On Wed, 23 Sep 2015, Sven Hartge wrote:

> On 23.09.2015 13:20, Moritz Muehlenhoff wrote:
> > On Wed, Sep 23, 2015 at 01:22:25PM +0200, Sven Hartge wrote:
> >> On 23.09.2015 12:49, Moritz Muehlenhoff wrote:
> >>> On Wed, Sep 23, 2015 at 12:47:09PM +0200, Sven Hartge wrote:
> >>>>> - It doesn't abide options set in /etc/default/ferm
> >>>>
> >>>> As far as I understand the systemd way-of-things, simple default-files
> >>>> which just disable and enable a service are deprecated. One should just
> >>>> disable or enable the service directly.
> >>>
> >>> That's true for ENABLED, but we'd probably still need CACHE, OPTIONS and
> >>> FAST. They could be sourced via a "EnvironmentFile" directive.
> >>
> >> OPTIONS is easy, it can be included verbatim.
> >>
> >> But FAST is defined as either "yes" or "no" while the resulting option
> >> to ferm is "--fast" (or nothing as --fast is the default) or "--slow". I
> >> guess this would need some helper script or change the ExecStart and
> >> ExecReload lines to use "/bin/bash" to be able to manipulate variables.
> >>
> >> And CACHE is a whole different thing.
> >
> > OTOH maybe it's better to drop some historical cruft:
> >
> > - Is there any reason not to use FAST? It's the default since ferm 2.0
> >   and README.Debian warns about using it with Sarge's iptables :-)
>
> FAST is the default and _the_ selling point of ferm: being able to
> atomically replace the active rules. I personally only use --slow in
> combination with "--no-exec" and "--lines" if I need to debug some rule set.
>
> > - On today's hardware the performance gain by CACHE is hardly notable,
> >   while still carrying technical disadvantages (as mentioned in
> >   README.Debian). So maybe it's time to drop this at all.
>
> I just found some old notes of mine, warning myself of CACHE because of
> strange side effects like not properly applied new rules when the host
> system has an unreliable clock.
>
> So, removing support for CACHE and FAST and just retaining OPTIONS seems
> to be the best way forward.

I don't think we should remove support for it. no. Don't remove working features, just because your init system is too limited.

Alex
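
Added example, not part of the original message or of the ferm package: one way to write the helper script mentioned in the quoted discussion, mapping FAST=yes/no from /etc/default/ferm to ferm's --fast/--slow and passing OPTIONS through verbatim. The function name ferm_args and the default config path /etc/ferm/ferm.conf are assumptions; CACHE is not handled here.

```shell
#!/bin/sh
# Hypothetical helper for a ferm systemd unit (added example, not ferm's code).
# ferm_args DEFAULTS_FILE [CONFIG] prints the arguments to pass to ferm.
# A wrapper called from ExecStart/ExecReload could then run ferm with them.
ferm_args() {
    defaults=${1:-/etc/default/ferm}
    config=${2:-/etc/ferm/ferm.conf}   # assumed config location
    (
        # Defaults when the file is missing or leaves a variable unset.
        FAST=yes
        OPTIONS=

        # The defaults file is shell syntax and is executed when sourced,
        # so it must be writable by root only, like the unit itself.
        [ -r "$defaults" ] && . "$defaults"

        case "$FAST" in
            yes|"") mode= ;;          # --fast is ferm's default, pass nothing
            no)     mode=--slow ;;
            *)
                # Refuse to guess: a typo must not silently change how the
                # firewall rules are loaded.
                echo "ferm: FAST must be \"yes\" or \"no\", got \"$FAST\"" >&2
                exit 2
                ;;
        esac

        set -f                        # OPTIONS is word-split but never globbed
        set -- $mode $OPTIONS "$config"
        printf '%s\n' "$*"
    )
}
```

An unrecognised FAST value makes the function return status 2 with nothing on stdout, so a wrapper can fail the unit start instead of loading rules in an unintended mode.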

