defining firewalld services

Thomas Woerner twoerner at redhat.com
Fri Jul 4 11:36:00 UTC 2014


On 07/03/2014 09:32 PM, Stef Walter wrote:
> On 03.07.2014 15:39, Rex Dieter wrote:
>> I'm looking into providing a predefined firewalld service definition for
>> kde-connect, per
>> https://bugzilla.redhat.com/show_bug.cgi?id=1115547
>>
>> Looks like it's as easy as dropping an xml snippet into
>> /usr/lib/firewalld/services/
>>
>> I'm also noticing currently that the only package besides firewalld itself
>> doing this is cockpit, which includes a %post scriptlet:
>>
>> # firewalld only partially picks up changes to its services files
>> # without this
>> test -f %{_bindir}/firewall-cmd && firewall-cmd --reload --quiet || true
>>
>>
>> Is this the recommended approach?  If so, I'll follow this lead, and maybe
>> start work on drafting some packaging guidelines.
>
> Thomas Woerner would be the one to work out those guidelines.
>
Yes.

> But to explain ... apparently there are two firewalld "environments".
> When you install a service file it only affects the installed
> environment (used after a reboot) and not the current "runtime environment".
>
> This means that a user can't immediately use your service definition in
> a command like:
>
> $ firewall-cmd --add-service=cockpit
>
> The command:
>
> $ firewall-cmd --reload
>
> ... makes newly installed service files available in the runtime
> environment. I guess this is sorta analogous to 'systemctl daemon-reload'.
>
Newly added services and zones are available in the permanent
environment of firewalld, where they can be used with the UI and command
line tools.

To have a newly added service or zone in the runtime environment, firewalld
needs to be reloaded: firewall-cmd --reload or systemctl reload
firewalld.service.

> Stef
>

Thomas
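As an added illustration of the packaging pattern discussed in this thread (this is example code, not cockpit's scriptlet or anything from the firewalld project), the script below generates a firewalld service definition in the XML form that lives under /usr/lib/firewalld/services/, installs it, and then performs the same guarded reload the cockpit %post scriptlet uses so that the definition becomes visible in the runtime environment and not only in the permanent one. The service name "example-app", its description and the port list are constructed placeholders; the services directory is overridable so the script can be exercised against a scratch directory.

```shell
#!/bin/sh
# Added example: build and install a firewalld service definition, then
# reload firewalld the way the cockpit %post scriptlet in the thread does.
# Service name, description and ports are constructed placeholders.

SERVICE_NAME="${SERVICE_NAME:-example-app}"
SERVICES_DIR="${SERVICES_DIR:-/usr/lib/firewalld/services}"

# Print a firewalld service XML document for NAME with DESCRIPTION,
# followed by PROTO/PORT specs such as "tcp/1714" or "udp/1714-1764".
# Only tcp and udp are accepted; anything else is rejected with status 1.
firewalld_service_xml() {
    name="$1"; desc="$2"; shift 2
    for spec in "$@"; do
        case "${spec%%/*}" in
            tcp|udp) ;;
            *) echo "unsupported protocol in '$spec'" >&2; return 1 ;;
        esac
    done
    printf '<?xml version="1.0" encoding="utf-8"?>\n'
    printf '<service>\n'
    printf '  <short>%s</short>\n' "$name"
    printf '  <description>%s</description>\n' "$desc"
    for spec in "$@"; do
        printf '  <port protocol="%s" port="%s"/>\n' "${spec%%/*}" "${spec#*/}"
    done
    printf '</service>\n'
}

# Write the definition as DIR/NAME.xml, the layout a package would own.
install_service_file() {
    dir="$1"; name="$2"; shift 2
    mkdir -p "$dir"
    firewalld_service_xml "$name" "$@" > "$dir/$name.xml"
}

# Same guarded reload as the cockpit scriptlet: reload only when
# firewall-cmd exists, and never let a reload failure fail the install.
# After this, the service is usable in the runtime environment too.
reload_firewalld_if_present() {
    if command -v firewall-cmd >/dev/null 2>&1; then
        firewall-cmd --reload --quiet || true
    fi
    return 0
}

# Check whether NAME is known in the runtime ("runtime") or permanent
# ("permanent") environment. Meaningful only on a host running firewalld;
# before the reload a freshly dropped file shows up only as "permanent".
service_known() {
    name="$1"; env="$2"
    case "$env" in
        permanent) firewall-cmd --permanent --get-services ;;
        runtime)   firewall-cmd --get-services ;;
        *) return 2 ;;
    esac | tr ' ' '\n' | grep -qx "$name"
}

# Stand-alone run: print the definition that would be installed, without
# touching the real services directory.
firewalld_service_xml "$SERVICE_NAME" "Example application" \
    "tcp/1714" "udp/1714-1764"
```

In a package, install_service_file would run at build time into the buildroot and reload_firewalld_if_present in %post; the service_known helper is there to verify the thread's point by hand, checking "permanent" before and "runtime" after the reload.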

