Re: raising warning flag on firewalld-default feature

On 11/13/2012 06:16 PM, Dennis Jacobfeuerborn wrote:
On 11/13/2012 05:28 PM, Thomas Woerner wrote:
On 11/13/2012 03:46 PM, Matthew Miller wrote:
On Tue, Nov 13, 2012 at 02:28:17PM +0100, Tomasz Torcz wrote:
Here, I mostly don't see the reason for it to be running all the time.
Couldn't it be dbus activated, and then go away when it's not needed?
Then, it would matter less what it was written in.
It would lose internal state if it would be D-BUS activated.
Surely it could persist it somewhere?
    Like in the actual netfilter rules?

Yes.

It has to be able to save internal state *somehow*, because if restarting
the service breaks everything, we're not gaining much over the old way, are
we? Plus, for a critical service like this, the service needs to be designed
to be as robust as possible in situations where it might crash or get killed
arbitrarily.

With the old static firewall model every firewall change was a complete
firewall recreate with conntrack loss. With firewalld changes to the
firewall are done dynamically and conntrack is preserved.

That's not correct. You can modify the firewall just fine without
restarting it.

This is related to system-config-firewall/lokkit. You are right, if you are using iptables directly then you do not have this limitation. firewalld is a replacement for s-c-fw/lokkit.

Regards,
   Dennis


--
devel mailing list
devel@xxxxxxxxxxxxxxxxxxxxxxx
https://admin.fedoraproject.org/mailman/listinfo/devel


