[systemd-devel] [PATCH] Add a network-pre.target to avoid firewall leaks

Lennart Poettering lennart at poettering.net
Wed Jun 11 03:24:17 PDT 2014


On Tue, 10.06.14 22:16, Michael Biebl (mbiebl at gmail.com) wrote:

> 
> 2014-06-10 19:44 GMT+02:00 Lennart Poettering <lennart at poettering.net>:
> > I figure we don't really need network-pre.target, as units that want to
> > run before the network is up should just use:
> >
> >     Before=systemd-networkd.service basic.target
> >
> > This is enough since network management services like
> > NM are normal services, and networkd is the exception in being available
> > from earliest boot on, including in the initrd. This means, that any
> > firewall service that wants to cover this must be an early-boot service
> > (i.e. DefaultDependencies=no), and thus ordering itself before networkd
> > and basic.target should suffice...
> >
> > If one day there's another network management solution that is capable
> > of running this early during boot, then we can revisit this, but
> > otherwise, the ordering mentioned above should be above, and generic
> > enough since it requires no explicit mentioning of units we wouldn't
> > ship with systemd anyway.
> 
> Debian's ifupdown does run during early boot, i.e. in sysinit.target.

Hmm.. OK. OK.

I added this now, with a different patch, and made it a passive unit as
discussed. I have also changed systemd-networkd to make use of it
properly. Somebody should update the other network management services
too like this I figure...

I have also updated 

http://www.freedesktop.org/wiki/Software/systemd/NetworkTarget/

to describe the entire new behaviour we have now in place. It would be
great if somebody could proof-read that (and fix typos immediately,
though I am mostly interested in technical feedback).

Hope this settles this topic!

Lennart

-- 
Lennart Poettering, Red Hat
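
An added example, not part of the original message or of systemd: a small check for the ordering this thread settles on, where a firewall unit both orders itself Before=network-pre.target and pulls the passive target in with Wants=. The two sample units, the ExecStart path and the function names are constructed for illustration.

```python
# Added example (not from the thread): audit unit-file text for the
# network-pre.target ordering. Both sample units below are constructed.
PRE = "network-pre.target"

FIREWALL_OK = """\
[Unit]
Description=Constructed sample firewall loader
Wants=network-pre.target
Before=network-pre.target
[Service]
Type=oneshot
ExecStart=/usr/local/sbin/load-rules
"""

FIREWALL_LEAKY = """\
[Unit]
Description=Constructed sample firewall loader, ordered too late
After=network.target
[Service]
Type=oneshot
ExecStart=/usr/local/sbin/load-rules
"""

def unit_deps(text):
    """Return {key: set of space-separated values} for the [Unit] section."""
    deps, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif section == "Unit" and "=" in line:
            key, value = line.split("=", 1)
            deps.setdefault(key.strip(), set()).update(value.split())
    return deps

def audit_firewall(text):
    """List reasons the unit may start after interfaces are configured."""
    d, problems = unit_deps(text), []
    if PRE not in d.get("Before", set()):
        problems.append("no Before=" + PRE)
    if PRE not in d.get("Wants", set()):
        problems.append("no Wants=" + PRE + " (passive target is never pulled in)")
    late = d.get("After", set()) & {"network.target", "network-online.target"}
    if late:
        problems.append("ordered After=" + " ".join(sorted(late)))
    return problems
```

An empty list from audit_firewall() means the unit text carries both directives; it does not confirm that the network management service on the host orders itself After=network-pre.target.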

