[systemd-devel] [PATCH] Add a network-pre.target to avoid firewall leaks

Andrey Borzenkov arvidjaar at gmail.com
Sat Jun 7 22:16:50 PDT 2014


On Sun, 8 Jun 2014 01:42:18 +0200
Michael Biebl <mbiebl at gmail.com> writes:

> 2014-06-08 1:07 GMT+02:00 Zbigniew Jędrzejewski-Szmek <zbyszek at in.waw.pl>:
> > On Sun, Jun 08, 2014 at 12:55:55AM +0200, Michael Biebl wrote:
> >> Could you elaborate why Before=network.target is too late?
> > Because then network setup races with e.g. iptables setup. Depending
> > on the timing, a window in which the network has been set up, but
> > the firewall is not yet in place.
> 
> If the iptables setup has Before=network.target, why is that not sufficient?
> 
> 

Because network.target itself does not do anything at all. You have
some other service which does the actual job of setting up networking. This
other service is ordered before network.target. Ordering something else
before network.target will simply run them concurrently.

In the case of iptables this leaves you with a window where interfaces are up
but iptables is not yet set up.
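To make the race above concrete, here is an added illustration in systemd unit syntax; it is not part of Andrey's message or of the patch under discussion. The unit names firewall.service and networking.service and the rules path /etc/iptables/rules.v4 are assumed placeholders. The second half uses network-pre.target in the way systemd later documented in systemd.special(7): a unit that must run before any interface is configured pulls the target in with Wants= and orders itself Before= it, while the network manager only orders itself After= it and never pulls it in.

```ini
# --- Racy ordering: both units are only "Before=network.target" -------
# network.target runs nothing; it is a passive synchronisation point.
# Two units that are each Before= it have no ordering relative to each
# other, so they start concurrently and an interface can be up before
# the rules are loaded.

# /etc/systemd/system/firewall.service   (assumed name)
[Unit]
Description=Load iptables rules (racy ordering)
Before=network.target

[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/usr/sbin/iptables-restore /etc/iptables/rules.v4   ; assumed path

[Install]
WantedBy=multi-user.target

# /etc/systemd/system/networking.service   (assumed name)
[Unit]
Description=Bring up network interfaces
Before=network.target
# ... nothing here orders it after the firewall ...


# --- Fixed ordering: synchronise through network-pre.target -----------
# The firewall pulls the target in and runs before it; the network
# manager runs after it. Now interfaces cannot come up until the rules
# are in place, regardless of timing.

# /etc/systemd/system/firewall.service
[Unit]
Description=Load iptables rules before any interface is configured
Wants=network-pre.target
Before=network-pre.target

[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/usr/sbin/iptables-restore /etc/iptables/rules.v4   ; assumed path

[Install]
WantedBy=multi-user.target

# /etc/systemd/system/networking.service
[Unit]
Description=Bring up network interfaces
After=network-pre.target
Before=network.target
# Deliberately no Wants=network-pre.target: the network manager must
# not pull the target in, or it would be started on every boot even
# when no firewall unit exists.
```

After installing such units, `systemctl list-dependencies --before network-pre.target` should list the firewall unit, and `systemd-analyze critical-chain networking.service` should show network-pre.target (and therefore the firewall) finishing before the interfaces are brought up.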

