On 11/13/2012 05:36 PM, Matthew Miller wrote:
On Tue, Nov 13, 2012 at 05:28:42PM +0100, Thomas Woerner wrote:
If you want to recreate rules, use reload. If you restart the
service with systemd, the servce gets stopped and started again, so
you will loose internal state. This is how services are working.
I understand that some services work that way. However, I don't think that
this is the best design for a firewall service. Is there some way to force
the internal state to be recorded?
Let's say there is a security fix for the firewall service which needs to be
applied. The daemon will need to be reloaded. Is this now not possible?
Some services work that way? Only some? If you have a security fix, you
have to restart every service to get the new code.
Firewalld is not able to save the state for a later start.
And for things like the ten-second-temporary rule, it could hang around for
a while.
It is using glib timeouts for this, it is not hanging around and blocking.
Sorry, this comment lost context: I didn't mean that the timeout
implementation was poor. I meant that if the service were dbus activated, it
could stay running if it continued to have things to do, and exit (maybe
after a brief wait) if not.
The security team asked me not to make firewalld a D-BUS driven
mechanism, because of security concerns and also because of SELinux.
Additionally every load of the mechanism could have to load modified or
removed configuration files. So how should it get to the same state then
again? How should it react on and reflect configuration changes? So it
would have to write out everything - the state and all configuration
files. I am sorry, but this is overkill and a most likely a source of
big problems.
--
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel
