
Bug 21801

Summary: /etc/init.d/iptables reload() support
Product: Gentoo Linux
Reporter: Max Kalika (RETIRED) <max>
Component: [OLD] Core system
Assignee: Daniel Ahlberg (RETIRED) <aliz>
Status: RESOLVED FIXED    
Severity: normal    
Priority: High    
Version: 1.4_rc4   
Hardware: All   
OS: Linux   
Whiteboard:
Package list:
Runtime testing required: ---
Attachments: iptables.init reload() patch

Description Max Kalika (RETIRED) gentoo-dev 2003-05-27 18:59:30 UTC
This patch adds a reload() function to the iptables startup script to allow for just flushing of 
the rules and loading of new rules (not completely resetting policies which is what stop() 
does).  The reason for this is that currently during the rule-reload period, a hole is 
potentially opened because all the policies are reset to ACCEPT.  With this patch one can 
run /etc/init.d/iptables reload without having policies reset.  Granted, the likelihood of an 
incident during the short rule-reload period is very slim, but every bit of security is good 
security. 
 
This patch also fixes all the iptables commands to use the absolute path instead of relying 
on $PATH.  I read somewhere (can't recall where at the moment) a gentoo policy that this 
is the correct way of handling things. 
 
I imagine something similar should be applied to ip6tables, but I will leave that to the 
more-wise-than-I. :-)
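The reload-versus-stop distinction the report describes, written out as an added shell example (this is not the attached patch); the rules file path, the three tables flushed and the overridable binary path are assumptions:

```shell
#!/bin/sh
# Added example, not the attached patch: an init-script style reload()
# beside the stop() behaviour the report describes. Binaries are called by
# absolute path rather than via $PATH, as the report suggests; IPTABLES can
# be pointed at a stub so the logic can be exercised without root.
IPTABLES="${IPTABLES:-/sbin/iptables}"
# Assumed: a shell file holding the site's iptables rule commands.
RULES_FILE="${RULES_FILE:-/etc/iptables.rules.sh}"

flush_rules() {
    # Remove every rule and user-defined chain in the common tables,
    # but touch no built-in chain policy.
    for table in filter nat mangle; do
        "$IPTABLES" -t "$table" -F || return 1
        "$IPTABLES" -t "$table" -X || return 1
    done
}

stop() {
    # Full reset: afterwards INPUT/FORWARD/OUTPUT default to ACCEPT.
    # Using this to reload rules opens the window the report is about.
    flush_rules || return 1
    for chain in INPUT FORWARD OUTPUT; do
        "$IPTABLES" -P "$chain" ACCEPT || return 1
    done
}

reload() {
    # Flush and load rules only. A DROP policy set by start() stays in
    # force the whole time, so nothing is accepted while rules are absent.
    flush_rules || return 1
    # shellcheck disable=SC1090
    . "$RULES_FILE"
}
```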
Comment 1 Max Kalika (RETIRED) gentoo-dev 2003-05-27 19:00:15 UTC
Created attachment 12474
iptables.init reload() patch
Comment 2 Daniel Ahlberg (RETIRED) gentoo-dev 2004-01-23 13:55:48 UTC
In CVS, thanks!