
iptables compliance #1

Closed
Opened 2018-02-22 16:42:14 +01:00 by theonlydoo · 2 comments

hi there,

Great initiative. Quick question tho : why leave iptables out of the project scope? Is it a planned feature or a design choice?

(based on

> nftables if IP address bans are to be managed;

here: https://yalis.fr/git/yves/pyruse/src/branch/master/doc/install.md)

Owner

Hi theonlydoo,

Thanks for your interest in this software.
The reason for leaving out iptables in favour of nftables is twofold:

  • First, nftables is the “next generation”, and with this whole project (of which Pyruse is only a part), I strive to stick to modern solutions, leaving out software for which there are newer and “better” (in my eye) alternatives.
  • Second and not least, nftables includes the ability to handle timeouts, an ability that iptables lacks to my —admittedly limited— knowledge. Indeed, you may have noticed that the Pyruse software is entirely “passive”, or rather reactive; for instance, it does not include a scheduler, and is thus poorly equipped to deal with clock-based events.

That said, there are several ways for including iptables support in Pyruse; here are a few:

  • The simplest way is probably to rely on the system’s scheduler (atd, or even better, systemd) to manage the timeouts.
  • Or Pyruse could include its own scheduler, that would run in a separate thread.
  • There might also be a solution using the ipset extension (http://ipset.netfilter.org/iptables-extensions.man.html) in conjunction with ConnTrack’s timeout policies (but I know next to nothing on this topic)…

Either way would probably be rather easy to implement, and I’d be willing to implement the first method, if you think it is useful.
Cheers,

yves referenced this issue from a commit 2018-03-17 17:46:33 +01:00
yves closed this issue 2018-03-17 17:46:33 +01:00
Owner
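The trade-off yves describes above, as an added example that is not part of Pyruse: with nftables the kernel expires a set element on its own, with ipset the set does the same, but with plain iptables the ban must be undone later, so a reactive tool needs its own scheduler (the second option). The chain name `INPUT`, the nftables/ipset set name `banned` and the `runner` hook are assumptions made for this example; the `nft`, `iptables` and `ipset` command forms are the standard ones.

```python
"""Three ways to give an IP ban an expiry: kernel-side (nftables, ipset) or
scheduler-side (plain iptables, expired by a thread the tool runs itself)."""
import heapq
import subprocess
import threading
import time


def run_command(argv):
    """Default executor: run the firewall command and raise if it fails."""
    subprocess.run(argv, check=True)


def nft_ban_commands(ip, seconds, family="inet", table="filter", set_name="banned"):
    """nftables needs no scheduler: the set element carries its own timeout
    (the set must have been created with 'flags timeout')."""
    return [["nft", "add", "element", family, table, set_name,
             f"{{ {ip} timeout {seconds}s }}"]]


def ipset_ban_commands(ip, seconds, set_name="banned"):
    """Third option: an ipset created with 'timeout' expires entries by itself;
    one iptables rule ('-m set --match-set banned src -j DROP') matches them all."""
    return [["ipset", "add", set_name, ip, "timeout", str(seconds), "-exist"]]


class IptablesBanScheduler:
    """Second option: plain iptables has no per-rule timeout, so bans are
    recorded in a min-heap keyed by expiry and deleted when they fall due."""

    def __init__(self, chain="INPUT", runner=run_command):
        self.chain = chain          # assumption: bans go into the INPUT chain
        self.runner = runner        # injectable so the logic can be tested offline
        self._heap = []             # (expiry_timestamp, ip)
        self._active = {}           # ip -> expiry that is currently in force
        self._lock = threading.Lock()

    def _rule(self, action, ip):
        return ["iptables", action, self.chain, "-s", ip, "-j", "DROP"]

    def ban(self, ip, seconds, now=None):
        """Insert the DROP rule once per IP; a repeat offence only extends the expiry."""
        now = time.time() if now is None else now
        expiry = now + seconds
        with self._lock:
            if ip not in self._active:
                self.runner(self._rule("-I", ip))
            self._active[ip] = max(self._active.get(ip, 0), expiry)
            heapq.heappush(self._heap, (self._active[ip], ip))
            return self._active[ip]

    def expire_due(self, now=None):
        """Delete every rule whose ban has elapsed; returns the IPs unbanned."""
        now = time.time() if now is None else now
        unbanned = []
        with self._lock:
            while self._heap and self._heap[0][0] <= now:
                expiry, ip = heapq.heappop(self._heap)
                if self._active.get(ip) != expiry:
                    continue    # stale heap entry, superseded by a longer ban
                self.runner(self._rule("-D", ip))
                del self._active[ip]
                unbanned.append(ip)
        return unbanned

    def serve(self, stop_event, poll=1.0):
        """Body for the separate scheduler thread: unban on time, then sleep."""
        while not stop_event.is_set():
            self.expire_due()
            stop_event.wait(poll)


if __name__ == "__main__":
    # Dry run with a recording runner instead of touching the real firewall.
    log = []
    sched = IptablesBanScheduler(runner=log.append)
    sched.ban("192.0.2.10", 60, now=1000)       # constructed sample offender
    print(sched.expire_due(now=1060), log)
    print(nft_ban_commands("192.0.2.10", 600), ipset_ban_commands("192.0.2.10", 600))
```

To use it for real, start `threading.Thread(target=sched.serve, args=(stop_event,), daemon=True)` once and call `ban()` from the event handler; the poll interval bounds how late an unban can happen, which is exactly the imprecision nftables avoids by expiring the element in the kernel.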

It is the third solution after all, as this solution benefits from automatic timeouts, the same way nftables does.
Since I do not use iptables/ipset myself, I’d be grateful if someone could report back to me if the module works or not!

Reference: yves/pyruse#1