raising warning flag on firewalld-default feature

Thomas Woerner twoerner at redhat.com
Tue Nov 13 16:28:42 UTC 2012


On 11/13/2012 03:46 PM, Matthew Miller wrote:
> On Tue, Nov 13, 2012 at 02:28:17PM +0100, Tomasz Torcz wrote:
>>>>> Here, I mostly don't see the reason for it to be running all the time.
>>>>> Couldn't it be dbus activated, and then go away when it's not needed? Then,
>>>>> it would matter less what it was written in.
>>>> It would lose internal state if it would be D-BUS activated.
>>> Surely it could persist it somewhere?
>>    Like in the actual netfilter rules?
>
> Yes.
>
> It has to be able to save internal state *somehow*, because if restarting
> the service breaks everything, we're not gaining much over the old way, are
> we? Plus, for a critical service like this, the service needs to be designed
> to be as robust as possible in situations where it might crash or get killed
> arbitrarily.
>
With the old static firewall model every firewall change was a complete 
firewall recreate with conntrack loss. With firewalld changes to the 
firewall are done dynamically and conntrack is preserved.

If you want to recreate rules, use reload. If you restart the service 
with systemd, the service gets stopped and started again, so you will 
lose internal state. This is how services work.

> And for things like the ten-second-temporary rule, it could hang around for
> a while.
>
It is using glib timeouts for this; it is not hanging around and blocking.
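
The two points above (a temporary rule expires via a non-blocking timer rather than a sleeping thread, and runtime-only rules and their timers are dropped on reload while the process keeps running) as an added example in Python. This is not firewalld's code: firewalld uses GLib timeouts inside its main loop, and the model below replaces them with a deadline heap driven by an injectable clock so it runs without a main loop, root or netfilter. The rule table is a plain dict standing in for the kernel rules, and the rule strings are made up.

```python
"""Model of timed runtime rules with non-blocking expiry (added example, not firewalld code).

Assumptions: the clock is injected so tests can advance time; the "rule
table" is a dict, not netfilter; rule strings are constructed samples.
"""
import heapq
import itertools
import time
from typing import Callable, Dict, Iterable, List, Optional, Set, Tuple


class RuntimeFirewall:
    def __init__(self, clock: Callable[[], float], permanent: Iterable[str] = ()) -> None:
        self._clock = clock
        self.permanent: Set[str] = set(permanent)
        # rule -> expiry time; float("inf") means no timeout
        self._rules: Dict[str, float] = {p: float("inf") for p in self.permanent}
        # min-heap of (expiry, seq, rule); seq keeps ordering stable for equal deadlines
        self._deadlines: List[Tuple[float, int, str]] = []
        self._seq = itertools.count()

    def add_rule(self, rule: str, timeout: Optional[float] = None) -> None:
        """Add a runtime rule; with a timeout it is scheduled for removal.

        Re-adding a rule with a new timeout replaces its expiry; the old heap
        entry becomes stale and is ignored when it surfaces.
        """
        expiry = float("inf") if timeout is None else self._clock() + timeout
        self._rules[rule] = expiry
        if timeout is not None:
            heapq.heappush(self._deadlines, (expiry, next(self._seq), rule))

    def remove_rule(self, rule: str) -> None:
        # Any pending deadline for this rule is now stale and will be skipped.
        self._rules.pop(rule, None)

    def _prune_stale(self) -> None:
        while self._deadlines:
            expiry, _, rule = self._deadlines[0]
            if self._rules.get(rule) == expiry:
                return
            heapq.heappop(self._deadlines)

    def next_wakeup(self) -> Optional[float]:
        """Earliest live deadline, or None: what an event loop would sleep until."""
        self._prune_stale()
        return self._deadlines[0][0] if self._deadlines else None

    def tick(self) -> List[str]:
        """Expire every rule whose deadline has passed. Never sleeps."""
        now = self._clock()
        expired: List[str] = []
        while self._deadlines and self._deadlines[0][0] <= now:
            expiry, _, rule = heapq.heappop(self._deadlines)
            if self._rules.get(rule) == expiry:  # skip stale entries
                del self._rules[rule]
                expired.append(rule)
        return expired

    def active_rules(self) -> Set[str]:
        return set(self._rules)

    def reload(self) -> None:
        """Re-apply the permanent configuration in place.

        Runtime-only rules and their timers are dropped, but the object (and,
        in the real daemon, the kernel's conntrack table) survives.
        """
        self._rules = {p: float("inf") for p in self.permanent}
        self._deadlines.clear()


if __name__ == "__main__":
    fw = RuntimeFirewall(time.monotonic, permanent={"accept 22/tcp"})
    fw.add_rule("accept 8080/tcp", timeout=0.2)
    while (deadline := fw.next_wakeup()) is not None:
        time.sleep(max(0.0, deadline - time.monotonic()))  # the loop sleeps, not the rule
        print("expired:", fw.tick())
    print("still active:", fw.active_rules())
```

The stale-entry check in `tick()` is the part worth copying: cancelling or re-arming a timer never has to search the heap, because an entry whose expiry no longer matches the rule's current expiry is simply dropped when it reaches the top.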

