Ivan Shmakov wrote:
>
> Strangely, I cannot find where these directories are documented.
> Could you provide a pointer, please?

The 'interfaces' manpage contains some information about
/etc/network/if-*.d directories and exported variables. There are also
some examples in /usr/share/doc/ifupdown/examples/.

>>> ... Also, is there any good reason to change the firewall
>>> configuration as the interfaces are brought up and down at all?
>>
>> Yes, when iptables rules need some parameters such as interface name,
>> address... which are variable.
>
> Any particular example to consider?
>
>> This is rather common for PPP interfaces.
>
> Well, yes, though I'd consider using the `unit' pppd(8) option
> to fix the interface name once and for all.

"unit" is not always enough. An example is a PPP server which accepts
multiple clients simultaneously and gives each one a different address.
A script in /etc/ppp/ip-up.d/ can use the interface name and the remote
address to block IP spoofing by clients:

iptables -A FORWARD -i $PPP_IFACE -s ! $PPP_REMOTE -j DROP

Another example is when an interface gets a dynamic address and you want
to create a DNAT rule that matches only on that address:

iptables -t nat -A PREROUTING -d $PPP_LOCAL -p tcp --dport <port> \
  -j DNAT --to <server>:<port>

You cannot do that with a static ruleset.
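The anti-spoofing hook described in the message above, as an added example that is not part of the original post: one script serving both /etc/ppp/ip-up.d/ and /etc/ppp/ip-down.d/ that validates the exported variables, avoids duplicate rules when a link comes back up, and removes the rule when the link drops. The function names, the IPTABLES override and the symlink layout are assumptions, and the rule uses the `! -s` spelling of the negation.

```shell
#!/bin/sh
# Added example (hypothetical file name): install as /etc/ppp/ip-up.d/0antispoof
# and symlink it into /etc/ppp/ip-down.d/. Uses PPP_IFACE and PPP_REMOTE,
# the variables referenced in the message above.

IPTABLES=${IPTABLES:-iptables}   # assumption: overridable so the logic can be dry-run

# Accept only plain interface names (letters, digits, "_", ".", "-").
valid_iface() { case $1 in ''|*[!A-Za-z0-9_.-]*) return 1 ;; esac; }

# Accept only dotted-quad IPv4 addresses with each octet in 0..255.
valid_ipv4() {
    case $1 in ''|*[!0-9.]*|*..*|.*|*.) return 1 ;; esac
    old_ifs=$IFS; IFS=.; set -- $1; IFS=$old_ifs
    [ $# -eq 4 ] || return 1
    for o in "$@"; do [ ${#o} -le 3 ] && [ "$o" -le 255 ] || return 1; done
}

# antispoof add|del IFACE REMOTE
# Drops forwarded packets arriving on IFACE whose source is not REMOTE.
antispoof() {
    action=$1 iface=$2 remote=$3
    valid_iface "$iface" && valid_ipv4 "$remote" || return 2
    case $action in
        add) # -C tests for an identical rule, so a re-up does not stack duplicates
            $IPTABLES -C FORWARD -i "$iface" ! -s "$remote" -j DROP 2>/dev/null ||
            $IPTABLES -A FORWARD -i "$iface" ! -s "$remote" -j DROP ;;
        del) # remove the per-link rule so it cannot hit the next user of this name
            $IPTABLES -D FORWARD -i "$iface" ! -s "$remote" -j DROP ;;
        *) return 2 ;;
    esac
}

# When run as a hook, the directory the script was started from picks the action.
case $0 in
    */ip-up.d/*)   antispoof add "$PPP_IFACE" "$PPP_REMOTE" ;;
    */ip-down.d/*) antispoof del "$PPP_IFACE" "$PPP_REMOTE" ;;
esac
```

Without the ip-down.d half, rules for disconnected clients accumulate in FORWARD and a stale rule can later drop traffic from a different client that is assigned the same interface name.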

