This is a long-term RFE rather than something immediate, but I think it'll make Firewalld more broadly applicable to many use cases, and reduce resistance to uptake, so I'd like to see it on the future roadmap. I understand that there's some complexity involved.
Firewalld should migrate from being an always-running service to being system-activated when changes are needed and exiting after current work has completed.
This has two primary benefits:
1) In static use cases, the firewall never changes, so having a daemon running is a waste of resources. In most cases where dynamic changes *are* required, these changes are infrequent, and so again the always-running daemon is not useful.
2) Code that is started when needed and which _expects_ to go away exercises the startup/shutdown paths constantly and so is inherently more robust.
Firewalld *already* uses DBus, so this seems like a natural fit.
The service could exit after a certain timeout, so that if a large number of requests are coming in, they could all be handled without restart.
See comments from Lennart Poettering on how to implement dbus activation with systemd here:
This needs some verification work to make sure that a mechanism like this is usable at all times and does not result in other problems like for example message timeouts for requests if the timeout of a request is shorter than the start time of the daemon using dbus activation.
The results of the D-Bus activation tests with firewalld are:
The mechanisms is working, but firewalld will not suspend as long as a consumer of the D-Bus interface of firewalld is active. To be more pecise: As long as there is a signal receiver for the firewalld D-Bus interface, firewalld will not suspend. This is the case for NetworkManager, firewall-applet and also firewall-config. The will most likely also be the case with configuration using a Cockpit plugin.
Result: This feature is of limited use is most environments.
> Result: This feature is of limited use is most environments.
What about in the case of a cloud server running NetworkManager in config-and-exit mode (or using systemd-networkd for network config)?
You say it's _likely_ that a Cockpit plugin would keep firewalld persistent; could it be carefully written so it doesn't?
As far as I know it is not possible to have a Cockpit plugin that is not keeping a D-Bus server in a persistent state. As soon as there is a signal receiver there is a consumer and the service should not suspend.
I did some more tests and it seems that this is not an issue nowadays anymore. I only notified issues by switching from one dbus implementation to another one. For example by switching from python-dbus to gdbus.
I will open a ticket for python-slip for deeper investigation.
Here is the submitted issue for python-slip: https://github.com/nphilipp/python-slip/issues/2
Bump, any chance we can get this priortised?
(In reply to Peter Robinson from comment #9)
> Bump, any chance we can get this priortised?
There is also a request upstream, but at the moment it's not a priority.