bugzilla-daemon at netfilter.org
2016-Jul-07 13:49 UTC
[Bug 1078] New: please provide a firewall scripts drop-in folder
https://bugzilla.netfilter.org/show_bug.cgi?id=1078

Bug ID: 1078
Summary: please provide a firewall scripts drop-in folder
Product: iptables
Version: unspecified
Hardware: other
OS: All
Status: NEW
Severity: enhancement
Priority: P5
Component: unknown
Assignee: netfilter-buglog at lists.netfilter.org
Reporter: adrelanos at riseup.net

### feature request

Please provide a firewall scripts drop-in folder. I.e. please provide a folder such as `/usr/share/netfilter-persistent/plugins.d` where one can drop arbitrary scripts which will be executed early enough during the boot process in lexical order when the netfilter-persistent.service is started.

Firewall rules ought to be loaded before anything might issue any network traffic. And there also should be a failure condition that fails closed.

Providing this by the netfilter project would provide a sane, secure, canonical, distribution-agnostic way to get firewall scripts loaded. This is better than various sysadmins and distributions coming up with custom mechanisms and getting them wrong, since all of this is non-trivial.

### existing similar implementation / alternative

There already is netfilter-persistent which is attempting to do that.

* http://manpages.org/netfilter-persistent/8
* https://anonscm.debian.org/cgit/collab-maint/iptables-persistent.git/tree/systemd/netfilter-persistent.service
* https://anonscm.debian.org/cgit/collab-maint/iptables-persistent.git/tree/netfilter-persistent
* https://packages.debian.org/de/jessie/iptables-persistent

> netfilter-persistent uses a set of plugins to load, flush and save netfilter rules at boot and halt time. Plugins can be written in any suitable language and stored in /usr/share/netfilter-persistent/plugins.d

> Plugins can be written in any language and are merely executed by netfilter-persistent with a single argument. All plugins are stored in `/usr/share/netfilter-persistent/plugins.d`.

> Plugins must implement the start flush and save arguments and must not rely on additional arguments for other functionality.

> Plugins must return 0 on success and any other code on failure.

It also has a `FLUSH_ON_STOP` option, which is disabled by default.

Overall I think that netfilter-persistent thought this through quite well and came up with a nice mechanism. However, it is not that simple to get everything right.

netfilter-persistent bug reports:

* netfilter-persistent loads firewall rules too late - http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=829640
* netfilter-persistent systemd service does not lock the network if netfilter-persistent wrapper is failing at system bootup - http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=829752

Perhaps something could be learned from netfilter-persistent and perhaps it could be upstreamed to netfilter.

### systemd

systemd developer Lennart Poettering said that this does not belong in the systemd project, but perhaps in the netfilter project.

Source: https://github.com/systemd/systemd/issues/3661

-- 
You are receiving this mail because:
You are watching all bug changes.
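As an added example (not code from the bug report or from netfilter-persistent), here is a minimal POSIX sh runner for the drop-in model the report describes: executables in a plugins.d directory run in lexical order with a single start, flush or save argument, the first non-zero exit aborts the run, and the service then fails closed. The directory path follows the report; the DROP-policy fail-closed step and the script layout are assumptions.

```shell
#!/bin/sh
# Added example, not code from the bug report or from netfilter-persistent.
# Minimal drop-in runner: every executable in a plugins.d directory is run in
# lexical order with one argument (start, flush or save); the first plugin that
# exits non-zero aborts the run and the caller fails closed by installing DROP
# policies, so a half-applied rule set never leaves the host open.

# Run all plugins in DIR with ACTION. Returns 0 only if every plugin
# returned 0; otherwise returns 1 with the offending path in $FAILED_PLUGIN.
run_plugins() {
    dir=$1
    action=$2
    FAILED_PLUGIN=""
    case "$action" in
        start|flush|save) ;;
        *) echo "usage: run_plugins DIR start|flush|save" >&2; return 2 ;;
    esac
    # The glob expands in collation (lexical) order, so 10-foo runs before 20-bar.
    for plugin in "$dir"/*; do
        [ -x "$plugin" ] || continue   # skip README, backups, non-executables
        if ! "$plugin" "$action"; then
            FAILED_PLUGIN=$plugin
            return 1
        fi
    done
    return 0
}

# Fail closed: default-DROP the filter table (assumed policy; needs root).
fail_closed() {
    iptables -P INPUT DROP && iptables -P FORWARD DROP && iptables -P OUTPUT DROP
}

# Service entry point: "start" loads the rules; any failure fails closed.
main() {
    if ! run_plugins "${PLUGIN_DIR:-/usr/share/netfilter-persistent/plugins.d}" "$1"; then
        echo "plugin ${FAILED_PLUGIN:-(none)} failed, failing closed" >&2
        fail_closed
        exit 1
    fi
}

# Only run when invoked with an action, e.g. `sh runner.sh start`.
case "${1:-}" in
    start|flush|save) main "$1" ;;
esac
```

Point PLUGIN_DIR at a directory of constructed test plugins to exercise ordering and the abort-on-failure path without touching the kernel.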
bugzilla-daemon at netfilter.org
2016-Jul-07 13:49 UTC
[Bug 1078] please provide a firewall scripts drop-in folder
https://bugzilla.netfilter.org/show_bug.cgi?id=1078

Patrick Schleizer <adrelanos at riseup.net> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |adrelanos at riseup.net
bugzilla-daemon at netfilter.org
2017-Apr-30 13:38 UTC
[Bug 1078] please provide a firewall scripts drop-in folder
https://bugzilla.netfilter.org/show_bug.cgi?id=1078

Oliver Ford <ojford at gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |ojford at gmail.com