- port to netfilter-persistent?
- netfilter-persistent.service may be a more appropriate place than whonix-firewall.service to get the firewall loaded before any networking comes up.
- That could therefore simplify the setup, and
- allow additional custom/extension-package firewall rules to be loaded before and after Whonix Firewall.
- NOT iptables-persistent
- (which is more useful to local system administrators rather than distribution maintainers)
```
cat /usr/share/doc/netfilter-persistent/README
netfilter-persistent and its plugins
------------------------------------

netfilter-persistent does no work on its own. You need the accompanying
plugins (for example, iptables-persistent) to load and save filter rules.
However, commands are run from netfilter-persistent. For example, to save
all filter rules:

    netfilter-persistent save

or to load them:

    netfilter-persistent start

For more details, see `man netfilter-persistent`.

The system service will try to load rules at startup if enabled, but by
default it will not flush rules at shutdown. This behaviour can be changed
by editing /etc/default/netfilter-persistent.

 -- Jonathan Wiltshire <jmw@debian.org>  Sat, 02 Jan 2016 00:00:00 +0000
```
From `man netfilter-persistent`:

```
DESCRIPTION
       netfilter-persistent uses a set of plugins to load, flush and save
       netfilter rules at boot and halt time. Plugins can be written in any
       suitable language and stored in /usr/share/netfilter-persistent/plugins.d

PLUGINS
       Plugins can be written in any language and are merely executed by
       netfilter-persistent with a single argument. All plugins are stored
       in /usr/share/netfilter-persistent/plugins.d

       Plugins must implement the start flush and save arguments and must
       not rely on additional arguments for other functionality.

       Plugins must return 0 on success and any other code on failure.

       Plugins are free to use and extend the configuration in
       /etc/default/netfilter-persistent and to implement their own
       configuration files.
```
Known problems:

- netfilter-persistent loads firewall rules too late
- the netfilter-persistent systemd service does not lock down the network if the netfilter-persistent wrapper fails at system bootup
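As an added example (not Whonix or Debian code), the following hypothetical plugin shows the contract described by the man page excerpt above: one script in /usr/share/netfilter-persistent/plugins.d, invoked with exactly one of `start`, `flush` or `save`, returning 0 on success and non-zero otherwise. It also addresses the second problem listed above by failing closed: every chain policy is set to DROP before the ruleset is loaded, so a failed load leaves the host without network rather than with an open firewall. The file name `15-example-firewall`, the sample ruleset (loopback, established traffic, one outbound TCP port) and the save path are all constructed for the example; the `IPTABLES*` variables only exist so the script can be exercised without root.

```shell
#!/bin/sh
# Hypothetical netfilter-persistent plugin (added example, not project code).
# Assumed install path: /usr/share/netfilter-persistent/plugins.d/15-example-firewall
# netfilter-persistent runs it with a single argument: start, flush or save.
set -u

# Overridable only so the logic can be tested without touching the kernel;
# in production these resolve to the real binaries.
IPTABLES="${IPTABLES:-iptables}"
IPTABLES_RESTORE="${IPTABLES_RESTORE:-iptables-restore}"
IPTABLES_SAVE="${IPTABLES_SAVE:-iptables-save}"
SAVE_FILE="${SAVE_FILE:-/etc/iptables/rules.v4.example}"   # constructed path

# Constructed sample policy in iptables-restore format, so the whole ruleset
# is committed atomically instead of rule by rule.
build_rules() {
    cat <<'EOF'
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT DROP [0:0]
-A INPUT -i lo -j ACCEPT
-A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -o lo -j ACCEPT
-A OUTPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
-A OUTPUT -p tcp --dport 9050 -m conntrack --ctstate NEW -j ACCEPT
COMMIT
EOF
}

# Fail closed: set every chain policy to DROP before loading anything, so a
# failure further down leaves the machine isolated rather than exposed.
lock_down() {
    for chain in INPUT FORWARD OUTPUT; do
        "$IPTABLES" -P "$chain" DROP || return 1
    done
}

do_start() {
    lock_down || return 1
    if ! build_rules | "$IPTABLES_RESTORE"; then
        echo "example-firewall: rule load failed, chain policies remain DROP" >&2
        return 1
    fi
}

# flush removes the rules we loaded but keeps the DROP policies, so that a
# flush is never equivalent to opening the network.
do_flush() {
    for chain in INPUT FORWARD OUTPUT; do
        "$IPTABLES" -F "$chain" || return 1
    done
}

do_save() {
    "$IPTABLES_SAVE" > "$SAVE_FILE"
}

# Exactly one of start/flush/save is accepted; anything else is an error,
# reported with a non-zero code as the plugin contract requires.
plugin_main() {
    case "${1:-}" in
        start) do_start ;;
        flush) do_flush ;;
        save)  do_save ;;
        *)     echo "usage: $0 {start|flush|save}" >&2; return 2 ;;
    esac
}

# Dispatch only when an argument was given, so the file can also be sourced.
if [ $# -gt 0 ]; then
    plugin_main "$1"
    exit $?
fi
```

The DROP-before-load ordering is the point worth copying: netfilter-persistent itself only reports a plugin's exit code, so the plugin has to make its own failure safe.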
- add dpkg trigger for /usr/share/netfilter-persistent/plugins.d folder to have newly installed plugins take effect
related:

- systemd feature request: please provide a firewall scripts drop-in folder