modularize default configuration

[Zugschlus]

Hi formorer,

I would like to have the default ferm.conf modularized, so that ferm.conf only contains a include ferm.conf.d, and the default configuration being split up in multiple small files in ferm.conf.d.

I am planning to finally build a replacement for my ippl package (which is upstream-dead for more than ten years) with an iptables framework (working title iptpl) which needs logging rules to be established first in the ferm rule set. This cannot be done with the current configuration scheme since the include statement is last in the default ferm.conf.d.

I have pondered a bit to ask you to include an "early hook", but came to the conclusion that modularizing the entire configuration will give most flexibility to the local admin.

Would you be willing to accept a pull request from me making the change? If so, please say so, and I'll make one.

Greetings
Marc

[Zugschlus]

I gave it a try at https://github.com/Zugschlus/pkg-ferm - please take a look at it, and if you like it, pull from it. I can click you a pull request if you prefer that.

[gnikolaidis]

I agree that the default ferm.conf is too opinionated for a dpkg conffile- @Zugschlus proposal provides a saner alternative.

[Zugschlus]

Sadly, I am no longer interested in working on that. We now have nft and nftables, which bring their very own set of an unfinished definition language. ferm used to be much nicer than nft, but there is no migration path and nft is unlikely to change. From my side, this issue can be closed.

[gnikolaidis]

I am really sad that ferm has been moved aside by nft, which leaves much to be desired in terms of capabilities. I am kind of wishing there were a path for ferm to become an nftables frontend, but this is understandably very difficult. Nevertheless, I remain hopeful that ferm has a future after iptables :-)