Closed adrelanos closed 8 years ago
Should we really remove the CORRIDOR_FILTER chain on shutdown? Doing so seems harmless (corridor-stop-forwarding sets net.ipv4.ip_forward=0 first), still looks a little weird though.
Oh I think I remember what you're referring to. My understanding is that DefaultDependencies=no does not mean you should necessarily use these directives, however, if you want such a service to be stopped on shutdown, then you should use both Before and Conflicts (not just one of the two).
netfilter-persistent solves this by not unloading iptables rules by making a difference between:
(Should not be an issue anyhow since networking would be systemd stopped before the firewall.)
It's rather minor. What does systemd do if services are still running after shutdown.target was reached? Does it force stop them? Does that slow down shutdown (waiting for timeouts) or otherwise have adverse effects?
Using Before=shutdown.target Conflicts=shutdown.target seems more correct, since it avoids the above.
What does systemd do if services are still running after shutdown.target was reached? Does it force stop them?
It sounds like the services remain active. Not sure if leftover child processes get killed, but that's not an issue with oneshot services.
Closing this, but please reopen if you find that not having {Conflicts,Before}=shutdown.target causes slowdowns or other problems.
When using DefaultDependencies=No, also should be used. (I learned that from you, @rustybird, I think.)
https://github.com/rustybird/corridor/blob/master/systemd/corridor-init-forwarding.service.in
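As an added example (not code from corridor or from anyone in this thread), a small shell check for the convention discussed above: it flags a unit file that sets DefaultDependencies=no without both Conflicts=shutdown.target and Before=shutdown.target. The function names and the sample unit are constructed for illustration, and the check assumes plain unit files (drop-ins and line continuations are not merged).

```shell
#!/bin/sh
# Added example, not part of corridor: flag systemd unit files that set
# DefaultDependencies=no but do not order themselves against shutdown.target.
# Assumption: plain unit files; drop-ins and line continuations are not merged.

# unit_values FILE KEY: print the effective value(s) of KEY in the [Unit]
# section on one line. An empty assignment ("Key=") resets the list.
unit_values() {
    awk -v key="$2" '
        /^[ \t]*\[/ { in_unit = ($0 ~ /^[ \t]*\[Unit\][ \t]*$/); next }
        !in_unit || /^[ \t]*[#;]/ { next }
        {
            eq = index($0, "=")
            if (eq == 0) next
            k = substr($0, 1, eq - 1); v = substr($0, eq + 1)
            gsub(/^[ \t]+|[ \t]+$/, "", k)
            gsub(/^[ \t]+|[ \t]+$/, "", v); gsub(/[ \t]+/, " ", v)
            if (k != key) next
            acc = (v == "") ? "" : (acc " " v)
        }
        END { print acc }
    ' "$1"
}

# check_unit FILE: return 1 and print one line per missing directive.
check_unit() {
    # For a boolean the last assignment wins; systemd parses it case-insensitively.
    dd=$(unit_values "$1" DefaultDependencies | awk '{ print tolower($NF) }')
    case "$dd" in no|false|off|0) ;; *) return 0 ;; esac
    rc=0
    for key in Conflicts Before; do
        case " $(unit_values "$1" "$key") " in
            *" shutdown.target "*) ;;
            *) echo "$1: DefaultDependencies=$dd but no $key=shutdown.target"
               rc=1 ;;
        esac
    done
    return "$rc"
}

# Constructed sample: a oneshot firewall-style unit that omits Conflicts=.
sample=$(mktemp)
printf '%s\n' '[Unit]' 'DefaultDependencies=No' \
    'Before=network-pre.target shutdown.target' \
    '[Service]' 'Type=oneshot' 'RemainAfterExit=yes' 'ExecStart=/bin/true' > "$sample"
check_unit "$sample" || echo "sample unit needs fixing"
rm -f "$sample"
```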