defining firewalld services

Thomas Woerner twoerner at redhat.com
Mon Jul 7 17:03:13 UTC 2014


On 07/07/2014 02:55 PM, Stephen Gallagher wrote:
> On 07/04/2014 07:36 AM, Thomas Woerner wrote:
>> On 07/03/2014 09:32 PM, Stef Walter wrote:
>>> On 03.07.2014 15:39, Rex Dieter wrote:
>>>> I'm looking into providing a predefined firewalld service
>>>> definition for kde-connect, per
>>>> https://bugzilla.redhat.com/show_bug.cgi?id=1115547
>>>>
>>>> Looks like it's as easy as dropping an xml snippet into
>>>> /usr/lib/firewalld/services/
>>>>
>>>> I'm also noticing currently that the only package besides
>>>> firewalld itself doing this is cockpit, which includes a %post
>>>> scriptlet:
>>>>
>>>> # firewalld only partially picks up changes to its services files
>>>> # without this
>>>> test -f %{_bindir}/firewall-cmd && firewall-cmd --reload --quiet || true
>>>>
>>>>
>>>> Is this the recommended approach?  If so, I'll follow this
>>>> lead, and maybe start work on drafting some packaging
>>>> guidelines.
>>>
>>> Thomas Woerner would be the one to work out those guidelines.
>>>
>> Yes.
>>
>>> But to explain ... apparently there are two firewalld
>>> "environments". When you install a service file it only affects
>>> the installed environment (used after a reboot) and not the
>>> current "runtime environment".
>>>
>>> This means that a user can't immediately use your service
>>> definition in a command like:
>>>
>>> $ firewall-cmd --add-service=cockpit
>>>
>>> The command:
>>>
>>> $ firewall-cmd --reload
>>>
>>> ... makes newly installed service files available in the runtime
>>> environment. I guess this is sorta analogous to 'systemctl
>>> daemon-reload'.
>>>
>> Newly added services and zones are available in the permanent
>> environment of firewalld, where they can be used with the UI and
>> command line tools.
>>
>> To have a newly added service or zone in the runtime environment it
>> is needed to reload firewalld: firewall-cmd --reload or systemctl
>> reload firewalld.service.
>>
>
>
> Thomas, the real question here is this: If a package wants to install
> (and maintain) its own set of firewalld service definitions, is the
> approach Stef took the best one? If so, we should submit a Packaging
> Guidelines edit to the FPC and get this codified where others can find it.
>
Yes, this is the best approach right now.

I can write some documentation for this. What is the proper way to get
it in the Packaging guidelines?

>
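
Added example (not part of this thread, and not firewalld's or cockpit's own code): a shell check for the gap described above, where a service is known to the permanent environment but not yet to the runtime one. It assumes `firewall-cmd --permanent --get-services` and `firewall-cmd --get-services` print space-separated names; the function names and the sample service lists are constructed for illustration.

```shell
#!/bin/sh
# Added example: find firewalld services that are installed (permanent
# environment) but not usable yet because firewalld has not been reloaded.

# pending_services PERMANENT RUNTIME
# Both arguments are whitespace-separated service names. Prints the names
# present in PERMANENT but missing from RUNTIME, separated by spaces.
pending_services() {
    known=" $(echo $2) "                    # normalise whitespace, pad for matching
    out=""
    for svc in $1; do
        case "$known" in
            *" $svc "*) ;;                  # whole-word match: already in runtime
            *) out="${out:+$out }$svc" ;;   # only available after a reload
        esac
    done
    printf '%s\n' "$out"
}

# reload_needed PERMANENT RUNTIME -> exit status 0 when a reload is required
reload_needed() {
    [ -n "$(pending_services "$1" "$2")" ]
}

# Constructed sample data: a package has just dropped kde-connect.xml into
# /usr/lib/firewalld/services/ and firewalld has not been reloaded.
SAMPLE_PERMANENT="cockpit dhcpv6-client kde-connect ssh"
SAMPLE_RUNTIME="cockpit dhcpv6-client ssh"

# Use the live daemon when it is running, otherwise the constructed sample.
if command -v firewall-cmd >/dev/null 2>&1 && firewall-cmd --state >/dev/null 2>&1; then
    perm=$(firewall-cmd --permanent --get-services)
    run=$(firewall-cmd --get-services)
else
    perm=$SAMPLE_PERMANENT
    run=$SAMPLE_RUNTIME
fi

if reload_needed "$perm" "$run"; then
    echo "not in runtime until 'firewall-cmd --reload': $(pending_services "$perm" "$run")"
else
    echo "runtime environment is up to date"
fi
```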

