On Fri, Dec 30, 2016 at 11:22:24AM -0500, Stephen Frost wrote:
> Package: ferm
> Version: 2.2-3
>
> Greetings,
>
> The ferm system allows the inclusion of other files, including those
> which might be outside of the /etc/ferm directory. When those files
> change and the user issues a 'reload', the ferm cache should be updated.
> This is not currently happening because the ferm cache system assumes
> that there is only a configuration change if a file in /etc/ferm has
> been changed, which is incomplete and incorrect.
>
> When a user issues a 'reload', the ferm system should regenerate the
> cache regardless of whether it believes there are changes or not; the user
> asked for a reload and checking whether files in /etc/ferm have changed is
> insufficient.
>
> A possible alternative might be to generate the output from ferm and
> compare it with the cache, but even in that case it's possible the user
> is issuing a reload because the *kernel* rules were changed and they
> wish for the ferm reload to correct the running kernel.
>
> In the end, if the user is asking for a reload, ferm should really just
> *do* it, anything else really isn't correct.
Another problem is that DNS names resolved via the resolve() function
are kept in the cache, so if an IP address changes, your ferm rules
are broken.
We should at least disable the cache by default (the performance benefit
is hardly measurable on today's hardware anyway).
Cheers,
Moritz
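As an added illustration of the two problems raised above (this is not ferm's code and not from either poster), the following check fingerprints every file reached through `@include`, wherever it lives, and refuses to treat the configuration as cacheable when `resolve()` is used. The `@include`/`resolve()` matching is a hypothetical minimal parser, and the directory layout in `demo()` is constructed.

```python
import hashlib
import os
import re
import tempfile

# Hypothetical minimal parser for the two ferm constructs this check cares about:
# @include "path"; (here: files only) and the resolve() function.
INCLUDE_RE = re.compile(r'@include\s+"([^"]+)"')
RESOLVE_RE = re.compile(r'\bresolve\(')

def collect_sources(path, seen=None):
    """Transitive set of config files reached from path via @include, not only under /etc/ferm."""
    seen = set() if seen is None else seen
    path = os.path.abspath(path)
    if path not in seen:
        seen.add(path)
        with open(path) as fh:
            text = fh.read()
        for inc in INCLUDE_RE.findall(text):
            # join() keeps absolute includes and resolves relative ones against this file
            collect_sources(os.path.join(os.path.dirname(path), inc), seen)
    return seen

def config_fingerprint(root):
    """Digest over path+content of every source, plus whether caching is sound at all."""
    h, cacheable = hashlib.sha256(), True
    for p in sorted(collect_sources(root)):
        with open(p, 'rb') as fh:
            data = fh.read()
        h.update(p.encode() + b'\0' + data + b'\0')
        # a resolve() answer can change while no file changes, so the output is not cacheable
        cacheable = cacheable and not RESOLVE_RE.search(data.decode('utf-8', 'replace'))
    return h.hexdigest(), cacheable

def write(path, text):
    with open(path, 'w') as fh:
        fh.write(text)

def demo():
    """Constructed layout: a root config under a fake /etc/ferm includes a file outside it."""
    tmp = tempfile.mkdtemp()
    etc, outside = os.path.join(tmp, 'etc/ferm'), os.path.join(tmp, 'srv/allow.conf')
    os.makedirs(etc); os.makedirs(os.path.dirname(outside))
    root = os.path.join(etc, 'ferm.conf')
    write(root, '@include "%s";\nchain INPUT saddr $ALLOW ACCEPT;\n' % outside)
    write(outside, '@def $ALLOW = (192.0.2.10);\n')
    before, _ = config_fingerprint(root)
    write(outside, '@def $ALLOW = (192.0.2.11);\n')   # only the outside file changes
    after, _ = config_fingerprint(root)
    write(outside, '@def $ALLOW = @resolve((host.example));\n')
    return before != after, config_fingerprint(root)[1]  # -> (True, False)
```

An mtime scan limited to /etc/ferm would report "no change" for the first edit and would happily cache the resolved address after the second.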