Forcing DNS/NTP V2 - new approach

[Matthias Fischer <matthias.fischer@ipfire.org>]

[-- Attachment #1: Type: text/plain, Size: 1945 bytes --]

Hi,

since restarting the *whole* firewall through '/etc/rc.d/init.d/firewall
restart' as I did before is NOT an option, I'm thinking about another -
simpler way - to do this.

As Michael wrote "There are plenty of temporary rules that are being
created and which simply will get lost after restarting the firewall.
Mainly this affects IPsec, but also QoS."

For me - and of course for everybody who uses IPSec or QoS - this is a
showstopper. Saving the affected - temporary rules - is too complicated
(for me). I'm trying to make this as simple as possible.

So I'm thinking about separating the DNS/NTP-commands and use them in a
another init-file, apart from the firewall initscript.
I just want to "go out of the way". ;-)

As I see it, IPSec and QoS (e.g) would not be affected and furthermore
we would perhaps have the choice to control some other settings through
this file.
E.g., the settings from '/var/ipfire/optionsfw/settings' are processed
in various control files, see:
https://community.ipfire.org/t/forcing-all-dns-traffic-from-the-lan-to-the-firewall/3512/89

And perhaps that would give us the chance to tidy things up. Just a thought.

So what about using an 'optionsfw' initscript for the DNS/NTP rules?

This and *only* this file would be started through "Save and Restart' on
'optionsfw.cgi', using a new binary. As before, this would be
'optionsfwctrl(.c)', now just containing a call of
'/etc/rc.d/init.d/optionsfw'. Controlling other settings could be added
as needed. A complete firewall restart is NOT initiated.

In this init, the existence of the needed values is first checked, and
only processed if they exist (e.g.):
...
if [ -z "$DNS_FORCE_ON_GREEN" ] && [ "$DNS_FORCE_ON_GREEN" == "on" ]; then
...

The only affected chain is CUSTOMPREROUTING, so other
functionalities/chains (IPSec, QoS) should not be affected.

May I ask for your opinions? ;-)

Best,
Matthias