stop/restart units along with others

Christoph Anton Mitterer calestyo at scientia.net
Thu Jun 4 22:13:16 BST 2015


Hey experts.

Perhaps you could help me with the following.
What I'd basically like to have is a way to stop/restart (but not start)
other units along with the "current" unit.


Example:

Consider services like fail2ban, which e.g. somehow hook into
iptables rules.

The default of fail2ban does that very simply, i.e. it simply
appends/removes its own rule to INPUT and expects that this will work
out as expected.
Of course it doesn't necessarily do so, depending on how complex one's
other rules are laid out (respectively which paradigms they follow).
A solution to that is that one adds a dummy hook rule to the iptables
rules file (as e.g. loaded by netfilter-persistent) like this:
-A INPUT --in-interface lo  -m comment  --comment "f2b-hook-sshd"
When one has a:
-A INPUT --in-interface lo -j ACCEPT
rule in the very beginning, the former rule doesn't even change the
counters or cost further performance.
Now one just needs to modify fail2ban's action config, to look for and
replace exactly that hook rule at start, and replace it back at stop.

Whether one has such a special hook or uses the default way, one
problem remains:
If one restarts/reloads/stops/starts netfilter-persistent (and thus
loads the rules) while fail2ban already runs... things get mangled up
more or less badly (more badly when using the hook rule way).


So what I'm basically looking for would be a way to configure that,
e.g., every time netfilter-persistent is stopped, fail2ban is as well, and
when it's restarted fail2ban is as well (obviously in the correct order,
like stop fail2ban, stop netfilter-persistent, start
netfilter-persistent, start fail2ban).
It should however NOT happen, when netfilter-persistent is started -
just at stop/restart.


Is that possible?

Moreover, is it possible in a generic way, by which I mean ideally both
of the following:
- one can code that into e.g. the netfilter-persistent unit file, and
  things still work, even if fail2ban is not installed (so that this
  could be distributed as default in debian)
- make it generic for n other tools like fail2ban and m other packages
  providing firewall-rules-loading functionality (shorewall, etc.),
  i.e. it would be great if one could e.g. say "bind fail2ban to
  <firewall-loading-tool>" instead of "bind fail2ban to
  netfilter-persistent", so when someone uses another package for
  that (e.g. shorewall), and if that announces itself as "I'm also a
  firewall-loading-tool", it would somehow automagically work for that
  as well.
  I know that network-pre.target exists, but that's IMHO so badly
  designed and defined that it probably cannot serve this purpose. :-(


Thanks,
Chris.
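One way to express the stop/restart-only coupling asked for above with systemd's own dependency types, as an added example that is not part of the post or of the fail2ban or netfilter-persistent packages. It assumes the Debian unit names fail2ban.service and netfilter-persistent.service and a drop-in path chosen for this example; because the drop-in lives on the fail2ban side, netfilter-persistent.service needs no change and nothing breaks when fail2ban is not installed.

```ini
# /etc/systemd/system/fail2ban.service.d/netfilter-persistent.conf
# Drop-in for fail2ban.service (constructed example; the path and the
# unit names are assumptions, verify them with
# `systemctl cat fail2ban.service` and `systemctl cat netfilter-persistent.service`).
[Unit]
# PartOf= propagates a *stop* or *restart* of netfilter-persistent.service
# to fail2ban.service, but never a *start*: starting netfilter-persistent
# on its own leaves fail2ban untouched, which is exactly the asymmetry
# requested. It is one-way, so stopping fail2ban does not touch the
# firewall rules.
PartOf=netfilter-persistent.service

# After= only orders the two units and pulls nothing in. Since shutdown
# ordering is the reverse of startup ordering, a restart of
# netfilter-persistent runs as: stop fail2ban, stop netfilter-persistent,
# start netfilter-persistent, start fail2ban, so the hook rule is back
# in place before fail2ban looks for it.
After=netfilter-persistent.service
```

After `systemctl daemon-reload`, `systemctl show -p PartOf -p After fail2ban.service` confirms the dependency, and `systemctl restart netfilter-persistent.service` followed by `journalctl -u fail2ban` shows fail2ban being stopped and started around it. The generic "bind to <firewall-loading-tool>" case is not covered here; it would need an agreed-upon target unit that every rules-loading package participates in.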