This patch adds a reload() function to the iptables startup script to allow just flushing the rules and loading new rules (not completely resetting policies, which is what stop() does). The reason for this is that currently, during the rule-reload period, a hole is potentially opened because all the policies are reset to ACCEPT. With this patch one can run /etc/init.d/iptables reload without having policies reset. Granted, the likelihood of an incident during the short rule-reload period is very slim, but every bit of security is good security. This patch also fixes all the iptables commands to use the absolute path instead of relying on $PATH. I read somewhere (can't recall where at the moment) a Gentoo policy that this is the correct way of handling things. I imagine something similar should be applied to ip6tables, but I will leave that to the more-wise-than-I. :-)
Created attachment 12474: iptables.init reload() patch
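To make the difference between stop() and the proposed reload() concrete, here is an added example in the shape of a cut-down init script. It is not the attached patch or the Gentoo iptables.init of the time; the binary paths, the location of the saved rules file and the function names are assumptions chosen to read like that script. stop() flushes every table and then opens all policies to ACCEPT; reload() flushes the same tables but leaves the policies alone and immediately restores the saved rules, so a chain whose policy is DROP keeps dropping during the window instead of accepting everything.

```shell
#!/bin/sh
# Added example (not the Gentoo init script or the attached patch): a minimal
# reload() next to the stop() it is meant to replace. Paths below are
# assumptions in the style of the Gentoo script, not taken from it.

IPTABLES="${IPTABLES:-/sbin/iptables}"                           # absolute path, never $PATH
IPTABLES_RESTORE="${IPTABLES_RESTORE:-/sbin/iptables-restore}"
IPTABLES_SAVE="${IPTABLES_SAVE:-/var/lib/iptables/rules-save}"   # assumed save location
TABLES="filter nat mangle"

# Empty every chain in every table but leave the chain policies exactly as
# they are. While this runs, a DROP policy keeps dropping; nothing gets
# accepted that the old rules would not have accepted.
flush_rules() {
    for table in $TABLES; do
        "$IPTABLES" -t "$table" -F    # delete all rules in the table
        "$IPTABLES" -t "$table" -X    # delete all user-defined chains
        "$IPTABLES" -t "$table" -Z    # zero the packet and byte counters
    done
}

# What stop() does on top of flushing: open every built-in chain. Between
# this and the next rule load every packet is accepted, which is the hole
# the report describes.
reset_policies() {
    for chain in INPUT FORWARD OUTPUT; do
        "$IPTABLES" -t filter -P "$chain" ACCEPT
    done
    for chain in PREROUTING POSTROUTING OUTPUT; do
        "$IPTABLES" -t nat -P "$chain" ACCEPT
    done
    for chain in PREROUTING INPUT FORWARD OUTPUT POSTROUTING; do
        "$IPTABLES" -t mangle -P "$chain" ACCEPT
    done
}

# stop: no firewall at all afterwards, policies included.
stop() {
    flush_rules
    reset_policies
}

# reload: flush, then load the saved rules; policies are never touched here,
# only by the ":CHAIN POLICY" lines inside the saved rules file itself.
reload() {
    if [ ! -r "$IPTABLES_SAVE" ]; then
        echo "reload: cannot read saved rules at $IPTABLES_SAVE" >&2
        return 1
    fi
    flush_rules
    "$IPTABLES_RESTORE" < "$IPTABLES_SAVE"
}

case "${1:-}" in
    reload) reload ;;
    stop)   stop ;;
    "")     ;;    # no action given: only define the functions (e.g. when sourced)
    *)      echo "usage: $0 {reload|stop}" >&2; exit 1 ;;
esac
```

Run as `sh firewall.sh reload` (as root, with a real saved rules file) or source it to get the functions. Two practical notes: with a DROP policy, connections stall rather than open during the reload window, which is the intended trade; and iptables-restore replaces each table listed in the save file in a single commit, so the explicit flush_rules beforehand only matters for tables the file does not mention.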
In CVS, thanks!