From: "Jörg Thalheim" <joerg@higgsboson.tk>
To: "Arturo Borrero Gonzalez" <arturo.borrero.glez@gmail.com>
Cc: "Netfilter Development Mailing list" <netfilter-devel@vger.kernel.org>
Subject: Re: [PATCH] add systemd service file
Date: Wed, 17 Dec 2014 20:57:02 +0000
Message-ID: <b3a6e72b6713574b986ab81624dddeda@mail.higgsboson.tk>
In-Reply-To: <CAOkSjBg_O4GRuFkm7hNoZDv_JqCjOVRcP7VNV=K1NYqHdSuJmA@mail.gmail.com>

On 17 December 2014 at 21:37, "Arturo Borrero Gonzalez" <arturo.borrero.glez@gmail.com> wrote:
> On 17 December 2014 at 20:54, Jörg Thalheim <joerg@higgsboson.tk> wrote:
> 
>> Signed-off-by: Jörg Thalheim <joerg@higgsboson.tk>
>> ---
>> .gitignore                |   2 +
>> configure.ac              |  35 +++++++++++++
>> files/Makefile.am         |   7 +++
>> files/nftables.service.in |  12 +++++
>> files/nftablesctl.in      | 129 ++++++++++++++++++++++++++++++++++++++++++++++
>> 5 files changed, 185 insertions(+)
>> create mode 100644 files/nftables.service.in
>> create mode 100755 files/nftablesctl.in
> 
> Thanks for your work :-)
> 
> IMHO, this belongs to distributors, don't you think?

This was in the old sysvinit world. These days it is common for upstream projects to come along with service files, as
they are more portable than shell scripts.

> 
> Anyway, some inlined comments.
> 
>> +nftables_start() {
>> +       find /etc/nftables -maxdepth 1 -type f -name '*.rules' -print0 | \
>> +               sort -z | xargs --null --no-run-if-empty --max-args=1 @sbindir@nft -f
>> +
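Review bot: `@sbindir@nft` in the xargs command is missing the `/` between the substituted directory and the binary, so with a plain sbindir it expands to something like `/usr/sbinnft`; it should read `@sbindir@/nft`. Separately, `--max-args=1` loads every `.rules` file in its own `nft -f` invocation and the pipeline's exit status is never checked, so a parse error in one file leaves the kernel with a partially loaded ruleset while nftables_start still returns success; check the status (or run under `set -e`) and report which file failed.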
> 
> You are making lot of assumptions, for example the '.rules' suffix.
> 
>> +       if [ -t 0 ] && [ "$1" = "--confirm" ]
>> +       then
>> +               echo "Please confirm that your network connection is working and press Ctrl+C on
>> success"
>> +               trap ctrl_c INT
>> +
>> +               sleep 20
>> +
>> +               echo "No response, flushing rules"
>> +               nftables_stop
>> +       fi
>> +}
>> +
>> +nftables_list() {
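Review bot: `trap ctrl_c INT` hands SIGINT to a `ctrl_c` function that is not defined anywhere in this hunk; if it does not exist elsewhere in nftablesctl.in, the shell reports an error when the operator presses Ctrl+C, the `sleep 20` is merely interrupted, and the "No response, flushing rules" rollback runs anyway. Please show the handler, and reset the trap (`trap - INT`) once the confirmation window has passed. Also note that the rollback calls nftables_stop, which flushes every family, whereas restoring the ruleset that was live before the change would be the safer fallback.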
> 
> Now (see latest v0.4 release) this is simply `nft list ruleset'.
> 
>> +       for P in ip inet ip6 arp bridge
>> +       do
>> +               nft_list_protocol "$P"
>> +       done
>> +}
>> +
>> +nftables_stop() {
> 
> Now this is simply `nft flush ruleset'.

Ok. I did not have a look at the latest release; when the script was written a year before, this was not possible.

> 
>> +       for P in ip inet ip6 arp bridge
>> +       do
>> +               nft_clear_protocol "$P"
>> +       done
>> +}
>> +
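Review bot: the family list `ip inet ip6 arp bridge` is repeated verbatim in nftables_list and nftables_stop, and the `nft_list_protocol` / `nft_clear_protocol` helpers they call are not part of this hunk, so a reviewer cannot see what a failure in one family does to the rest of the loop. Factor the list into one variable so the two functions cannot drift apart, or, as noted above, replace both loops with `nft list ruleset` and `nft flush ruleset`.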
>> +nftables_restart() {
>> +       nftables_stop
>> +       nftables_start "$1"
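Review bot: nftables_restart flushes first and only then loads, so a ruleset that fails to parse leaves the host with no rules at all and the function still returns success. Build the new ruleset as one file whose first statement is `flush ruleset` and load it with a single `nft -f` run: nft submits the whole file as one batch, so the old rules stay in place until the new ones are accepted, which also closes the window mentioned above.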
> 
> Here, I think in the time between the stop and start, there is no
> ruleset in the kernel.
> I guess we can do it better, flushing the old ruleset and loading the
> new one in a single, atomic step.

Is this possible with nft? If so, how?

> 
> -- 
> Arturo Borrero González
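An added example, not code from the patch or from the nftables project, of the atomic reload and confirm-then-rollback pattern discussed in this thread. It assumes a directory of `*.rules` / `*.nft` fragments (the patch's /etc/nftables layout) and an nft that supports `flush ruleset`, `list ruleset` and the `-c` parse-check option:

```shell
#!/bin/sh
# Added example (not part of the reviewed patch): replace the live nftables
# ruleset atomically and roll back to the previous ruleset unless confirmed.
set -eu

# build_ruleset DIR OUT: write "flush ruleset" followed by every DIR/*.rules
# and DIR/*.nft fragment (each glob in sorted order) to OUT. Because the flush
# is the first statement of the same file, `nft -f OUT` replaces the ruleset
# in one batch instead of the flush-then-load-N-files sequence of the patch.
# Returns 1 when no fragment exists, so a caller never flushes by accident.
build_ruleset() {
    dir=$1; out=$2; n=0
    printf 'flush ruleset\n' > "$out"
    for f in "$dir"/*.rules "$dir"/*.nft; do
        [ -f "$f" ] || continue          # skip an unmatched glob pattern
        printf '\n# --- %s ---\n' "$f" >> "$out"
        cat "$f" >> "$out"
        n=$((n + 1))
    done
    [ "$n" -gt 0 ]
}

# apply_ruleset FILE: parse-check first (nft -c, available in newer nft) so a
# syntax error is reported before anything is committed; then commit once.
apply_ruleset() {
    nft -c -f "$1" && nft -f "$1"
}

# reload_with_confirm DIR [SECONDS]: snapshot the running ruleset, apply the
# new one, then restore the snapshot unless the operator presses Ctrl+C.
# Unlike the patch's rollback, this restores the old rules instead of
# leaving the host with no rules at all.
reload_with_confirm() {
    dir=$1; secs=${2:-20}
    new=$(mktemp); old=$(mktemp)
    trap 'rm -f "$new" "$old"' EXIT
    build_ruleset "$dir" "$new"
    { printf 'flush ruleset\n'; nft list ruleset; } > "$old"
    apply_ruleset "$new"
    printf 'Press Ctrl+C within %ss if your connection still works\n' "$secs"
    trap 'echo "Confirmed, keeping new ruleset"; exit 0' INT
    sleep "$secs"
    echo 'No confirmation, restoring previous ruleset'
    nft -f "$old"
}

# Usage (as root): reload_with_confirm /etc/nftables 20
```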
