Package: iptables-persistent
Version: 0.0.20100801
Severity: wishlist
Hi.
Could you please merge the attached version of the initscript?
It would have the following improvements:
- Load IPv6 rules (if a file for them is there), fixing #541459.
- Change the rule filenames to ipv4-rules and ipv6-rules.
- "Implement" the restart action, which makes sense for re-loading the rules if
people have changed them.
Security related improvements:
- Guarantee via LSB headers that it is run _before_ networking is brought up.
This is rather important, as otherwise packets might slip through until
the script actually runs.
- Catch the exit status of ip[6]tables-restore, and if any of them is non-zero,
set the exit status of the initscript to the (LSB conformant) value of 1.
Otherwise people might not notice if their rule files contain errors
and can therefore not be loaded.
Cheers,
Chris.
#!/bin/sh
### BEGIN INIT INFO
# Provides:          iptables-persistent
# Required-Start:    mountkernfs $local_fs
# Required-Stop:     $local_fs
# Default-Start:     S
# Default-Stop:
# X-Start-Before:    $network
# X-Stop-After:      $network
# Short-Description: Set up iptables rules
### END INIT INFO

# LSB exit status of the script: 0 on success, 1 if any rule set failed to load.
rc=0

load_rules()
{
    # load IPv4 rules (a missing file just means no persistent IPv4 rules)
    if [ -f /etc/iptables/ipv4-rules ]; then
        if ! iptables-restore < /etc/iptables/ipv4-rules; then
            # record the failure; keep going so the IPv6 rules are still loaded
            rc=1
        fi
    fi

    # load IPv6 rules
    if [ -f /etc/iptables/ipv6-rules ]; then
        if ! ip6tables-restore < /etc/iptables/ipv6-rules; then
            rc=1
        fi
    fi
}

case "$1" in
    start)
        load_rules
        ;;
    restart)
        # re-load the rules, e.g. after the rule files were edited
        load_rules
        ;;
    stop|force-stop|force-reload|status)
        ;;
    *)
        echo "Usage: $0 {start|stop|force-stop|restart|force-reload|status}" >&2
        exit 1
        ;;
esac

exit "${rc}"
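The exit-status handling the initscript above relies on, as an added example that is not part of the bug report or of the iptables-persistent package: the restore commands are passed in as parameters, so the logic can be exercised with stub commands and constructed rule files, without root and without touching the live netfilter tables. The names load_rules_from, demo_scenario, ok_restore and bad_restore are assumed here for the demonstration.

```shell
#!/bin/sh
# Added example, not code from the bug report or from iptables-persistent.
# It isolates the "load both families, fail if either failed" logic so it
# can be run without root: the restore commands are parameters, and stub
# functions stand in for iptables-restore / ip6tables-restore.

# Load ipv4-rules and ipv6-rules from directory $1, using $2 as the IPv4
# restore command and $3 as the IPv6 restore command.  A missing file is not
# an error (that family simply has no persistent rules).  A failing restore
# is reported on stderr, but loading continues so the other family still gets
# its rules; the function returns LSB status 1 if anything failed, else 0.
load_rules_from() {
    dir=$1
    v4_restore=$2
    v6_restore=$3
    rc=0

    if [ -f "$dir/ipv4-rules" ]; then
        if ! "$v4_restore" < "$dir/ipv4-rules"; then
            echo "loading $dir/ipv4-rules failed" >&2
            rc=1
        fi
    fi

    if [ -f "$dir/ipv6-rules" ]; then
        if ! "$v6_restore" < "$dir/ipv6-rules"; then
            echo "loading $dir/ipv6-rules failed" >&2
            rc=1
        fi
    fi

    return "$rc"
}

# Stand-ins for iptables-restore (assumed names): both consume the rule file
# on stdin; bad_restore mimics a parse error by exiting non-zero.
ok_restore() { cat >/dev/null; }
bad_restore() { cat >/dev/null; return 2; }

# Run one scenario in a scratch directory with constructed rule files.
# $1 = IPv4 restore command, $2 = IPv6 restore command,
# $3 = "yes" to also create an ipv6-rules file, anything else to leave it out.
# Returns the status load_rules_from produced.
demo_scenario() {
    d=$(mktemp -d) || return 1
    # constructed sample rule files in iptables-save format
    printf '*filter\n:INPUT DROP [0:0]\n-A INPUT -i lo -j ACCEPT\nCOMMIT\n' > "$d/ipv4-rules"
    if [ "$3" = "yes" ]; then
        printf '*filter\n:INPUT DROP [0:0]\n-A INPUT -i lo -j ACCEPT\nCOMMIT\n' > "$d/ipv6-rules"
    fi
    result=0
    load_rules_from "$d" "$1" "$2" || result=$?
    rm -rf "$d"
    return "$result"
}

# Stand-alone run: any scenario where a restore fails must end in status 1,
# and a missing ipv6-rules file must not be mistaken for a failure.
demo_scenario ok_restore  ok_restore  yes; echo "v4 ok,    v6 ok      -> $?"   # 0
demo_scenario ok_restore  bad_restore yes; echo "v4 ok,    v6 fails   -> $?"   # 1
demo_scenario bad_restore ok_restore  yes; echo "v4 fails, v6 ok      -> $?"   # 1
demo_scenario ok_restore  bad_restore no;  echo "v4 ok,    no v6 file -> $?"   # 0
```

The point of passing the commands in is that the same function is what a test can call with a deliberately broken restore; in the real script the two parameters are simply iptables-restore and ip6tables-restore, and the status it returns is what the initscript should hand back to the init system.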