On 11/13/2012 03:46 PM, Matthew Miller wrote:
On Tue, Nov 13, 2012 at 02:28:17PM +0100, Tomasz Torcz wrote:
Here, I mostly don't see the reason for it to be running all the time.
Couldn't it be dbus activated, and then go away when it's not needed? Then,
it would matter less what it was written in.
It would lose internal state if it would be D-BUS activated.
Surely it could persist it somewhere?
Like in the actual netfilter rules?
Yes.
It has to be able to save internal state *somehow*, because if restarting
the service breaks everything, we're not gaining much over the old way, are
we? Plus, for a critical service like this, the service needs to be designed
to be as robust as possible in situations where it might crash or get killed
arbitrarily.
With the old static firewall model every firewall change was a complete
firewall recreate with conntrack loss. With firewalld changes to the
firewall are done dynamically and conntrack is preserved.
If you want to recreate rules, use reload. If you restart the service
with systemd, the service gets stopped and started again, so you will
lose internal state. This is how services are working.
And for things like the ten-second-temporary rule, it could hang around for
a while.
It is using glib timeouts for this, it is not hanging around and blocking.
--
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
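The thread above contrasts three behaviours of a firewall daemon: the old static model (flush and recreate everything, losing conntrack), the dynamic model (push only the delta for each change), and temporary rules that expire on a timer, with the question of whether in-memory state can be persisted across a restart. The following added example is not firewalld's code and not from any of the thread's participants; it is a small Python model that simulates those behaviours. The `Rule`, `RuleManager`, `static_recreate` names, the rule text strings and the injectable clock are all constructed for illustration; nothing here talks to netfilter, the "kernel" is just an audit list of operations that would have been pushed.

```python
"""Model of a dynamic firewall rule manager (constructed illustration, not firewalld code).

Rules live in memory with an optional expiry; each change is pushed as an
incremental add/del instead of a full flush, and the state can be snapshotted
as JSON so a restarted daemon resumes with its temporary rules intact.
"""
import json
import time
from dataclasses import dataclass
from typing import Callable, Dict, List, Optional, Tuple


@dataclass(frozen=True)
class Rule:
    chain: str
    spec: str  # hypothetical rule text, e.g. "-p tcp --dport 22 -j ACCEPT"

    def key(self) -> str:
        return f"{self.chain} {self.spec}"


class RuleManager:
    """Keeps the dynamic rule table; `clock` is injectable so expiry is testable."""

    def __init__(self, clock: Callable[[], float] = time.monotonic):
        self._clock = clock
        # rule key -> (rule, absolute expiry time or None for permanent rules)
        self._rules: Dict[str, Tuple[Rule, Optional[float]]] = {}
        # simulated operations pushed to the kernel, in order
        self.applied: List[str] = []

    def add_rule(self, rule: Rule, timeout: Optional[float] = None) -> bool:
        """Add a rule; a timeout (seconds) makes it temporary. False on duplicate."""
        if rule.key() in self._rules:
            return False
        expiry = self._clock() + timeout if timeout is not None else None
        self._rules[rule.key()] = (rule, expiry)
        self.applied.append(f"add {rule.key()}")  # only this rule is touched
        return True

    def remove_rule(self, rule: Rule) -> bool:
        if self._rules.pop(rule.key(), None) is None:
            return False
        self.applied.append(f"del {rule.key()}")
        return True

    def expire(self) -> List[str]:
        """Drop rules whose timeout has elapsed; stands in for the timer callback."""
        now = self._clock()
        gone = [k for k, (_, exp) in self._rules.items() if exp is not None and exp <= now]
        for k in gone:
            del self._rules[k]
            self.applied.append(f"del {k}")
        return gone

    def active_keys(self) -> List[str]:
        return sorted(self._rules)

    def snapshot(self) -> str:
        """Serialize state, storing remaining TTL so it survives a restart."""
        now = self._clock()
        items = [{"chain": r.chain, "spec": r.spec,
                  "ttl": None if exp is None else max(0.0, exp - now)}
                 for r, exp in self._rules.values()]
        return json.dumps(items)

    @classmethod
    def restore(cls, blob: str, clock: Callable[[], float] = time.monotonic) -> "RuleManager":
        """Rebuild a manager from a snapshot; rules are re-pushed incrementally."""
        mgr = cls(clock)
        for item in json.loads(blob):
            mgr.add_rule(Rule(item["chain"], item["spec"]), item["ttl"])
        return mgr


def static_recreate(rules: List[Rule]) -> List[str]:
    """The old static model: flush the whole table and re-add, which loses conntrack."""
    return ["flush"] + [f"add {r.key()}" for r in rules]


if __name__ == "__main__":
    now = [0.0]
    mgr = RuleManager(lambda: now[0])
    mgr.add_rule(Rule("INPUT", "-p tcp --dport 22 -j ACCEPT"))
    mgr.add_rule(Rule("INPUT", "-p tcp --dport 8080 -j ACCEPT"), timeout=10)
    saved = mgr.snapshot()          # what a restart would need to resume
    now[0] = 14.0
    resumed = RuleManager.restore(saved, lambda: now[0])
    print("expired after restart:", resumed.expire())
    print("still active:", resumed.active_keys())
```

The snapshot stores remaining TTL rather than absolute expiry, so a temporary rule added before a crash still expires roughly on schedule after the daemon comes back, instead of silently becoming permanent; that is the failure mode a restart without persisted state would produce.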