Re: [PATCH 0/4] Network Zones support



Dan Williams wrote:
> One other note; if we want to block a bit on the firewall setting things
> up, we want to slot this in during "stage3" (ip config start) before
> "stage4" (ip config get) gets called, because only then do we know the
> actual interface name to send to the firewall.  For things like PPP,
> PPPoE, Bluetooth DUN, etc, we don't know the actual IP interface name
> until halfway through the connection setup process.  But at that point
> it should be safe to block for a short time for the firewall to do its
> work.
> 
> One other thought though, how do we handle DHCP with the firewall?  NM
> tries to do DHCP (which might need holes punched and stuff) during
> "stage3", which in my proposal above is before the firewall would be
> told the interface name.  Is that a problem?

DHCP clients bypass iptables for address configuration, so the core
DHCP feature should be fine. If the DHCP client or some hook script
performs e.g. DNS lookups, working connection tracking might be needed,
though. As long as the firewall always has a fallback rule that
allows that kind of traffic for unassigned interfaces, it's fine.

cu
Ludwig

-- 
 (o_   Ludwig Nussel
 //\
 V_/_  http://www.suse.de/
SUSE LINUX Products GmbH, GF: Jeff Hawn, Jennifer Guild, Felix Imendörffer, HRB 16746 (AG Nürnberg) 

