[systemd-devel] [PATCH] Add a network-pre.target to avoid firewall leaks

Michael Biebl mbiebl at gmail.com
Sat Jun 7 15:55:55 PDT 2014


Could you elaborate why Before=network.target is too late?
On 06.06.2014 14:53, "Rusty Bird" <rustybird at openmailbox.org> wrote:

> https://bugs.freedesktop.org/show_bug.cgi?id=79600
> ---
>  Makefile.am                       |  1 +
>  man/systemd.special.xml           |  1 +
>  units/network-pre.target          | 11 +++++++++++
>  units/network.target              |  2 ++
>  units/systemd-networkd.service.in |  3 ++-
>  5 files changed, 17 insertions(+), 1 deletion(-)
>  create mode 100644 units/network-pre.target
>
> diff --git a/Makefile.am b/Makefile.am
> index a2a01d0..79adc34 100644
> --- a/Makefile.am
> +++ b/Makefile.am
> @@ -413,6 +413,7 @@ dist_systemunit_DATA = \
>         units/remote-fs.target \
>         units/remote-fs-pre.target \
>         units/network.target \
> +       units/network-pre.target \
>         units/network-online.target \
>         units/nss-lookup.target \
>         units/nss-user-lookup.target \
> diff --git a/man/systemd.special.xml b/man/systemd.special.xml
> index 8ccccc2..7515cf8 100644
> --- a/man/systemd.special.xml
> +++ b/man/systemd.special.xml
> @@ -71,6 +71,7 @@
>                  <filename>local-fs-pre.target</filename>,
>                  <filename>multi-user.target</filename>,
>                  <filename>network.target</filename>,
> +                <filename>network-pre.target</filename>,
>                  <filename>network-online.target</filename>,
>                  <filename>nss-lookup.target</filename>,
>                  <filename>nss-user-lookup.target</filename>,
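Review bot: Missing documentation: network-pre.target is only added to the list of unit names at the top of systemd.special(7), and the diffstat shows this one line as the entire man page change. Please add a description entry for it next to the other special targets, stating which units are expected to order themselves Before=network-pre.target (firewall setup) and which After= it (network management services), since the new unit's Documentation= line sends readers to this page.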
> diff --git a/units/network-pre.target b/units/network-pre.target
> new file mode 100644
> index 0000000..0c4a0ca
> --- /dev/null
> +++ b/units/network-pre.target
> @@ -0,0 +1,11 @@
> +#  This file is part of systemd.
> +#
> +#  systemd is free software; you can redistribute it and/or modify it
> +#  under the terms of the GNU Lesser General Public License as published
> by
> +#  the Free Software Foundation; either version 2.1 of the License, or
> +#  (at your option) any later version.
> +
> +[Unit]
> +Description=Network (Pre)
> +Documentation=man:systemd.special(7)
> +RefuseManualStart=yes
> diff --git a/units/network.target b/units/network.target
> index 65fc64b..6966035 100644
> --- a/units/network.target
> +++ b/units/network.target
> @@ -9,3 +9,5 @@
>  Description=Network
>  Documentation=man:systemd.special(7)
>  Documentation=
> http://www.freedesktop.org/wiki/Software/systemd/NetworkTarget
> +Requires=network-pre.target
> +After=network-pre.target
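Review bot: Requires=network-pre.target on network.target is stronger than the ordering problem needs. After=network-pre.target alone gives the ordering; Requires= additionally pulls the new target into every transaction that contains network.target and couples network.target to its stop or failure. Consider dropping Requires= here, or using Wants= if the target has to be pulled in from this side, and state in the commit message which unit is meant to activate network-pre.target.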
> diff --git a/units/systemd-networkd.service.in b/units/
> systemd-networkd.service.in
> index 373ac4e..8e4d213 100644
> --- a/units/systemd-networkd.service.in
> +++ b/units/systemd-networkd.service.in
> @@ -9,8 +9,9 @@
>  Description=Network Service
>  Documentation=man:systemd-networkd.service(8)
>  DefaultDependencies=no
> -After=dbus.service
> +After=dbus.service network-pre.target
>  Before=network.target
> +Requires=network-pre.target
>  Wants=network.target
>  ConditionCapability=CAP_NET_ADMIN
>
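Review bot: The added After=network-pre.target orders only systemd-networkd; any other service that configures interfaces and is ordered merely Before=network.target stays unordered against units that use Before=network-pre.target, so the firewall guarantee holds only where networkd is the sole network manager. That requirement on other network management services should be documented. Separately, Requires=network-pre.target sitting next to Wants=network.target looks stronger than necessary: with Requires=, stopping network-pre.target would also stop networkd, whereas Wants= together with the After= line would keep the ordering without that coupling.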
> --
> 2.0.0