`setfont t` is the internet’s next rickroll.
Posted at 6:33pm on Sun 26 Aug 2012

Just lost a 24-port switch, NIC, and video card to lightning because Time Warner told me twice to stop surge protecting my coax cable.
Posted at 4:04pm on Sun 26 Aug 2012

“Contributors are awesome. If you're thinking about contributing, that means you're thinking about being awesome.” (http://t.co/56XCgXZV)
Posted at 9:19pm on Sun 19 Aug 2012
Any Linux users who have customized the /etc/sysconfig/iptables file may have run into a really short-sighted problem: you cannot place comments at the end of a line. All comments apparently must start at column one on any given line. Otherwise, you get this problem when reloading your ruleset (at least on CentOS 5.4):
    [root@dal-br-01 sysconfig]# service iptables restart
    Flushing firewall rules:                                   [  OK  ]
    Setting chains to policy ACCEPT: mangle nat filter         [  OK  ]
    Unloading iptables modules:                                [  OK  ]
    Applying iptables firewall rules: Bad argument `##'
    Error occurred at line: 55
    Try `iptables-restore -h' or 'iptables-restore --help' for more information.
                                                               [FAILED]
This may be intentional, but it is so incredibly short-sighted and inconsistent with nearly every other configuration file and script on the system that I’m considering it an actual bug.
Changing the file is not an option for me, as my iptables file is chock-full of lines that look like this:

    -A PREROUTING -p tcp -m tcp --dport 22 -j MARK --set-mark 0x11 ## SSHD
    -A PREROUTING -p udp -m udp --dport 53 -j MARK --set-mark 0x11 ## DNS
    -A PREROUTING -p tcp -m tcp --dport 5060:5061 -j MARK --set-mark 0x11 ## SIP / SIP-TLS
And so it continues for several hundred lines, ultimately with a ton of very obscure, non-standard port numbers. With so many rules, most of which are for non-standard ports, comments are crucial. Placing them on their own line makes for an unintuitive mess, i.e., “does that comment apply to the rule above it or below it? And WTF is this one?” and so forth.
To work around it, I’ve made a few very small changes. Please note that this will likely jeopardize the functionality of iptables-save! On the other hand, saving ad-hoc rules that were created after the initial load is not relevant nor important to me since I’ve chosen to use a custom ruleset file.
/etc/sysconfig/iptables.input. Make sure the permissions are the same (0600) as the original. Then you’ll modify /etc/rc.d/init.d/iptables in two places, starting with the variable list at the top. Add a new variable at the bottom of that variables block, and set it to the path to the aforementioned iptables.input file thusly:
start() function in the /etc/rc.d/init.d/iptables script to read the contents of the new iptables.input file, strip all comments out, and pipe it to the existing iptables file. This should be performed directly before the line that executes $IPTABLES-restore:

    cat $IPTABLES_DATA_INPUT | sed -e 's/ #.*$//' > $IPTABLES_DATA
    $IPTABLES-restore $OPT $IPTABLES_DATA
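The comment-stripping step above, as an added example that is not the post's own init-script change: a POSIX sh function that removes trailing `## ...` comments but leaves a `#` inside double quotes (for example the string of an `-m comment --comment "..."` match, which the plain `sed 's/ #.*$//'` would truncate) intact, plus a rule-count check, run over a constructed sample ruleset.

```shell
#!/bin/sh
# Added example, not the post's own init-script change: strip trailing
# "## comment" text from an iptables.input-style file before it is handed
# to iptables-restore. Unlike the post's sed, a '#' inside double quotes
# (e.g. -m comment --comment "ticket #42") is left alone, and comments
# that start in column one are kept because iptables-restore accepts them.

# strip_inline_comments FILE -> cleaned ruleset on stdout
strip_inline_comments() {
    awk '
    substr($0, 1, 1) == "#" { print; next }   # full-line comment: keep as-is
    {
        out = ""; inq = 0
        for (i = 1; i <= length($0); i++) {
            c = substr($0, i, 1)
            if (c == "\"") inq = !inq            # track double-quoted spans
            if (c == "#" && !inq) {              # unquoted #: comment starts
                sub(/[ \t]+$/, "", out)          # drop whitespace before it
                break
            }
            out = out c
        }
        print out
    }' "$1"
}

# rule_count [FILE] -> number of rule lines (those beginning with "-A");
# reads stdin when no FILE is given
rule_count() {
    grep -c '^-A ' "$@"
}

# Constructed sample ruleset (not from any real system) in iptables-save format
SAMPLE_INPUT=$(mktemp)
trap 'rm -f "$SAMPLE_INPUT"' EXIT
cat > "$SAMPLE_INPUT" <<'EOF'
# hand-written ruleset, column-one comment
*mangle
:PREROUTING ACCEPT [0:0]
-A PREROUTING -p tcp -m tcp --dport 22 -j MARK --set-mark 0x11 ## SSHD
-A PREROUTING -p udp -m udp --dport 53 -j MARK --set-mark 0x11 ## DNS
-A PREROUTING -p tcp -m comment --comment "ticket #42" -j ACCEPT ## quoted hash kept
COMMIT
EOF

# Sanity check worth keeping in the init script: no rule lines lost by the rewrite
strip_inline_comments "$SAMPLE_INPUT"
echo "rules before: $(rule_count "$SAMPLE_INPUT"), after: $(strip_inline_comments "$SAMPLE_INPUT" | rule_count)"
```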
Afterwards, reloading rules with service iptables restart no longer causes any sort of implosion. Opening /etc/sysconfig/iptables after doing so shows that it has no inline comments. Going forward, all changes must be made in the iptables.input file, since the iptables file now gets overwritten at each start/restart.
So there you have it. There might be a more preferred way to do this, but this was the best method for my environment. Hopefully this helps others in the same boat.