[systemd-devel] [PATCH v2] Add a network-pre.target to avoid firewall leaks

Zbigniew Jędrzejewski-Szmek zbyszek at in.waw.pl
Sat Jun 7 14:35:25 PDT 2014


Hi,

we *might* want to add a target like this. People often have things
which they want to do before the network is configured and it would be a
convenient hook for them. But the reasons should be made
clearer. Currently my iptables.service has Before=basic.target.  Why
is doing something like that not enough?

If it is added, the documentation for the target should be added to
systemd.special(7); we don't want to have a separate man page for every
target. Also, Description= is part of the documentation, and it should
be changed to something meaningful.

> +        <refsect1>
> +                <title>Usage</title>
> +
> +                <para>Network interface configuration services must <varname>Require=</varname>,
> +                and order themselves <varname>After=</varname>, <varname>network-pre.target</varname>.</para>
> +
> +                <para>Firewall services should order themselves <varname>Before=</varname>, and
> +                declare a <varname>RequiredBy=</varname> relation to, <varname>network-pre.target</varname>.
> +                Once enabled, their failure to start will impede network communication, avoiding
> +                dangerous leaks.</para>
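Review bot: `<varname>Require=</varname>` in the first paragraph is not a valid directive name; the unit-file directive is `Requires=` (the `RequiredBy=` in the second paragraph is spelled correctly), so this should read `<varname>Requires=</varname>`. The second paragraph's promise that a firewall failure "will impede network communication" only holds for interface-configuration services that actually carry the `Requires=` plus `After=` pair from the first paragraph; a service with only `After=network-pre.target` is still started after the failed target. Saying that dependency explicitly would replace the vague "avoiding dangerous leaks".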
"dangerous leaks" is unclear and imprecise.

> +                <para>(These usages are compatible with older versions of systemd that do not ship
> +                <varname>network-pre.target</varname>, because relations to missing units are
> +                dropped.)</para>
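Review bot: the compatibility parenthetical is only true for ordering dependencies. `Before=`/`After=` on a unit that does not exist are ignored, but `Requires=` on a missing unit makes the dependent unit fail to start, so the "must Requires=" advice in the preceding paragraph contradicts this claim. Either restrict the claim to the ordering relations, or recommend `Wants=` (which tolerates a missing unit) instead of `Requires=` for interface-configuration services that need to run on older systemd.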
This is not true. Require=network-pre.target will prevent a service
from being started if network-pre.target unit is not present.

> +[Unit]
> +Description=Network (Pre)
> +Documentation=man:network-pre.target(8)
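Review bot: `Documentation=man:network-pre.target(8)` points at a separate section-8 man page, but special targets are documented together in systemd.special(7); if the target is documented there, this line should read `Documentation=man:systemd.special(7)`. `Description=Network (Pre)` should also state what the target marks (the point before interface configuration begins), since the description is what appears in status output and the journal.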

> +RefuseManualStart=yes
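Review bot: `RefuseManualStart=yes` needs a justification in the patch, since nothing in the quoted documentation explains it. The target is pulled in automatically through the `RequiredBy=`/`Requires=` relations described above, so this setting only stops an administrator from starting the target by hand, for example to check the firewall ordering on a running system. Either document the reason or drop the line.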
Why?

Zbyszek

