RedHat has "fixed" this issue now... but as I explain there in comment
36, I don't think it's a real fix.
The key missing point, IMHO, is a functionality in ipset to atomically
replace the existing sets with new sets (the atomically is crucial here
for security reasons),... AND... that it is check
The previously attached script is still buggy in some situations,... and
doesn't detect whether reload can be done without problems.
I'm in the process of writing an ipset-restore which will handle all
this gracefully.
Cheers,
Chris.
On Thu, 2012-12-20 at 18:21 +0100, Christoph Anton Mitterer wrote:
> Second... the ipsets broken is IMHO broken
That should have read:
Second... the ipsets program is IMHO broken
tags 693177 +patch
forcemerge 693177 662743
stop
Hi.
First... if iptables-persistent should really support ipsets (which is
necessary IMHO)... then I suggest renaming the package
and /etc/iptables to netfilter-persistent and netfilter respectively.
Simply because it's no longer only iptables pers
Package: iptables-persistent
Version: 0.5.3+nmu1
Severity: wishlist
Hi.
Given that ipset is now part of netfilter, it would IMHO
make sense if support was added for loading the IP sets from some
file.
For that it would probably make sense to rename iptables-persistent
to e.g. netfilter-persist
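The two things this thread asks for, loading sets from a file (this report) and replacing the live sets atomically and with a sanity check first (Chris's later message about his planned ipset-restore), are both covered by ipset's own `swap` command. The following POSIX shell script is an added illustration and is not the ipset-restore script mentioned in the thread nor anything from iptables-persistent; the set name `blocklist`, the type `hash:net family inet` and the member list are constructed for the example. The first function only prints an `ipset restore` batch, so it can be inspected offline; the second one runs it against the kernel and needs root.

```shell
#!/bin/sh
# Added example (not code from the bug report): atomic replacement of a
# live ipset by filling a temporary set and swapping it into place.

# Print an `ipset restore` batch that rebuilds SET_NAME of type SET_TYPE
# from MEMBERS_FILE (one entry per line, '#' comments and blank lines
# ignored). Only the final `swap` touches the live set, so a rejected
# entry aborts the batch before the running firewall sees any change.
ipset_swap_batch() {
    set_name=$1 set_type=$2 members_file=$3
    tmp="${set_name}_new"
    printf 'create %s %s\n' "$tmp" "$set_type"
    grep -v -e '^[[:space:]]*#' -e '^[[:space:]]*$' "$members_file" |
    while read -r entry || [ -n "$entry" ]; do
        printf 'add %s %s\n' "$tmp" "$entry"
    done
    # `swap` exchanges the contents of the two sets in one kernel call;
    # rules referencing $set_name never see an empty or half-filled set.
    printf 'swap %s %s\n' "$tmp" "$set_name"
    # After the swap the temporary set holds the old entries; drop them.
    printf 'destroy %s\n' "$tmp"
}

# Pre-flight check and reload against the running kernel (requires root
# and the ipset tool; not exercised by the offline test). `swap` only works
# between sets of the same type, so refuse when the live set differs.
ipset_atomic_reload() {
    set_name=$1 set_type=$2 members_file=$3
    if ipset -t list "$set_name" >/dev/null 2>&1; then
        live_type=$(ipset -t list "$set_name" | awk '/^Type:/ {print $2}')
        if [ "$live_type" != "${set_type%% *}" ]; then
            echo "$set_name is $live_type, not ${set_type%% *}; refusing to swap" >&2
            return 1
        fi
    else
        # First load: create the live set empty so the batch has a
        # partner to swap with ($set_type is deliberately word-split).
        ipset create "$set_name" $set_type || return 1
    fi
    ipset_swap_batch "$set_name" "$set_type" "$members_file" | ipset restore
}

# Constructed sample member list (not from the bug report); shows the
# batch that would be piped into `ipset restore`.
sample_members=$(mktemp)
cat >"$sample_members" <<'EOF'
# hosts and networks to drop
192.0.2.10
198.51.100.0/24
EOF
ipset_swap_batch blocklist "hash:net family inet" "$sample_members"
rm -f "$sample_members"
```

Two caveats a persistent loader has to keep in mind: `ipset restore` is not transactional, it executes the batch line by line and stops at the first error, which is exactly why the live set must be the last thing the batch touches; and `swap` requires both sets to be of the same type and address family, so a change of set type in the saved file cannot be applied with a swap and needs the rules referencing the set to be removed first.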