On Sun, Feb 18, 2018 at 01:10:44PM -0500, Chris Laprise wrote:
> I'm thinking about posting a PR to have qubes-firewall raise errors whenever
> a firewall script from qubes-firewall-user-script or qubes-firewall.d
> returns an error code.
>
> The object is to provide a way to make the qubes-firewall service fail when
> firewall scripts encounter an error. On failure, the result would be that
> forwarding (or networking) is disabled and any units bound to qubes-firewall
> would not run.
>
> Default behavior would be little different than it is now, given that shell
> scripts are fault-tolerant. But script authors will have the option of using
> "set -e" or "exit 1" etc. so the service goes into a failed state.
Problems like a crashed qubes-firewall are very annoying and it isn't easy to
find where such a service has crashed. Also, a script exiting with a non-zero
code can happen for various reasons, including misusing
"[ condition ] && action" syntax. I've seen far too many errors like that.

But if the script author knows what he/she is doing, having the option to fail
closed is a good idea. What about choosing an exit code that would cause the
effect you propose? And let that not be 1. This could allow both: fail closed
for a conscious user, and harder to break the setup by a stupid error.

The idea is inspired by the Restart*ExitStatus= settings of systemd.service
and git bisect run.

-- 
Best Regards,
Marek Marczykowski-Górecki
Invisible Things Lab
A: Because it messes up the order in which people normally read text.
Q: Why is top-posting such a bad thing?
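The reserved-exit-code idea from the reply above, sketched as an added example (not part of the original message and not qubes-firewall's code). The function names, the value 78 and the sample scripts are assumptions constructed for illustration; the thread does not pick a value.

```shell
#!/bin/sh
# Added example: hypothetical runner, not the qubes-firewall implementation.
FAIL_CLOSED_CODE=78   # assumption: arbitrary reserved value, deliberately not 1

# Run one user script. Returns 1 only when the script asked to fail closed.
run_user_script() {
    rc=0
    sh "$1" || rc=$?          # "|| rc=$?" keeps this safe under set -e
    if [ "$rc" -eq "$FAIL_CLOSED_CODE" ]; then
        echo "fail closed: $1 exited $rc" >&2
        return 1
    elif [ "$rc" -ne 0 ]; then
        echo "warning: $1 exited $rc, continuing" >&2
    fi
    return 0
}

# Run every *.sh in a directory; stop at the first fail-closed request.
run_firewall_dir() {
    for s in "$1"/*.sh; do
        [ -f "$s" ] || continue   # safe form: "||" list is 0 when the test is true
        run_user_script "$s" || return 1
    done
    return 0
}

# Constructed sample scripts written into directory $1.
make_samples() {
    # Accidental failure: the test is false, so the "&&" list is the
    # script's last command and its status (1) becomes the exit code.
    cat > "$1/accidental.sh" <<'EOF'
[ -e /nonexistent/optional.conf ] && echo "applying optional rule"
EOF
    # Deliberate failure: the author opts in to fail closed.
    cat > "$1/deliberate.sh" <<EOF
echo "required rule could not be applied" >&2
exit $FAIL_CLOSED_CODE
EOF
    # Same test as accidental.sh, but the script states its own result.
    cat > "$1/ok.sh" <<'EOF'
[ -e /nonexistent/optional.conf ] && echo "applying optional rule"
exit 0
EOF
}
```

In a real service, the caller would map a return of 1 from `run_firewall_dir` to the failed state Chris describes, while the accidental exit 1 only produces a warning.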
