On Thu, Sep 14, 2017 at 9:00 AM, Lennart Poettering <mzerqung@xxxxxxxxxxx> wrote:
> On Do, 14.09.17 07:25, Nico Kadel-Garcia (nkadel@xxxxxxxxx) wrote:
>
>> And... "let's replace something that is stable, long supported, and
>> works across multiple platforms with an untested new systemd feature
>> for which stable software will have to be rewritten and thus a fork
>> maintained for Linux" has been a longstanding problem. There have been
>> too many half-thought-out systemd "enhancements" that break working
>> software and use models.
>
> Thank you for the friendly words.
>
> Note that systemd's new IPAddressAllow=/IPAddressDeny= settings apply
> to all sockets a service creates automatically — without any
> modification of the daemon code itself, thanks to the powers of
> ebpf/cgroups.
>
> Lennart

There are other useful features of your work, Lennart, and of systemd in general. The constant scope creep is not one of them. The new featureset you mention is not old enough to be tested robustly for system critical use. Moreover, cgroups, much like systemd, requires a Linux kernel. tcp_wrappers does not. As I tried to point out, when using systemd as a solution to replace stable network features, that means new code for stable tools to work specifically without tcp_wrappers. The ability to add a new feature to an exciting tool should not be the only goal of writing a new tool. Ideally, it should actually solve a problem that we have, not just be an exciting way to do it with your own personal favorite toolkit. If there were a significant benefit to doing it in systemd, that could be worth considering. I see none here. Worse, there are too many of these expansions of systemd's feature set that break working systems with basic architectural choices. The /etc/resolv.conf symlink which violated RFC1619 was one example. The "disconnect user processes on logout with a compiled in, non-manageable setting and leave no record of it in the logs" was another.

I'm glad there has been so much improvement of that feature: I understand that now it logs, and can be enabled or disabled. But the lack of a whitelist or blacklist was the sort of thing that made it safer, and preferable, to apply a cron job with some minimum duration before terminating such processes. It wasn't *necessary*. As I said, there are things I like and find useful about systemd. The incessant scope creep remains problematic. I'd hate to see that scope creep break tools that work well with an extremely stable toolkit.

_______________________________________________
devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx
To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx
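To make the two mechanisms the thread is comparing concrete, here is an added example (not part of the thread): a tcp_wrappers rule set next to a systemd unit drop-in using the IPAddressAllow=/IPAddressDeny= settings Lennart mentions. The service name (sshd), the 192.168.1.0/24 subnet and the drop-in file path are assumed for illustration.

```ini
# --- tcp_wrappers: only consulted by daemons that link against libwrap ---
# /etc/hosts.allow
sshd: 192.168.1.0/255.255.255.0, 127.0.0.1
# /etc/hosts.deny
sshd: ALL

# --- systemd: applied by the kernel to every socket in the service's cgroup ---
# /etc/systemd/system/sshd.service.d/ipfilter.conf  (assumed path and service)
[Service]
# Deny everything first; entries in IPAddressAllow= take precedence over
# IPAddressDeny= for addresses that match both lists.
IPAddressDeny=any
IPAddressAllow=localhost
IPAddressAllow=192.168.1.0/24
```

After `systemctl daemon-reload` and a restart, `systemctl show -p IPAddressAllow -p IPAddressDeny sshd.service` reports the lists in effect, and the filter is enforced by the kernel rather than by the daemon, so it needs a Linux kernel with cgroup eBPF support, which is the portability point the reply raises.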