On Sat, Sep 08, 2001 at 05:15:01PM +0800, Ian C. Sison wrote:
> It _is_ a bug in that it should not segfault when given a wrong input
> stream. If the format of the file changed radically from ipchains-save,
> then this situation should be handled gracefully, and not with a segfault.
> Segfaults leave users clueless and will find a way around it. In fact the
> original initscript even called iptables-restore with a '-f' flag, which
> led me to believe that the package was not tested before it was released.
> More doubt here.

I agree that it shouldn't be segfaulting. That's why I'm spending today
figuring out how to patch it so it doesn't. Actually I think I know how; I
just need to set up a copy in vmware since my firewall doesn't have
development tools.

> Furthermore, as /etc/sysconfig/iptables (like ipchains) is coded manually,
> to effect global settings to the firewall, incidents like this will occur,
> and segfaults are truly misleading. My mistake was that I didn't look
> much into the format of iptables-save before reporting the error.
>
> In any case, now that that is cleared up, what is more correct? The old
> format of ipchains in /etc/sysconfig/iptables (which a lot of people are
> used to), or follow the new convention of iptables-restore?

I think we need to follow the new conventions. Or make iptables-restore
pay attention to the -t. I think I can make the latter work pretty easily.
Which should make your existing /etc/sysconfig/iptables work, but at the
same time make iptables-save output work as well.

I think making it work for more people is the better solution.

--
Ben Reser <[EMAIL PROTECTED]>
http://ben.reser.org

Just when you think you're not in Kansas anymore, turns out you are!
- Colonel Jack O'Neill SG1
