Re: /etc/init.d/iptables
>>>>> Pascal Hambourg <pascal.mail@plouf.fr.eu.org> writes:
>>>>> Ivan Shmakov a écrit :
>>>>> Pascal Hambourg <pascal.mail@plouf.fr.eu.org> writes:
>>> Indeed. My opinion is that only interface-specific action such as
>>> creating interface-specific firewall rules should be performed in
>>> /etc/network/if-*.d/ scripts,
>> Huh? Why might one need to put interface-specific scripts into
>> non-interface-specific if-*.d/ directories? Did you mean
>> /etc/network/interfaces {pre,post}-{up,down} options here?
> These scripts get interface parameters such as name, address, custom
> options... defined in /etc/network/interfaces and thus can perform
> interface-specific tasks while being versatile.
Strangely, I cannot find where these directories are documented.
Could you provide a pointer, please?
>>> as well as in /etc/ppp/ip*.d/ scripts.
>> ... Also, is there any good reason to change the firewall
>> configuration as the interfaces are brought up and down at all?
> Yes, when iptables rules need some parameters such as interface name,
> address... which are variable.
Any particular example to consider?
> This is rather common for PPP interfaces.
Well, yes, though I'd consider using the `unit' pppd(8) option
to fix the interface name once and for all.
It's likely that I'm missing something trivial here, but it
somehow seems to me that at least the major part of the
iptables(8) configuration is going to be static anyway.
--
FSF associate member #7257
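An illustration of the mechanism Pascal describes above (interface parameters handed to an if-*.d/ hook via the environment, used to build per-interface iptables rules), added here as an example and not code from either poster. It assumes the variables ifupdown exports to hooks (IFACE, MODE, ADDRFAM, IF_ADDRESS) and that a made-up custom stanza option "fw-allow-tcp 22,443" arrives as IF_FW_ALLOW_TCP; set IPTABLES=echo to dry-run it.

```shell
#!/bin/sh
# Example /etc/network/if-up.d/ hook (symlink it into if-down.d/ too).
# ifupdown runs it with IFACE, MODE (start|stop), ADDRFAM and one
# IF_<OPTION> variable per stanza option, e.g. IF_ADDRESS for "address".
# Assumption: a custom option "fw-allow-tcp 22,443" shows up as IF_FW_ALLOW_TCP.

IPTABLES="${IPTABLES:-iptables}"   # set to "echo" for a dry run

# Print one rule per line for the given interface: keep established
# flows, accept NEW TCP only to the interface's own address on the listed
# ports, drop everything else arriving on that interface.
iface_rules() {
    iface="$1"; addr="$2"; ports="$3"
    printf 'INPUT -i %s -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT\n' "$iface"
    old_ifs=$IFS; IFS=,
    for p in $ports; do
        printf 'INPUT -i %s -d %s -p tcp --dport %s -m conntrack --ctstate NEW -j ACCEPT\n' \
            "$iface" "$addr" "$p"
    done
    IFS=$old_ifs
    printf 'INPUT -i %s -j DROP\n' "$iface"
}

# Remove any previous copy of each rule, then re-add it when the
# interface comes up (MODE=start). Deleting first keeps the ruleset
# free of duplicates if ifup is run twice.
apply_rules() {
    mode="$1"; iface="$2"; addr="$3"; ports="$4"
    iface_rules "$iface" "$addr" "$ports" | while read -r rule; do
        # shellcheck disable=SC2086  # word-splitting $rule is intended
        $IPTABLES -D $rule 2>/dev/null || true
        if [ "$mode" = start ]; then $IPTABLES -A $rule; fi
    done
}

# Only act when invoked by ifupdown for an IPv4 interface with an address.
if [ -n "$IFACE" ] && [ -n "$IF_ADDRESS" ] && [ "$ADDRFAM" = inet ]; then
    apply_rules "$MODE" "$IFACE" "$IF_ADDRESS" "${IF_FW_ALLOW_TCP:-22}"
fi
```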