Re: Forcing DNS/NTP V2 - new approach

[Michael Tremer <michael.tremer@ipfire.org>]

[-- Attachment #1: Type: text/plain, Size: 2977 bytes --]

Hi,

> On 30 Dec 2020, at 08:28, Matthias Fischer <matthias.fischer(a)ipfire.org> wrote:
> 
> Hi,
> 
> since restarting the *whole* firewall through '/etc/rc.d/init.d/firewall
> restart' as I did before is NOT an option, I'm thinking about another -
> simpler way - to do this.
> 
> As Michael wrote "There are plenty of temporary rules that are being
> created and which simply will get lost after restarting the firewall.
> Mainly this affects IPsec, but also QoS."
> 
> For me - and of course for everybody who uses IPSec or QoS - this is a
> showstopper. Saving the affected - temporary rules - is too complicated
> (for me). I'm trying to make this as simple as possible.

Independently from all of this DNS stuff, I would still be interested in this feature.

It would be possible to stop IPsec, then flush the firewall and start it again.

Tunnels would of course be gone for a brief moment, but that should not be too disruptive. I am not sure how we can make this clear when someone hits the “Save” button that this could disrupt things.

> So I'm thinking about separating the DNS/NTP-commands and use them in a
> another init-file, apart from the firewall initscript.
> I just want to "go out of the way". ;-)
> 
> As I see it, IPSec and QoS (e.g) would not be affected and furthermore
> we would perhaps have the choice to control some other settings through
> this file.
> E.g., the settings from '/var/ipfire/optionsfw/settings' are processed
> in various control files, see:
> https://community.ipfire.org/t/forcing-all-dns-traffic-from-the-lan-to-the-firewall/3512/89
> 
> And perhaps that would give us the chance to tidy things up. Just a thought.

I like tidying things up.

> So what about using an 'optionsfw' initscript for the DNS/NTP rules?
> 
> This and *only* this file would be started through "Save and Restart' on
> 'optionsfw.cgi', using a new binary. As before, this would be
> 'optionsfwctrl(.c)', now just containing a call of
> '/etc/rc.d/init.d/optionsfw'. Controlling other settings could be added
> as needed. A complete firewall restart is NOT initiated.

That would be possible, too. Right now we simply do not have some things in separate functions that we could only reload the parts that we want. Most of the firewall is static anyways and wherever we have dynamic rules, those are in a chain that could be flushed and then recreated.

> In this init, the existence of the needed values is first checked, and
> only processed if they exist (e.g.):
> ...
> if [ -z "$DNS_FORCE_ON_GREEN" ] && [ "$DNS_FORCE_ON_GREEN" == "on" ]; then
> ...

This is very redundant. If you want to check for “on”, that implies that the variable isn’t empty. It if it empty, you do not care.

> The only affected chain is CUSTOMPREROUTING, so other
> functionalities/chains (IPSec, QoS) should not be affected.
> 
> May I ask for your opinions? ;-)
> 
> Best,
> Matthias

-Michael