[systemd-devel] [PATCH v2] Add a network-pre.target to avoid firewall leaks
Zbigniew Jędrzejewski-Szmek
zbyszek at in.waw.pl
Sat Jun 7 14:35:25 PDT 2014
Hi,
we *might* want to add a target like this. People often have things
which they want to do before network is configured and it would be a
convenient hook for them. But the reasons should be made
clearer. Currently my iptables.service has Before=basic.target. Why
is doing something like that not enough?
If it is added, the documentation for the target should be added to
systemd.special(7); we don't want to have a separate man page for every
target. Also, Description= is part of the documentation, and it should
be changed to something meaningful.
> + <refsect1>
> + <title>Usage</title>
> +
> + <para>Network interface configuration services must <varname>Require=</varname>,
> + and order themselves <varname>After=</varname>, <varname>network-pre.target</varname>.</para>
> +
> + <para>Firewall services should order themselves <varname>Before=</varname>, and
> + declare a <varname>RequiredBy=</varname> relation to, <varname>network-pre.target</varname>.
> + Once enabled, their failure to start will impede network communication, avoiding
> + dangerous leaks.</para>
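Review bot: `<varname>Require=</varname>` in the first paragraph is not a systemd directive; the dependency directive is `Requires=`, so this should read `<varname>Requires=</varname>`. The second paragraph should also state that `RequiredBy=` goes in the firewall service's [Install] section, since that is what the "Once enabled" condition refers to; as written, a reader may put it in [Unit], where it is not valid.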
"dangerous leaks" is unclear and imprecise.
> + <para>(These usages are compatible with older versions of systemd that do not ship
> + <varname>network-pre.target</varname>, because relations to missing units are
> + dropped.)</para>
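Review bot: the compatibility claim in this paragraph holds only for Wants= and for After=/Before= ordering, which systemd drops silently when the referenced unit does not exist; a Requires= on a missing unit prevents the requiring unit from starting. Since the preceding paragraph tells network interface configuration services to use Requires=, either that paragraph should recommend Wants= or this compatibility note should be removed.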
This is not true. Require=network-pre.target will prevent a service
from being started if the network-pre.target unit is not present.
> +[Unit]
> +Description=Network (Pre)
> +Documentation=man:network-pre.target(8)
> +RefuseManualStart=yes
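Review bot: `Documentation=man:network-pre.target(8)` points at a section-8 man page for a target; special targets are documented in systemd.special(7), so this should become `Documentation=man:systemd.special(7)` once the target is described there. `Description=Network (Pre)` should also be expanded to say what the target marks, because the description is what appears in boot logs and `systemctl` output.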
Why?
Zbyszek
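An added example, not part of the patch or of this reply: a firewall unit written the way the quoted Usage section describes, ordered Before= network-pre.target, with the Requires= form the reply objects to shown as a comment beside the Wants= form that also loads on a systemd which does not ship network-pre.target. The iptables-restore path and the rules file location are assumptions made for this example.

```ini
# /etc/systemd/system/firewall.service  (added example, not from the patch)
[Unit]
Description=Load iptables rules before network interfaces are configured

# Weak form, as the patch's Usage section suggests:
#   Requires=network-pre.target
# On a systemd without network-pre.target this makes firewall.service fail
# to start, because a Requires= on a missing unit is not dropped.
# Wants= expresses the same pull-in and is silently dropped if the target
# is absent, so the service still starts there.
Wants=network-pre.target
Before=network-pre.target

[Service]
Type=oneshot
# Stay "active" after the rules are loaded so ordering dependencies hold
# for the whole boot rather than only for the duration of the command.
RemainAfterExit=yes
# Assumed paths for this example: iptables-restore from the iptables
# package and a rules file saved with iptables-save.
ExecStart=/sbin/iptables-restore /etc/iptables/rules.v4

[Install]
WantedBy=multi-user.target
# As the Usage section proposes: when enabled, network-pre.target requires
# this unit, so a failure to load the rules blocks the target.
RequiredBy=network-pre.target
```

With this unit, a network configuration service that declares After=network-pre.target is not started until the rules are loaded, which is the ordering the patch is trying to make available without each admin having to pick an ad hoc anchor such as Before=basic.target.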