path: root/data/templates/firewall/nftables-policy.j2
author: zsdc <taras@vyos.io> 2023-10-04 01:57:33 +0300
committer: zsdc <taras@vyos.io> 2023-10-12 20:16:38 +0300
commit: e364e9813b6833f6b108e7177ef7ea2d9e7bac33
tree: e6a615b9ef3a23ce808751de6f02157bfd81f3d4 /data/templates/firewall/nftables-policy.j2
parent: e258edd76090f370ff0c0f88382d099d814d85f1
pmacct: T5232: Fixed pmacct service control via systemctl

pmacct daemons have one very important specific: they handle control signals in the same loop as packets. And waiting for packets is a blocking operation. Because of this, when systemctl sends SIGTERM to uacctd, this signal has no effect until uacctd receives at least one packet via nflog. In some cases, this leads to a 90-second timeout, sending SIGKILL, and improperly finished tasks. As a result, a working folder is not cleaned properly.

This commit contains several changes to fix service issues:
- add a new nftables table for pmacct with a single rule to get the ability to send a packet to nflog and unlock uacctd
- remove PID file options from the uacctd and a systemd service file. Systemd can detect the proper PID, and the PID file is created by uacctd too late, which leads to extra errors in systemd logs
- KillMode changed to mixed. Without this, SIGTERM is sent to all plugins and the core process exits with status 1 because it loses connection to plugins too early. As a result, we have errors in logs, and the systemd service is in a failed state.
- added logging to uacctd
- systemctl service modified to send packets to a specific address during a service stop, which unlocks uacctd and allows systemctl to finish its work properly

Diffstat (limited to 'data/templates/firewall/nftables-policy.j2')
0 files changed, 0 insertions, 0 deletions
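
The shutdown stall the commit message describes can be reproduced in isolation. The following is an added example, not code from pmacct or from this commit: it assumes a handler that only sets a flag, `SA_RESTART` semantics, a loopback UDP socket standing in for nflog, and a child process standing in for both `systemctl stop` and the wake-up packet; all names in it are hypothetical.

```c
/* Added illustration (not pmacct code): SIGTERM is noticed only after recv() returns. */
#define _DEFAULT_SOURCE
#include <arpa/inet.h>
#include <signal.h>
#include <stdio.h>
#include <sys/socket.h>
#include <sys/wait.h>
#include <time.h>
#include <unistd.h>

static volatile sig_atomic_t stop_requested;
static struct timespec sig_time;              /* when the handler ran */
static void on_term(int sig) {                /* handler only records the request */
    (void)sig;
    stop_requested = 1;
    clock_gettime(CLOCK_MONOTONIC, &sig_time);
}

/* Returns ms between SIGTERM delivery and loop exit, or -1 on setup error. */
long blocked_ms_after_sigterm(unsigned wake_delay_ms) {
    struct sockaddr_in addr = { .sin_family = AF_INET };
    struct sigaction sa = { .sa_handler = on_term, .sa_flags = SA_RESTART }, old;
    struct timespec done;
    socklen_t len = sizeof addr;
    char buf[64];
    int fd = socket(AF_INET, SOCK_DGRAM, 0);  /* assumption: stands in for nflog */
    addr.sin_addr.s_addr = htonl(INADDR_LOOPBACK);    /* port 0: kernel picks one */
    if (fd < 0 || bind(fd, (struct sockaddr *)&addr, len) < 0 ||
        getsockname(fd, (struct sockaddr *)&addr, &len) < 0) return -1;
    stop_requested = 0;
    sigaction(SIGTERM, &sa, &old);
    pid_t child = fork();
    if (child < 0) return -1;
    if (child == 0) {                         /* stands in for the service manager */
        usleep(50 * 1000);
        kill(getppid(), SIGTERM);             /* the stop request */
        usleep(wake_delay_ms * 1000);         /* the loop stays blocked meanwhile */
        sendto(fd, "x", 1, 0, (struct sockaddr *)&addr, len);  /* wake-up packet */
        _exit(0);
    }
    while (!stop_requested)                   /* flag is checked once per packet */
        if (recv(fd, buf, sizeof buf, 0) < 0) break;
    clock_gettime(CLOCK_MONOTONIC, &done);
    waitpid(child, NULL, 0);
    sigaction(SIGTERM, &old, NULL);           /* restore the previous disposition */
    close(fd);
    return (done.tv_sec - sig_time.tv_sec) * 1000L + (done.tv_nsec - sig_time.tv_nsec) / 1000000L;
}

int main(void) { printf("loop exited %ld ms after SIGTERM\n", blocked_ms_after_sigterm(300)); return 0; }
```

The returned delay tracks `wake_delay_ms`: the loop leaves only when a packet arrives, which is why a stop sequence that injects one packet lets the daemon exit before the service manager's timeout.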