Red Hat Bugzilla – Bug 1317240
RFE: add firewall.target
Last modified: 2018-03-14 17:10:16 EDT
Description of problem:
In order to solve various issues with restarting the firewall and dependent services such as fail2ban with correct ordering, and also to allow for different firewall implementations (firewalld, iptables, shorewall...), it was proposed on the systemd-devel list to have a firewall.target file with contents:
Could this target be added? Ideally we'd add it to F24 and F25, but I realize F24 might be too far along.
If fixed, firewall.target will not be required.
(In reply to Marcos Mello from comment #1)
> If fixed, firewall.target will not be required.
Well, if that issue is "fixed", I think firewall.target still has utility as an integration point for firewall and related services.
But, I also think that issue is unlikely to be "fixed", as it seems, to me, that Conflicts and PartOf are behaving as designed in that example. But I am not a systemd developer, so what do I know :)
Can you explain what problem you are trying to solve and why network-pre.target is not sufficient?
The problem we're trying to solve is detailed in BZ #1266512, which blocks this bug. Further discussion is in the link given in Comment #1.
In summary: we need fail2ban to be restarted if the firewall service is restarted for some reason - fail2ban works by asking the firewall manager to insert iptables rules to block hosts. If the firewall managing service is restarted, the rules that were added for fail2ban are lost.
The desire to restart fail2ban when the firewall is restarted would be simple if there was only a single firewall manager. But, life is complicated by the fact that the firewall service could be provided by firewalld, or the iptables service, or shorewall, or some other firewall managing service.
network-pre.target is irrelevant to this purpose.
Note also this followup message:
Something similar was discussed here: https://bugs.freedesktop.org/show_bug.cgi?id=80169
Seems like we got close to a firewall.target before it got dropped.
Still an issue with fail2ban, see bug #1379141
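One way such a target could be wired up with stock systemd dependency directives, as an added sketch that is not the unit proposed on systemd-devel (its contents are not reproduced on this page) and not a unit shipped by Fedora, firewalld or fail2ban. The file paths, the set of firewall managers named, and the choice of PartOf= to carry a restart through the target are assumptions made for illustration; what it shows is the property the thread asks for: fail2ban names only firewall.target, and the knowledge of which services actually manage the packet filter lives in one place instead of in every consumer.

```ini
# --- /etc/systemd/system/firewall.target ---------------------------------
# Assumed name and path. The target is the integration point: consumers of
# firewall state depend on it, and it follows whichever firewall manager is
# installed. PartOf= means "when any of these is stopped or restarted, stop
# or restart me too"; it never starts them, so naming a manager that is not
# installed is harmless. The manager list is an assumed example set.
[Unit]
Description=Firewall integration point (added example, not the proposed unit)
Documentation=man:systemd.target(5) man:systemd.unit(5)
After=firewalld.service iptables.service ip6tables.service shorewall.service
PartOf=firewalld.service iptables.service ip6tables.service shorewall.service

[Install]
WantedBy=multi-user.target

# --- /etc/systemd/system/fail2ban.service.d/firewall-target.conf ---------
# Assumed drop-in; it only adds dependencies to the packaged unit.
# fail2ban names only the target. A restart of the active manager is
# propagated as a restart to firewall.target (the target is PartOf= it) and
# from there to fail2ban.service (PartOf= the target), so the rules fail2ban
# inserted are re-created after the manager has come back up. PartOf= carries
# no ordering, hence the explicit After=; without it fail2ban could start
# while the manager is still flushing its tables.
[Unit]
Wants=firewall.target
After=firewall.target
PartOf=firewall.target

# --- checks, as root, after `systemctl daemon-reload` and
#     `systemctl enable --now firewall.target` ----------------------------
#   systemctl show -p ConsistsOf firewall.target     # must list fail2ban.service
#   systemctl show -p ConsistsOf firewalld.service   # must list firewall.target
#   systemctl list-dependencies --reverse firewall.target
#   systemctl restart firewalld.service && journalctl -u fail2ban.service -n 5
# The journal should show fail2ban stopping and starting again. A restart is
# propagated through PartOf= only to units that are currently active, which
# is why the target is enabled at boot rather than left to be pulled in on
# demand; an inactive target would silently break the chain.
```

The trade-off is that the target, not the consumer, has to know the managers; that list is still distribution-maintained, but it is maintained once, and adding a new firewall implementation means touching firewall.target rather than fail2ban and every other service that inserts rules. The behaviour relies only on the documented PartOf= semantics (stop and restart of a listed unit are propagated to the unit that declares it) plus After= for ordering; nothing here addresses the Conflicts= interaction discussed in BZ #1266512.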