[systemd-devel] getty@.service.m4 and serial-getty@.service.m4

Ludwig Nussel ludwig.nussel at suse.de
Mon Nov 15 01:05:21 PST 2010


Lennart Poettering wrote:
> On Thu, 11.11.10 14:06, Andreas Jaeger (aj at novell.com) wrote:
> > On Thursday 11 November 2010 12:50:44 Kay Sievers wrote:
> > > [...]
> > > > Anyway, the point of this was only to have getty start late(ish) in
> > > > the boot process, after most of the other services that are pulled in
> > > > by multi-user.target. Maybe there is a better way to specify this, if
> > > > not everyone has rc.local?
> > > 
> > > Yeah, others asked for that too. So far, we don't really have a
> > > concept of 'late' or 'last' in systemd.
> > 
> > Yes, we had this in openSUSE as well: the $ALL target to have the firewall
> > called at the end so that it could handle services with dynamic ports.
> > For details see https://bugzilla.novell.com/show_bug.cgi?id=652608
> 
> Can't say I like this approach to firewalls. Matching against ports is a
> thing of the past. The firewall people should match against processes,
> that's the only remotely sensible thing and then all of this would not
> be necessary. 

You lost me here.

> I am really not a big fan of Suse's $ALL extension.

Making SuSEfirewall2 run last via $ALL mostly is a boot speed
optimization. The filtering rules (potentially) need to be adjusted
each time a network interface appears or if an RPC service like
ypbind or nfsd changes ports. SuSEfirewall2 can't do either
operation incrementally (yet). So if it's known beforehand that an
event would cause several SuSEfirewall2 calls it's better to block
all calls and only do one full run at the end. That's the case 
during boot and when calling rcnetwork restart.

cu
Ludwig

-- 
 (o_   Ludwig Nussel
 //\   
 V_/_  http://www.suse.de/
SUSE LINUX Products GmbH, GF: Markus Rex, HRB 16746 (AG Nuernberg)
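
The batching described in the message above, as an added sketch that is not part of the original post and is not SuSEfirewall2 code. Every function, variable and event name here is hypothetical, and the event sequence is constructed.

```shell
#!/bin/sh
# Added illustration: coalesce many "rebuild the rules" requests into one
# full run. Not SuSEfirewall2 code; all names below are hypothetical.

STATE_DIR=$(mktemp -d)          # constructed scratch state directory
HOLD="$STATE_DIR/hold"          # present while calls are blocked
PENDING="$STATE_DIR/pending"    # present if a call arrived during the hold
FULL_RUNS=0                     # number of full rule rebuilds performed

# Stand-in for the non-incremental, expensive full rule rebuild.
fw_full_run() {
    FULL_RUNS=$((FULL_RUNS + 1))
}

# Called on every event (an interface appears, an RPC service changes port).
fw_request() {
    if [ -e "$HOLD" ]; then
        : > "$PENDING"          # remember that a rebuild is owed, do nothing now
        return 0
    fi
    fw_full_run                 # outside a hold, every event costs a full run
}

# Start of a phase known to produce several events (boot, network restart).
fw_hold() {
    : > "$HOLD"
}

# End of the phase: exactly one rebuild if anything was requested meanwhile.
fw_release() {
    rm -f "$HOLD"
    if [ -e "$PENDING" ]; then
        rm -f "$PENDING"
        fw_full_run
    fi
}

# Constructed boot sequence: four events while calls are blocked.
simulate_boot() {
    fw_hold
    for ev in eth0-up wlan0-up ypbind-port nfsd-port; do
        fw_request "$ev"
    done
    fw_release
}

simulate_boot
echo "events: 4, full runs: $FULL_RUNS"
```

In this sketch the rules in force between `fw_hold` and `fw_release` are whatever was loaded before the hold began, since nothing is rebuilt until the release.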

