the kernel module ip_tables is loaded, /proc/net/ip_tables_names exists but 
> is empty. The module iptable_filter is needed to 
> fill /proc/net/ip_tables_names.
> 
> Same problems with ip6tables-save with /proc/net/ip6_tables_names, and modules 
> ip6_tables and ip6table_filter.

It's actually ip_tables and ip6_tables that are needed to create this
file.

> The attached patch changes iptables-save and ip6tables-save behaviour: if there is 
> no table, print the message:
>   iptables-save v1.4.1: /proc/net/ip_tables_names is empty
> and the exit code is 1 (error).
> 
> The message may be changed for a better message :-)

I don't think we should treat this as an error, but simply output
nothing. Regarding rollback, iptables-save/restore can't know about
not-loaded tables, so what you should do is either load the table
modules manually or use the "-t" parameter to iptables-save.
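A shell sketch of the save/apply/rollback sequence from the first message, with the checks this thread argues for: refuse a snapshot that iptables-restore would silently ignore, and name the tables with -t so an unloaded table fails loudly. This is an added example, not code from either poster or from the iptables project; it assumes iptables-save and iptables-restore on PATH, and takes the command names from IPTABLES_SAVE/IPTABLES_RESTORE so the checking logic can be exercised with stand-ins.

```shell
#!/bin/sh
# Added example, not code from the thread. Snapshot, apply, roll back,
# but never trust a snapshot that iptables-restore would silently ignore.
# Command names are overridable so the checks can be run with stand-ins.
IPTABLES_SAVE="${IPTABLES_SAVE:-iptables-save}"
IPTABLES_RESTORE="${IPTABLES_RESTORE:-iptables-restore}"

# A snapshot is usable only if it has at least one "*table" header and
# one COMMIT per table. An empty file (no tables loaded in the kernel)
# is exactly the case from the first message: iptables-save exits 0,
# and feeding the empty file to iptables-restore restores nothing.
ruleset_is_usable() {
    f="$1"
    [ -s "$f" ] || return 1
    tables=$(grep -c '^\*[a-z]*$' "$f" || true)
    commits=$(grep -c '^COMMIT$' "$f" || true)
    [ "$tables" -gt 0 ] && [ "$tables" -eq "$commits" ]
}

# Name the tables explicitly with -t, as the reply suggests: a table
# that is not loaded then surfaces as a failing command instead of as
# silence. Returns non-zero if any table cannot be dumped or the
# resulting file is not usable.
snapshot_tables() {
    out="$1"; shift
    : > "$out"
    for t in "$@"; do
        "$IPTABLES_SAVE" -t "$t" >> "$out" || return 1
    done
    ruleset_is_usable "$out"
}

# apply_with_rollback NEW_RULES PREV_FILE TABLE...
# 0: new rules applied. 1: restore failed, previous snapshot reloaded.
# 2: no usable snapshot, so nothing was changed (rollback impossible).
apply_with_rollback() {
    new_rules="$1"; prev="$2"; shift 2
    if ! snapshot_tables "$prev" "$@"; then
        echo "no usable snapshot of: $*; leaving rules untouched" >&2
        return 2
    fi
    if "$IPTABLES_RESTORE" < "$new_rules"; then
        return 0
    fi
    echo "applying $new_rules failed, rolling back to $prev" >&2
    "$IPTABLES_RESTORE" < "$prev"
    return 1
}
```

Run as root with something like `apply_with_rollback new_rules /tmp/prev filter nat`; exit code 2 means the rollback precondition was not met and no change was attempted.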
