[systemd-devel] [PATCH v3] Add a network-pre.target to avoid firewall leaks

Rusty Bird rustybird at openmailbox.org
Sun Jun 8 05:15:04 PDT 2014 

https://bugs.freedesktop.org/show_bug.cgi?id=79600
---
Hi Zbigniew,

> Currently my iptables.service has Before=basic.target.  Why
> is doing something like that not enough?

Before=basic.target means lots of totally unrelated units can't be
started in parallel to the firewall.

More importantly, you'd also need RequiredBy=basic.target to make the
network fail closed if e.g. iptables can't load a module. But then you
end up with a stump of a system.

> If it is added, the documentation for the target should be added to
> systemd.special(7), we don't want to have a separate man page for every
> target.

ok

> Also, Description= is part of the documentation, and it should
> be changed to something meaningful.

I used the pattern from the existing *-pre.target units.

Changing it to "Description=No Network Yet", which sounds decent enough
in "Starting ___" and "Reached target ___".

>> +                <para>Firewall services should order themselves <varname>Before=</varname>, and
>> +                declare a <varname>RequiredBy=</varname> relation to, <varname>network-pre.target</varname>.
>> +                Once enabled, their failure to start will impede network communication, avoiding
>> +                dangerous leaks.</para>
> "dangerous leaks" is unclear and imprecise.

"Once enabled, their failure to start will impede the configuration of
network interfaces, preventing unfiltered communication."

>> +                <para>(These usages are compatible with older versions of systemd that do not ship
>> +                <varname>network-pre.target</varname>, because relations to missing units are
>> +                dropped.)</para>
> This is not true. Require=network-pre.target will prevent a service
> from being started if network-pre.target unit is not present.

Damn, I may have tested that using "Require=" (note the missing s).

Getting NetworkManager, netctl etc. on board with the convention
suddenly looks like it might take a while. :(

>> +RefuseManualStart=yes
> Why?

Also copied from *-pre.target.

Removing it now so desperate admins can run
"systemctl --job-mode=ignore-dependencies start network-pre.target"

Rusty


 Makefile.am                       |  1 +
 man/systemd.special.xml           | 23 +++++++++++++++++++++++
 units/network-pre.target          | 10 ++++++++++
 units/network.target              |  9 +++++++++
 units/systemd-networkd.service.in |  3 ++-
 5 files changed, 45 insertions(+), 1 deletion(-)
 create mode 100644 units/network-pre.target

diff --git a/Makefile.am b/Makefile.am
index a2a01d0..712c116 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -414,6 +414,7 @@ dist_systemunit_DATA = \
 	units/remote-fs-pre.target \
 	units/network.target \
 	units/network-online.target \
+	units/network-pre.target \
 	units/nss-lookup.target \
 	units/nss-user-lookup.target \
 	units/hibernate.target \
diff --git a/man/systemd.special.xml b/man/systemd.special.xml
index 8ccccc2..7599f27 100644
--- a/man/systemd.special.xml
+++ b/man/systemd.special.xml
@@ -72,6 +72,7 @@
                 <filename>multi-user.target</filename>,
                 <filename>network.target</filename>,
                 <filename>network-online.target</filename>,
+                <filename>network-pre.target</filename>,
                 <filename>nss-lookup.target</filename>,
                 <filename>nss-user-lookup.target</filename>,
                 <filename>paths.target</filename>,
@@ -453,6 +454,28 @@
                                         </listitem>
                         </varlistentry>
                         <varlistentry>
+                                <term><filename>network-pre.target</filename></term>
+                                <listitem>
+                                        <para>This special target is intended to be
+                                        activated before any network interface
+                                        configuration begins.</para>
+
+                                        <para>Network interface configuration
+                                        services must <varname>Require=</varname>,
+                                        and order themselves <varname>After=</varname>,
+                                        <varname>network-pre.target</varname>.</para>
+
+                                        <para>Firewall services should order
+                                        themselves <varname>Before=</varname>, and
+                                        declare a <varname>RequiredBy=</varname>
+                                        relation to, <varname>network-pre.target</varname>.
+                                        Once enabled, their failure to start will
+                                        impede the configuration of network
+                                        interfaces, preventing unfiltered
+                                        communication.</para>
+                                </listitem>
+                        </varlistentry>
+                        <varlistentry>
                                 <term><filename>paths.target</filename></term>
                                 <listitem>
                                         <para>A special target unit
diff --git a/units/network-pre.target b/units/network-pre.target
new file mode 100644
index 0000000..3066d7e
--- /dev/null
+++ b/units/network-pre.target
@@ -0,0 +1,10 @@
+#  This file is part of systemd.
+#
+#  systemd is free software; you can redistribute it and/or modify it
+#  under the terms of the GNU Lesser General Public License as published by
+#  the Free Software Foundation; either version 2.1 of the License, or
+#  (at your option) any later version.
+
+[Unit]
+Description=No Network Yet
+Documentation=man:systemd.special(7)
diff --git a/units/network.target b/units/network.target
index 65fc64b..3b9915c 100644
--- a/units/network.target
+++ b/units/network.target
@@ -9,3 +9,12 @@
 Description=Network
 Documentation=man:systemd.special(7)
 Documentation=http://www.freedesktop.org/wiki/Software/systemd/NetworkTarget
+
+# There are probably a lot of old, home grown network interface configuration
+# services out there that do not behave according to the network-pre.target
+# documentation in systemd.special(7). In those setups, systemd may be unable
+# to impede the network if a firewall service fails. So then at least block a
+# subset of network consumers (those with Requires=network.target) and reduce
+# the quantity of leaks.
+Requires=network-pre.target
+After=network-pre.target
diff --git a/units/systemd-networkd.service.in b/units/systemd-networkd.service.in
index 373ac4e..8e4d213 100644
--- a/units/systemd-networkd.service.in
+++ b/units/systemd-networkd.service.in
@@ -9,8 +9,9 @@
 Description=Network Service
 Documentation=man:systemd-networkd.service(8)
 DefaultDependencies=no
-After=dbus.service
+After=dbus.service network-pre.target
 Before=network.target
+Requires=network-pre.target
 Wants=network.target
 ConditionCapability=CAP_NET_ADMIN
 
-- 
2.0.0




-------------- next part --------------
A non-text attachment was scrubbed...
Name: signature.asc
Type: application/pgp-signature
Size: 801 bytes
Desc: OpenPGP digital signature
URL: <http://lists.freedesktop.org/archives/systemd-devel/attachments/20140608/6e07b95a/attachment.sig>

More information about the systemd-devel mailing list