This is a long-term RFE rather than something immediate, but I think it'll make Firewalld more broadly applicable to many use cases, and reduce resistance to uptake, so I'd like to see it on the future roadmap. I understand that there's some complexity involved. In short: Firewalld should migrate from being an always-running service to being system-activated when changes are needed and exiting after current work has completed. This has two primary benefits: 1) In static use cases, the firewall never changes, so having a daemon running is a waste of resources. In most cases where dynamic changes *are* required, these changes are infrequent, and so again the always-running daemon is not useful. 2) Code that is started when needed and which _expects_ to go away exercises the startup/shutdown paths constantly and so is inherently more robust. Firewalld *already* uses DBus, so this seems like a natural fit. The service could exit after a certain timeout, so that if a large number of requests are coming in, they could all be handled without restart.
See comments from Lennart Poettering on how to implement dbus activation with systemd here: http://www.mail-archive.com/devel@lists.fedoraproject.org/msg50875.html
This needs some verification work to make sure that a mechanism like this is usable at all times and does not result in other problems like for example message timeouts for requests if the timeout of a request is shorter than the start time of the daemon using dbus activation.
See https://bugs.freedesktop.org/show_bug.cgi?id=11454
The results of the D-Bus activation tests with firewalld are: The mechanisms is working, but firewalld will not suspend as long as a consumer of the D-Bus interface of firewalld is active. To be more pecise: As long as there is a signal receiver for the firewalld D-Bus interface, firewalld will not suspend. This is the case for NetworkManager, firewall-applet and also firewall-config. The will most likely also be the case with configuration using a Cockpit plugin. Result: This feature is of limited use is most environments.
> Result: This feature is of limited use is most environments. What about in the case of a cloud server running NetworkManager in config-and-exit mode (or using systemd-networkd for network config)? You say it's _likely_ that a Cockpit plugin would keep firewalld persistent; could it be carefully written so it doesn't?
As far as I know it is not possible to have a Cockpit plugin that is not keeping a D-Bus server in a persistent state. As soon as there is a signal receiver there is a consumer and the service should not suspend.
I did some more tests and it seems that this is not an issue nowadays anymore. I only notified issues by switching from one dbus implementation to another one. For example by switching from python-dbus to gdbus. I will open a ticket for python-slip for deeper investigation.
Here is the submitted issue for python-slip: https://github.com/nphilipp/python-slip/issues/2
Bump, any chance we can get this priortised?
(In reply to Peter Robinson from comment #9) > Bump, any chance we can get this priortised? There is also a request upstream, but at the moment it's not a priority. https://github.com/firewalld/firewalld/issues/337