iptables compliance #1

Closed
opened 2018-02-22 16:42:14 +01:00 by theonlydoo · 2 comments

hi there,

Great initiative. Quick question though: why leave iptables out of the project scope? Is it a planned feature or a design choice?

(based on

> nftables if IP address bans are to be managed;

[here](https://yalis.fr/git/yves/pyruse/src/branch/master/doc/install.md))
Owner

Hi theonlydoo,

Thanks for your interest in this software.
The reason for leaving out iptables in favour of nftables is twofold:

  • First, nftables is the “next generation”, and with this whole project (of which Pyruse is only a part), I strive to stick to modern solutions, leaving out software for which there are newer and “better” (in my eye) alternatives.
  • Second and not least, nftables includes the ability to handle timeouts, an ability that iptables lacks to my —admittedly limited— knowledge. Indeed, you may have noticed that the Pyruse software is entirely “passive”, or rather reactive; for instance, it does not include a scheduler, and is thus poorly equipped to deal with clock-based events.

That said, there are several ways for including iptables support in Pyruse; here are a few:

  • The simplest way is probably to rely on the system’s scheduler (atd, or even better, systemd) to manage the timeouts.
  • Or Pyruse could include its own scheduler, that would run in a separate thread.
  • There might also be a solution using the [ipset](http://ipset.netfilter.org/iptables-extensions.man.html) extension in conjunction with ConnTrack’s timeout policies (but I know next to nothing on this topic)…

Either way would probably be rather easy to implement, and I’d be willing to implement the first method, if you think it is useful.
Cheers,
yves referenced this issue from a commit 2018-03-17 17:46:33 +01:00
yves closed this issue 2018-03-17 17:46:33 +01:00
Owner

It is the third solution after all, as this solution benefits from automatic timeouts, the same way nftables does.
Since I do not use iptables/ipset myself, I’d be grateful if someone could report back to me if the module works _or not_!
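The two replies above turn on one design question: who expires a ban? nftables sets (with `flags timeout`) and ipset sets (created with `timeout`) let the kernel do it, while plain iptables needs an external or in-process scheduler to issue the matching delete. The following is an added illustration of those three strategies side by side; it is not Pyruse's own module or code. Commands are only generated and handed to a callback (a dry run), so it runs without root or netfilter; the table, set and chain names (`filter`, `banned`, `INPUT`) and the sample address are assumptions made for the example.

```python
"""Three ways to give an IP ban an expiry, mirroring the options in the thread.

Added example, not Pyruse's own code. Commands are only *generated* and
handed to a callback (dry run), so this runs without root or netfilter.
Table/set/chain names ("filter", "banned", "INPUT") are assumptions.
"""
import heapq
from typing import Callable, Dict, List, Tuple

# A runner receives an argv list; a deployment would pass e.g. subprocess.run.
Runner = Callable[[List[str]], None]


class NftablesBans:
    """nftables: a set created with 'flags timeout' lets the kernel expire elements itself."""

    def __init__(self, run: Runner, family: str = "inet", table: str = "filter", set_name: str = "banned"):
        self.run, self.family, self.table, self.set_name = run, family, table, set_name

    def setup(self) -> None:
        self.run(["nft", "add", "table", self.family, self.table])
        self.run(["nft", "add", "set", self.family, self.table, self.set_name,
                  "{ type ipv4_addr; flags timeout; }"])

    def ban(self, ip: str, seconds: int) -> None:
        # The element carries its own timeout: no unban step is ever needed.
        self.run(["nft", "add", "element", self.family, self.table, self.set_name,
                  f"{{ {ip} timeout {seconds}s }}"])


class IpsetBans:
    """ipset (the thread's third option): hash:ip sets created with 'timeout' expire entries in-kernel."""

    def __init__(self, run: Runner, set_name: str = "banned", chain: str = "INPUT"):
        self.run, self.set_name, self.chain = run, set_name, chain

    def setup(self) -> None:
        # 'timeout 0' enables the timeout extension with "never expire" as the
        # default, so each entry can carry its own lifetime.
        self.run(["ipset", "create", "-exist", self.set_name, "hash:ip", "timeout", "0"])
        self.run(["iptables", "-I", self.chain, "-m", "set", "--match-set", self.set_name, "src", "-j", "DROP"])

    def ban(self, ip: str, seconds: int) -> None:
        # -exist makes a repeated ban refresh the timeout instead of failing.
        self.run(["ipset", "add", "-exist", self.set_name, ip, "timeout", str(seconds)])


class IptablesBans:
    """Plain iptables has no expiry: pair it with a scheduler (the thread's second
    option) that issues the matching -D rule when the ban runs out."""

    def __init__(self, run: Runner, chain: str = "INPUT"):
        self.run, self.chain = run, chain
        self._heap: List[Tuple[float, str]] = []   # (expiry time, ip)
        self._until: Dict[str, float] = {}          # latest expiry per active ban

    def ban(self, ip: str, seconds: int, now: float) -> None:
        if ip not in self._until:                   # avoid stacking duplicate DROP rules
            self.run(["iptables", "-I", self.chain, "-s", ip, "-j", "DROP"])
        self._until[ip] = now + seconds             # a re-ban extends the deadline
        heapq.heappush(self._heap, (now + seconds, ip))

    def tick(self, now: float) -> List[str]:
        """Delete rules whose ban has expired; a scheduler thread or timer would call this periodically."""
        released = []
        while self._heap and self._heap[0][0] <= now:
            when, ip = heapq.heappop(self._heap)
            if self._until.get(ip) != when:         # stale entry superseded by a later re-ban
                continue
            self.run(["iptables", "-D", self.chain, "-s", ip, "-j", "DROP"])
            del self._until[ip]
            released.append(ip)
        return released


def demo() -> List[List[str]]:
    """Dry-run all three strategies on a constructed sample address; returns the commands generated."""
    log: List[List[str]] = []
    attacker = "192.0.2.10"                         # constructed example address (TEST-NET-1)
    nft = NftablesBans(log.append); nft.setup(); nft.ban(attacker, 3600)
    ips = IpsetBans(log.append);   ips.setup(); ips.ban(attacker, 3600)
    ipt = IptablesBans(log.append)
    ipt.ban(attacker, 60, now=0.0)
    ipt.ban(attacker, 120, now=30.0)                # re-ban: deadline moves to t=150, no duplicate rule
    assert ipt.tick(100.0) == []                    # the t=60 deadline is stale, nothing released
    assert ipt.tick(150.0) == [attacker]            # rule deleted once the live deadline passes
    return log


if __name__ == "__main__":
    for argv in demo():
        print(" ".join(argv))
```

The iptables variant is where the scheduler question bites: the process must survive long enough to run `tick()`, and a restart loses the pending deletes unless they are persisted, whereas the nftables and ipset variants leave the expiry to the kernel and need no such bookkeeping.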
Reference: yves/pyruse#1