A couple of weeks ago I finally got round to doing some major surgery on iptables-persistent.
First of all, it is now principally called netfilter-persistent (although the source package has not been renamed), and it has a plugin architecture so that other packages can extend it. One of those packages is iptables-persistent; others may follow. This opens the way to fixing #662743 and #697088 (patches always welcome).
There’s also a new binary to handle loading/unloading of rules, instead of having all the logic in an init script. I was therefore able to add systemd support as a first-class unit, and I’d appreciate patches for an Upstart service (as I’m largely unfamiliar with it).
Plugins are simply dropped into /usr/share/netfilter-persistent/plugins.d and must follow certain minimum conventions, detailed in netfilter-persistent(1). They can be any executable, so compiled programs and interpreted scripts are both acceptable.
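As an illustration of what such a plugin can look like, here is an example added to this post; it is not code shipped by netfilter-persistent or iptables-persistent. It is a hypothetical 10-ipset plugin that saves and restores ipset sets before the iptables rules that reference them are loaded. The subcommand names (start, stop, flush, save) are taken from the netfilter-persistent(1) manpage as currently documented and should be checked against the installed version; the filename, the /etc/iptables/ipset.conf path and the IPSET_RULES_FILE/IPSET_BIN overrides are my own choices.

```sh
#!/bin/sh
# Hypothetical plugin /usr/share/netfilter-persistent/plugins.d/10-ipset
# (example added here; not shipped by iptables-persistent or netfilter-persistent).
#
# It saves and restores ipset sets, and sorts before the IPv4 plugin that current
# iptables-persistent packages ship as 15-ip4tables, because a rule using
# '-m set' fails to load if the set it names does not exist yet.
#
# Subcommands: netfilter-persistent(1) documents start, stop, flush and save;
# check the manpage of the installed version before relying on these names.

set -e

RULES_FILE="${IPSET_RULES_FILE:-/etc/iptables/ipset.conf}"   # assumed path
IPSET="${IPSET_BIN:-ipset}"                                     # overridable for testing

load_rules() {
    # A missing file is not an error: a freshly installed system has no sets yet,
    # and failing here would stop netfilter-persistent from running later plugins.
    if [ ! -f "$RULES_FILE" ]; then
        echo "Warning: skipping ipset (no rules file at $RULES_FILE)" >&2
        return 0
    fi
    # -exist makes 'create' idempotent, so a repeated 'start' does not fail.
    "$IPSET" restore -exist < "$RULES_FILE"
}

save_rules() {
    # Write to a temporary file and rename: a crash mid-write must not leave a
    # truncated ruleset that would silently load an incomplete blocklist at boot.
    tmp="$RULES_FILE.tmp"
    "$IPSET" save > "$tmp"
    chmod 0640 "$tmp"            # set contents (e.g. a blocklist) are root-only reading
    mv "$tmp" "$RULES_FILE"
}

flush_rules() {
    # Empty all sets first; destroying a set still referenced by an iptables rule
    # is refused by the kernel, so tolerate that and leave such sets (now empty) in place.
    "$IPSET" flush
    "$IPSET" destroy 2>/dev/null || true
}

main() {
    case "$1" in
        start)  load_rules ;;
        stop)   ;;   # leave sets in place: iptables rules may still reference them
        flush)  flush_rules ;;
        save)   save_rules ;;
        *)      echo "Usage: $0 {start|stop|flush|save}" >&2; exit 1 ;;
    esac
}

# Dispatch only when a subcommand was given, so the functions above can also be
# exercised on their own.
if [ $# -gt 0 ]; then
    main "$@"
fi
```

Installed with mode 0755, the plugin is picked up by the next netfilter-persistent save or start. Plugins run in lexical filename order, so the numeric prefix is what guarantees that the sets exist before the iptables plugin loads rules that use -m set; a plugin that exits non-zero on a merely absent rules file would be the most likely way to break that chain, which is why load_rules treats that case as a warning.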
This release finally gets the magic 1.0 identifier. It reaches Jessie today, and is already in Ubuntu Utopic.
What would be neat to have are interface-specific rules that are added/removed upon device up/down. I use something similar in /etc/network/if-up/down.d to do this, but it's ugly.
The ordering of the adding of rules would be needed, and also maybe a magic string for each rule to know if it is to be removed (-m comment module for iptables, maybe) when the interface goes down.
Or maybe there is already something that does this?