[systemd-devel] [PATCH] Add a network-pre.target to avoid firewall leaks

Lennart Poettering lennart at poettering.net
Tue Jun 10 10:44:40 PDT 2014


On Tue, 10.06.14 18:53, Lennart Poettering (lennart at poettering.net) wrote:

> On Fri, 06.06.14 12:53, Rusty Bird (rustybird at openmailbox.org) wrote:
> 
> Humm. I can't say I particularly like the idea, but I can't dismiss
> this either, I figure we have to do something like this.
> 
> However, if we do this, then this needs to be a "passive" target, see
> systemd.special(7), under "Special passive system units", and it should
> be documented in that section. "Passive" means it is pulled in by the
> units that implement a pre job, not by the units that implement the
> networking stack. This way it doesn't get added to the initial
> transaction unless there's actually some service that needs to be pulled
> in. See the man page for further discussion on this.

Hmm, after talking to Kay about this:

I figure we don't really need network-pre.target, as units that want to
run before the network is up should just use:

    Before=systemd-networkd.service basic.target

This is enough since network management services like
NM are normal services, and networkd is the exception in being available
from earliest boot on, including in the initrd. This means, that any
firewall service that wants to cover this must be an early-boot service
(i.e. DefaultDependencies=no), and thus ordering itself before networkd
and basic.target should suffice...

If one day there's another network management solution that is capable
of running this early during boot, then we can revisit this, but
otherwise, the ordering mentioned above should be enough, and generic
enough since it requires no explicit mentioning of units we wouldn't
ship with systemd anyway.

Hope that makes sense,

Lennart

-- 
Lennart Poettering, Red Hat
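An added example, not part of the thread and not systemd's own code: a firewall unit ordered the way the message describes (DefaultDependencies=no, Before=systemd-networkd.service basic.target), plus a small shell lint that checks a unit file for those preconditions. The unit name firewall-early.service, the ExecStart path /usr/local/sbin/firewall-load and the lint function names are assumptions for illustration. The caveat the lint enforces: a service that keeps DefaultDependencies=yes gets an implicit After=basic.target, so adding Before=basic.target to it creates an ordering cycle rather than an early-boot firewall.

```shell
#!/bin/sh
# Constructed example, not from the systemd-devel thread. The unit name
# firewall-early.service and /usr/local/sbin/firewall-load are assumptions.

# Write the recommended early-boot firewall unit to the path given as $1.
write_early_firewall_unit() {
    cat > "$1" <<'EOF'
[Unit]
Description=Load firewall rules before any network management starts
# Early-boot service: opt out of the implicit After=sysinit.target basic.target,
# otherwise Before=basic.target below would form an ordering cycle.
DefaultDependencies=no
# networkd is the only network manager that runs this early (including in the
# initrd); NM and friends are normal services, which all start after basic.target.
Before=systemd-networkd.service basic.target
# The rule set lives on the local filesystem.
After=local-fs.target
Conflicts=shutdown.target

[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/usr/local/sbin/firewall-load

[Install]
WantedBy=sysinit.target
EOF
}

# Print the value of key $2 in the [Unit] section of file $1 (last occurrence wins).
unit_key() {
    sed -n '/^\[Unit\]/,/^\[/{s/^'"$2"'=//p;}' "$1" | tail -n 1
}

# Lint: return 0 if the unit is an early-boot firewall ordered before networkd
# and basic.target, 1 otherwise; one line per problem found.
check_early_firewall_unit() {
    f="$1"; rc=0
    defdeps=$(unit_key "$f" DefaultDependencies)
    before=$(unit_key "$f" Before)
    after=$(unit_key "$f" After)
    case " $before " in
        *" systemd-networkd.service "*) ;;
        *) echo "$f: Before= does not list systemd-networkd.service"; rc=1 ;;
    esac
    case " $before " in
        *" basic.target "*) ;;
        *) echo "$f: Before= does not list basic.target"; rc=1 ;;
    esac
    # Without DefaultDependencies=no the unit gets an implicit After=basic.target,
    # which together with Before=basic.target is an ordering cycle.
    if [ "$defdeps" != "no" ]; then
        echo "$f: DefaultDependencies=no missing (implicit After=basic.target would cycle)"
        rc=1
    fi
    # An explicit After= on a network target contradicts the intent of the unit.
    case " $after " in
        *" network.target "*|*" network-online.target "*|*" basic.target "*)
            echo "$f: After= orders the unit after the network it is meant to precede"
            rc=1 ;;
    esac
    return $rc
}

# Stand-alone demo: ./firewall-unit-check.sh --demo
if [ "${1:-}" = "--demo" ]; then
    tmp=$(mktemp -d)
    write_early_firewall_unit "$tmp/firewall-early.service"
    check_early_firewall_unit "$tmp/firewall-early.service" && echo "ok: $tmp/firewall-early.service"
    rm -rf "$tmp"
fi
```

The lint only reads the [Unit] section, so a Before= or After= accidentally placed under [Service] is not counted; systemd would reject it as an unknown key there anyway. Once networkd is not the only early network manager, the Before= list is the one line that needs extending.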