linux-system-roles / firewall

Configure firewalld and system-config-firewall
https://linux-system-roles.github.io/firewall/
GNU General Public License v2.0

Document that replacing previous rules causes a brief block of all new connections #138

Closed myllynen closed 1 year ago

myllynen commented 1 year ago

When using previous: replaced, there's a small time window when the firewall is being reset and all new connections to the system are rejected. This should be at least documented if it is not feasible to avoid, as applying changes with this approach in production might cause temporary service failures during the operation. Thanks.

richm commented 1 year ago

> When using previous: replaced, there's a small time window when the firewall is being reset and all new connections to the system are rejected. This should be at least documented if it is not feasible to avoid, as applying changes with this approach in production might cause temporary service failures during the operation. Thanks.

@myllynen how about this? https://github.com/linux-system-roles/firewall/pull/141

@vrindle @erig0 Is it feasible to avoid this? How is using previous: replaced different than other firewalld tasks?

erig0 commented 1 year ago

> @erig0 Is it feasible to avoid this? How is using previous: replaced different than other firewalld tasks?

If the role is doing a --reload, then no.

During a firewalld reload, existing connections continue to pass traffic (accepted), but while the rules are reloading, new connections are denied (rejected). I don't think there is any way to avoid this. You certainly don't want to blindly accept packets during a reload.
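The behaviour described in this thread (existing connections survive the reload, new ones are rejected for a moment) is a property of firewalld itself, so the practical mitigation is operational: roll the change through hosts one at a time instead of reloading a whole fleet at once. The playbook below is an added example, not code from the role or from anyone in this thread; the `firewall` variable layout with a `previous: replaced` item followed by rule items follows the role's README as I understand it, and the host group name, the service list and the `serial` value are assumptions chosen for illustration.

```yaml
# Added example (not from the role): reset and rebuild the firewall
# configuration host by host so that only one node at a time sits in
# the brief "new connections rejected" window of the firewalld reload.
- name: Replace firewall rules one host at a time
  hosts: web_servers          # assumed inventory group
  become: true
  serial: 1                   # one host per batch; widen once the window is acceptable
  max_fail_percentage: 0      # stop the rollout if any host fails to converge
  roles:
    - linux-system-roles.firewall
  vars:
    firewall:
      # Drop every previously configured rule first. This is what triggers
      # the reload during which new connections are rejected (see above).
      - previous: replaced
      # Rules applied after the reset; existing established connections
      # keep passing while these are loaded.
      - service: https
        state: enabled
        permanent: true
      - service: ssh
        state: enabled
        permanent: true
```

With `serial: 1` the load balancer or clients see at most a single backend momentarily refusing new connections, and established sessions on that backend are unaffected, which matches the accept-existing / reject-new semantics erig0 describes.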

myllynen commented 1 year ago

The fix looks good, closing.