[systemd-bugs] [Bug 79600] New: Add a network-pre.target to avoid firewall leaks

bugzilla-daemon at freedesktop.org
Tue Jun 3 10:24:55 PDT 2014


https://bugs.freedesktop.org/show_bug.cgi?id=79600

          Priority: medium
            Bug ID: 79600
          Assignee: systemd-bugs at lists.freedesktop.org
           Summary: Add a network-pre.target to avoid firewall leaks
        QA Contact: systemd-bugs at lists.freedesktop.org
          Severity: normal
    Classification: Unclassified
                OS: All
          Reporter: rustybird+freedesktop.org at openmailbox.org
          Hardware: All
            Status: NEW
           Version: unspecified
         Component: general
           Product: systemd

It looks like it's impossible to specify (in a cross-distro fashion) that a
service should start up before any network interface configuration *begins*.
(Before=network.target is too late.)

But such an ordering is essential for firewall services that need to avoid
leaks. I propose the following:

1. Ship an empty network-pre.target.

2. Add to systemd-networkd.service and network.target:

[Unit]
Requires=network-pre.target
After=network-pre.target

3. Document #2 as a convention for other network interface configuration
services to follow.

With this in place, a firewall service can finally do:

[Unit]
Before=network-pre.target
[Install]
RequiredBy=network-pre.target

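An added example, not part of the original bug report and not systemd code: a small checker that reads unit files, builds the Before=/After= ordering graph, and reports which network configuration units are not guaranteed to start after a given firewall unit. The unit contents are constructed from the proposal above; `firewall.service`, `legacy-firewall.service` and all function names are hypothetical.

```python
from collections import defaultdict

# Constructed unit files that follow the report's proposal (not real distro units).
UNITS = {
    "network-pre.target": "[Unit]\nDescription=Network (Pre)\n",
    "systemd-networkd.service": "[Unit]\nRequires=network-pre.target\nAfter=network-pre.target\n",
    "network.target": "[Unit]\nRequires=network-pre.target\nAfter=network-pre.target\n",
    "firewall.service": "[Unit]\nBefore=network-pre.target\n[Install]\nRequiredBy=network-pre.target\n",
    "legacy-firewall.service": "[Unit]\nBefore=network.target\n",  # hypothetical: orders too late
}

def parse_unit(text):
    """Return {(section, key): [values]}; list keys may repeat or be space-separated."""
    props, section = defaultdict(list), None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
        elif "=" in line and not line.startswith(("#", ";")):
            key, value = line.split("=", 1)
            props[(section, key.strip())] += value.split()
    return props

def ordering_edges(units):
    """Edges a -> b meaning 'a is started before b', taken from Before= and After=."""
    edges = defaultdict(set)
    for name, text in units.items():
        props = parse_unit(text)
        for later in props[("Unit", "Before")]:
            edges[name].add(later)
        for earlier in props[("Unit", "After")]:
            edges[earlier].add(name)
    return edges

def starts_before(edges, first, second):
    """True if the ordering graph forces `first` to start before `second`."""
    # Assumption: every unit on the path is part of the same boot transaction.
    stack, seen = [first], set()
    while stack:
        for nxt in edges.get(stack.pop(), ()):
            if nxt not in seen:
                seen.add(nxt)
                stack.append(nxt)
    return second in seen

def leak_window(units, firewall, configurators):
    """Network configuration units NOT guaranteed to start after the firewall."""
    edges = ordering_edges(units)
    return [c for c in configurators if not starts_before(edges, firewall, c)]
```

With the constructed units, `leak_window(UNITS, "legacy-firewall.service", ["systemd-networkd.service"])` reports systemd-networkd.service as unordered, which is the "Before=network.target is too late" case from the report.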