[systemd-devel] [PATCH v2] Add a network-pre.target to avoid firewall leaks
Rusty Bird
rustybird at openmailbox.org
Sat Jun 7 03:27:52 PDT 2014
https://bugs.freedesktop.org/show_bug.cgi?id=79600
---
Makefile.am | 1 +
man/network-pre.target.xml | 82 +++++++++++++++++++++++++++++++++++++++
units/network-pre.target | 11 ++++++
units/network.target | 8 ++++
units/systemd-networkd.service.in | 3 +-
5 files changed, 104 insertions(+), 1 deletion(-)
create mode 100644 man/network-pre.target.xml
create mode 100644 units/network-pre.target
diff --git a/Makefile.am b/Makefile.am
index a2a01d0..79adc34 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -413,6 +413,7 @@ dist_systemunit_DATA = \
units/remote-fs.target \
units/remote-fs-pre.target \
units/network.target \
+ units/network-pre.target \
units/network-online.target \
units/nss-lookup.target \
units/nss-user-lookup.target \
diff --git a/man/network-pre.target.xml b/man/network-pre.target.xml
new file mode 100644
index 0000000..db52b33
--- /dev/null
+++ b/man/network-pre.target.xml
@@ -0,0 +1,82 @@
+<?xml version='1.0'?> <!--*-nxml-*-->
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
+ "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
+
+<!--
+ This file is part of systemd.
+
+ Copyright 2014 Tom Gundersen
+
+ systemd is free software; you can redistribute it and/or modify it
+ under the terms of the GNU Lesser General Public License as published by
+ the Free Software Foundation; either version 2.1 of the License, or
+ (at your option) any later version.
+
+ systemd is distributed in the hope that it will be useful, but
+ WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ Lesser General Public License for more details.
+
+ You should have received a copy of the GNU Lesser General Public License
+ along with systemd; If not, see <http://www.gnu.org/licenses/>.
+-->
+
+<refentry id="network-pre.target">
+
+ <refentryinfo>
+ <title>network-pre.target</title>
+ <productname>systemd</productname>
+
+ <authorgroup>
+ <author>
+ <contrib>Developer</contrib>
+ <firstname>Rusty</firstname>
+ <surname>Bird</surname>
+ <email>rustybird at openmailbox.org</email>
+ </author>
+ </authorgroup>
+ </refentryinfo>
+
+ <refmeta>
+ <refentrytitle>network-pre.target</refentrytitle>
+ <manvolnum>8</manvolnum>
+ </refmeta>
+
+ <refnamediv>
+ <refname>network-pre.target</refname>
+ <refpurpose>Network interface configuration has not yet begun</refpurpose>
+ </refnamediv>
+
+ <refsect1>
+ <title>Description</title>
+
+ <para><varname>network-pre.target</varname> is a systemd target intended to be
+ activated before any network interface configuration begins.</para>
+ </refsect1>
+
+ <refsect1>
+ <title>Usage</title>
+
+ <para>Network interface configuration services must <varname>Require=</varname>,
+ and order themselves <varname>After=</varname>, <varname>network-pre.target</varname>.</para>
+
+ <para>Firewall services should order themselves <varname>Before=</varname>, and
+ declare a <varname>RequiredBy=</varname> relation to, <varname>network-pre.target</varname>.
+ Once enabled, their failure to start will impede network communication, avoiding
+ dangerous leaks.</para>
+
+ <para>(These usages are compatible with older versions of systemd that do not ship
+ <varname>network-pre.target</varname>, because relations to missing units are
+ dropped.)</para>
+ </refsect1>
+
+ <refsect1>
+ <title>See Also</title>
+ <para>
+ <citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
+ <citerefentry><refentrytitle>systemd.target</refentrytitle><manvolnum>5</manvolnum></citerefentry>
+ <citerefentry><refentrytitle>systemd.unit</refentrytitle><manvolnum>5</manvolnum></citerefentry>
+ </para>
+ </refsect1>
+
+</refentry>
diff --git a/units/network-pre.target b/units/network-pre.target
new file mode 100644
index 0000000..0d4d363
--- /dev/null
+++ b/units/network-pre.target
@@ -0,0 +1,11 @@
+# This file is part of systemd.
+#
+# systemd is free software; you can redistribute it and/or modify it
+# under the terms of the GNU Lesser General Public License as published by
+# the Free Software Foundation; either version 2.1 of the License, or
+# (at your option) any later version.
+
+[Unit]
+Description=Network (Pre)
+Documentation=man:network-pre.target(8)
+RefuseManualStart=yes
diff --git a/units/network.target b/units/network.target
index 65fc64b..b80a8cc 100644
--- a/units/network.target
+++ b/units/network.target
@@ -9,3 +9,11 @@
Description=Network
Documentation=man:systemd.special(7)
Documentation=http://www.freedesktop.org/wiki/Software/systemd/NetworkTarget
+
+# There are probably a lot of old, home grown network interface configuration
+# services out there that do not behave according to network-pre.target(8).
+# In those setups, systemd may be unable to impede the network if a firewall
+# service fails. So then at least block a subset of network consumers (those
+# with Requires=network.target) and reduce the quantity of leaks.
+Requires=network-pre.target
+After=network-pre.target
diff --git a/units/systemd-networkd.service.in b/units/systemd-networkd.service.in
index 373ac4e..8e4d213 100644
--- a/units/systemd-networkd.service.in
+++ b/units/systemd-networkd.service.in
@@ -9,8 +9,9 @@
Description=Network Service
Documentation=man:systemd-networkd.service(8)
DefaultDependencies=no
-After=dbus.service
+After=dbus.service network-pre.target
Before=network.target
+Requires=network-pre.target
Wants=network.target
ConditionCapability=CAP_NET_ADMIN
--
2.0.0
-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 801 bytes
Desc: OpenPGP digital signature
URL: <http://lists.freedesktop.org/archives/systemd-devel/attachments/20140607/0d7e1746/attachment-0001.sig>
More information about the systemd-devel
mailing list