On Fri, 7 Sep 2001, Ben Reser wrote:
> On Thu, Aug 30, 2001 at 07:50:52PM +0800, Ian C. Sison wrote:
> > Yes iptables works, but if you go via the /etc/sysconfig/iptables and
> > start it using the initscript of iptables, it will bomb out with a
> > segfault. iptables-restore has some bug, however if you invoke iptables
> > with the lines inside /etc/sysconfig/iptables individually, it works.
>
> WRONG WRONG WRONG WRONG! Don't do that. It'll start emitting all
> kinds of errors when you do: /etc/init.d/iptables save which calls
> iptables-save.
>
> The problem is that iptables-restore doesn't realize people are doing
> things wrong and segfaults when it sees a -t flag.
>
> > I made a modification to the initscript and sent it off to the maintainer
> > of the package already.
>
> Yeah and they applied it and it causes precisely the problem I
> described above.
It _is_ a bug in that it should not segfault when given a wrong input
stream. If the format of the file changed radically from ipchains-save,
then this situation should be handled gracefully, and not with a segfault.
Segfaults leave users clueless, and they will find a way around it. In fact the
original initscript even called iptables-restore with a '-f' flag, which
led me to believe that the package was not tested before it was released.
More doubt here.
Furthermore, as /etc/sysconfig/iptables (like ipchains) is coded manually,
to effect global settings to the firewall, incidents like this will occur,
and segfaults are truly misleading. My mistake was that I didn't look
much into the format of iptables-save before reporting the error.
In any case, now that that is cleared up, what is more correct? The old
format of ipchains in /etc/sysconfig/iptables (which a lot of people are
used to), or follow the new convention of iptables-restore?
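As an added example that is not part of the thread: a small POSIX shell pre-flight check that tells an iptables-save style file (the "*table" / ":CHAIN" / "COMMIT" blocks iptables-restore expects) from a bare ipchains-style list of commands, including the stray "-t" flag the thread says makes iptables-restore segfault. The function name and the two sample files are constructed for this example.

```shell
#!/bin/sh
# Lint a rules file before feeding it to iptables-restore.
# Returns 0 when the file looks like iptables-save output, 1 otherwise.
# Checks: every rule line sits inside a "*table" ... "COMMIT" block, and no
# rule line carries a "-t"/"--table" flag (the table is named by the "*table"
# header, so a "-t" inside the block is the bare-command mistake from the thread).
check_iptables_save_format() {
    awk '
        /^#/ || /^[ \t]*$/ { next }                          # comments, blank lines
        /^\*/    { if (in_table) bad++; in_table = 1; next }  # "*filter", "*nat"
        /^COMMIT$/ { if (!in_table) bad++; in_table = 0; next }
        /^:/     { if (!in_table) bad++; next }              # ":INPUT ACCEPT [0:0]"
        {
            if (!in_table) bad++                             # rule outside a table block
            if ($0 ~ /(^|[ \t])(-t|--table)([ \t]|$)/) bad++ # explicit table flag
        }
        END { if (in_table) bad++; exit bad ? 1 : 0 }        # unterminated block
    ' "$1"
}

# Constructed sample: what iptables-save emits (well-formed).
good=$(mktemp)
cat > "$good" <<'EOF'
# Generated by iptables-save (constructed sample)
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m state --state ESTABLISHED,RELATED -j ACCEPT
COMMIT
EOF

# Constructed sample: ipchains-style bare commands, one with a "-t" flag.
bad=$(mktemp)
cat > "$bad" <<'EOF'
-A INPUT -i lo -j ACCEPT
-t nat -A POSTROUTING -o eth0 -j MASQUERADE
EOF
trap 'rm -f "$good" "$bad"' EXIT

check_iptables_save_format "$good" && echo "good: iptables-save format"
check_iptables_save_format "$bad"  || echo "bad: bare commands / -t flag, not iptables-save format"
```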