New comment by heliocat on void-packages repository https://github.com/void-linux/void-packages/pull/31145#issuecomment-849818635

Comment:

> I generally dislike splitting config files over those `blah.d` dirs (especially when they're scattered around the hier like sysctl.d..), but that's just a personal preference. If this change indeed serves a real and actual need right now, then so be it.

The void-infrastructure project and the void-ansible-roles/network subproject use blah.d directories and a dhcpcd hook script to assemble a composite firewall definition out of rules dropped into .d directories. My goal here is to move that logic out of a custom ansible-managed set of scripts and into the iptables package itself in order to have a cleaner migration path away from dhcpcd as the network manager for static addressed hosts.

> My only two other comments would be:
>
> The naming of the `rule` var may be misleading; those are `ruleset` fragments (technically tables since this is the minimum granule that iptables can operate on but oh well), rather than individual filtering rules being loaded at every iteration.

I don't have an opinion either way; if this is something you feel strongly about it's a fairly trivial change.

> Also, why not just `cat /etc/iptables/iptables.rules /etc/iptables.d/*.rules | iptables-restore` so that the entire aggregated ruleset will be loaded in one go rather than invoking iptables-restore repeatedly? This would simplify and avoid the need to add the --noflush flag and the counter/exit code issue altogether.

You already noted the `--noflush` comment. For the counter, some kind of detection is still needed to avoid @the-maldridge's earlier issue, where wrong usage (no rules at all) leaves the service "up":

```
# cat /etc/iptables/iptables.rules /etc/iptables.d/*.rules | iptables-restore -n ; echo $?
cat: /etc/iptables/iptables.rules: No such file or directory
cat: '/etc/iptables.d/*.rules': No such file or directory
0
```

In the previous iteration this was handled by the single file check, but you can't rely on that now since I'm trying to support rules in either or both locations. Similarly, switching to bash and pipefail doesn't work because cat will exit 1 if *any* input file doesn't exist, which will be the case for installs that only use iptables.rules (all classic installs). The only way to get the behavior I want is to set errexit and nullglob in bash, and then call the pipeline with timeout in order to catch a null-read in the case where no rules files exist. I consider that a heavier and harder to read change than an accumulator, though I will admit that `count` is a semantically poor name so I've staged a change updating it to `seen`.

Let me know how you feel on rule vs. ruleset, and if you have a better approach to glob-based file detection in dash. The best I can come up with is a loop and (if necessary) accumulator, but there might be something I'm missing.
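A dash-compatible version of the loop-plus-accumulator approach discussed above, as an added example that is not part of the PR or of this comment. The rule file and `.d` directory are parameters, and `RESTORE_CMD` is an assumed override so the aggregation can be exercised without a root shell; an unmatched glob stays literal in POSIX sh, so `test -f` does the detection instead of nullglob.

```shell
#!/bin/sh
# Added example (not the PR's code): assemble an iptables ruleset from a single
# rules file plus a .d directory of fragments, using only POSIX sh features.

# collect_rules FILE DIR
#   Prints each rules file that actually exists, one per line, and returns 1
#   when none exist, so a caller can refuse to report the service as "up"
#   with no rules loaded at all.
collect_rules() {
    file=$1
    dir=$2
    seen=0
    for f in "$file" "$dir"/*.rules; do
        # Without nullglob an unmatched pattern is passed through literally,
        # so a plain existence test covers both "missing file" and "empty dir".
        [ -f "$f" ] || continue
        printf '%s\n' "$f"
        seen=$((seen + 1))
    done
    [ "$seen" -gt 0 ]
}

# load_rules FILE DIR
#   Concatenates every fragment found by collect_rules and feeds the whole
#   aggregated ruleset to one restore invocation. RESTORE_CMD is an assumed
#   hook (defaults to "iptables-restore -n") that tests can point at "cat".
load_rules() {
    files=$(collect_rules "$1" "$2") || return 1
    printf '%s\n' "$files" |
        while IFS= read -r f; do cat "$f"; done |
        ${RESTORE_CMD:-iptables-restore -n}
}

# Stand-alone use with the paths from the discussion (needs root):
# load_rules /etc/iptables/iptables.rules /etc/iptables.d
```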