Hey experts. Perhaps you could help me with the following. What I'd basically like to have is a way to stop/restart (but not start) other units along with the "current" unit.

Example: Consider services like fail2ban, which e.g. somehow hook into iptables rules. The default of fail2ban does that very simply, i.e. it simply appends/removes its own rule to/from INPUT and expects that this will work out as expected. Of course it doesn't necessarily do so, depending on how complex one's other rules are laid out (respectively which paradigms they follow).

A solution to that is that one adds a dummy hook rule to the iptables rules file (as e.g. loaded by netfilter-persistent) like this:

    -A INPUT --in-interface lo -m comment --comment "f2b-hook-sshd"

When one has a

    -A INPUT --in-interface lo -j ACCEPT

rule at the very beginning, the former rule doesn't even change the counters or cost further performance. Now one just needs to modify fail2ban's action config to look for and replace exactly that hook rule at start, and to put it back at stop.

Whether one has such a special hook or whether one uses the default way, one problem remains: if one restarts/reloads/stops/starts netfilter-persistent (and thus loads the rules) while fail2ban already runs, things get mangled up more or less badly (more badly when using the hook rule way).

So what I'm basically looking for would be a way to configure that e.g. every time netfilter-persistent is stopped, fail2ban is stopped as well, and when it's restarted, fail2ban is restarted as well (obviously in the correct order, like stop fail2ban, stop netfilter-persistent, start netfilter-persistent, start fail2ban). It should however NOT happen when netfilter-persistent is started - just at stop/restart.

Is that possible? Moreover, is it possible in a generic way, by which I mean ideally both of the two:
- one can code that into e.g. the netfilter-persistent unit file, and things still work even if fail2ban is not installed (so that this could be distributed as default in Debian)
- make it generic for n other tools like fail2ban and m other packages providing firewall-rules-loading functionality (shorewall, etc.), i.e. it would be great if one could e.g. say "bind fail2ban to <firewall-loading-tool>" instead of "bind fail2ban to netfilter-persistent", so when someone uses another package for that (e.g. shorewall), and if that announces itself as "I'm also a firewall-loading-tool", it would somehow automagically work for that as well.

I know that network-pre.target exists, but that's IMHO so badly designed and defined that it probably cannot serve this purpose. :-(

Thanks,
Chris.
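The hook-rule trick described in the post, worked through as an added example (this is not code from the post, from fail2ban or from netfilter-persistent). The script finds the hook rule's position in the live INPUT chain and replaces it in place at start, then puts the inert hook back at stop, so the jump lands exactly where the rules file placed it instead of being appended to the end. The comment tag f2b-hook-sshd is taken from the post; the chain name f2b-sshd, the port-22 match, and the script path are assumptions. The sample chain dump embedded below is constructed so the position lookup can be exercised without iptables.

```shell
#!/bin/sh
# Added example, not code from the post or from fail2ban. Implements
# "replace the hook rule at start, put it back at stop" for a fail2ban action.
# Assumed names: chain f2b-sshd, hook comment f2b-hook-sshd (from the post),
# and a hook rule of the shape  -A INPUT -i lo -m comment --comment "f2b-hook-sshd"
set -eu

HOOK="${HOOK:-f2b-hook-sshd}"
CHAIN="${CHAIN:-f2b-sshd}"

# hook_position CHAIN_DUMP TAG
# Given the output of `iptables -S INPUT`, print the 1-based rule position
# (as iptables -I/-R/-D count: -A lines only, the -P policy line is not a
# rule) of the first rule whose comment equals TAG. Prints nothing when the
# hook is absent. The tag must contain no whitespace; iptables may print the
# comment quoted, so quotes are stripped before comparing.
hook_position() {
  printf '%s\n' "$1" | awk -v tag="$2" '
    $1 == "-A" {
      n++
      for (i = 1; i < NF; i++)
        if ($i == "--comment") {
          v = $(i + 1); gsub(/"/, "", v)
          if (v == tag) { print n; exit }
        }
    }'
}

# Swap the hook for the jump into the fail2ban chain, at the hook's position,
# keeping the comment so the rule stays findable for actionstop.
actionstart() {
  pos=$(hook_position "$(iptables -S INPUT)" "$HOOK")
  [ -n "$pos" ] || { echo "hook rule $HOOK not found in INPUT" >&2; return 1; }
  iptables -N "$CHAIN"
  iptables -A "$CHAIN" -j RETURN
  iptables -R INPUT "$pos" -p tcp --dport 22 -m comment --comment "$HOOK" -j "$CHAIN"
}

# Put the inert hook back where the jump was, then drop the chain.
actionstop() {
  pos=$(hook_position "$(iptables -S INPUT)" "$HOOK")
  [ -n "$pos" ] || { echo "hook rule $HOOK not found in INPUT" >&2; return 1; }
  iptables -R INPUT "$pos" -i lo -m comment --comment "$HOOK"
  iptables -F "$CHAIN"
  iptables -X "$CHAIN"
}

# Constructed sample of `iptables -S INPUT` output, for offline use only.
SAMPLE_DUMP='-P INPUT ACCEPT
-A INPUT -i lo -j ACCEPT
-A INPUT -i lo -m comment --comment "f2b-hook-sshd"
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT'

case "${1:-}" in
  start) actionstart ;;
  stop)  actionstop ;;
  demo)  hook_position "$SAMPLE_DUMP" "$HOOK" ;;   # prints 2
esac
```

A fail2ban action file would then point its actionstart and actionstop keys at this script with the start and stop arguments. Because the jump rule keeps the same comment, a second actionstart after a crash still finds the slot; a rules reload that drops the jump (the mangling the post describes) leaves the hook missing, which the scripts report instead of appending blindly.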
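The stop/restart-but-not-start coupling the post asks for is what systemd's PartOf= dependency provides, shown here as an added example (not from the post or from the Debian packages). PartOf= is one-way: stop and restart jobs on the listed units are propagated to the unit carrying the setting, start jobs are not, and listed units that are not installed are simply ignored, so the same drop-in is valid whether or not a given loader is present. The unit names fail2ban.service, netfilter-persistent.service and shorewall.service and the drop-in file name firewall-loader.conf are assumptions.

```shell
#!/bin/sh
# Added example, not from the post or from the Debian packages. Writes a
# systemd drop-in for fail2ban.service that makes it stop/restart together
# with the firewall loader(s) but never start with them.
# Assumed names: fail2ban.service, netfilter-persistent.service,
# shorewall.service, drop-in file name firewall-loader.conf.
set -eu

ROOT="${ROOT:-}"   # e.g. ROOT=/tmp/stage to preview without touching the system
UNIT="fail2ban.service"
LOADERS="${LOADERS:-netfilter-persistent.service shorewall.service}"

dropin_path() { printf '%s\n' "$ROOT/etc/systemd/system/$UNIT.d/firewall-loader.conf"; }

# PartOf= propagates stop and restart (not start) from each loader to
# fail2ban. After= gives the order the post wants on a loader restart:
# stop fail2ban, stop loader, start loader, start fail2ban, so fail2ban
# re-inserts its rules into the freshly loaded rule set.
render_dropin() {
  cat <<EOF
[Unit]
PartOf=$LOADERS
After=$LOADERS
EOF
}

install_dropin() {
  mkdir -p "$(dirname "$(dropin_path)")"
  render_dropin > "$(dropin_path)"
}

case "${1:-}" in
  install) install_dropin; echo "wrote $(dropin_path); now run: systemctl daemon-reload" ;;
  show)    render_dropin ;;
esac
```

After daemon-reload, `systemctl show -p ConsistsOf netfilter-persistent.service` lists fail2ban.service, confirming the reverse edge, and `systemctl restart netfilter-persistent` then restarts fail2ban while `systemctl start netfilter-persistent` leaves it alone. Drop-in list settings accumulate, so each additional loader package can contribute its own file under fail2ban.service.d naming its unit rather than editing one shared file.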
Pkg-systemd-maintainers mailing list [email protected] http://lists.alioth.debian.org/cgi-bin/mailman/listinfo/pkg-systemd-maintainers
