[systemd-devel] [PATCH] Add a network-pre.target to avoid firewall leaks

Rusty Bird rustybird at openmailbox.org
Wed Jun 11 03:18:09 PDT 2014


Hi Lennart,

>> However, if we do this, then this needs to be a "passive" target, see
>> systemd.special(7), under "Special passive system units", and it should
>> be documented in that section. "Passive" means it is pulled in by the
>> units that implement a pre job, not by the units that implement the
>> networking stack. This way it doesn't get added to the initial
>> transaction unless there's actually some service that needs to be pulled
>> in. See the man page for further discussion on this.

> I figure we don't really need network-pre.target, as units that want to
> run before the network is up should just use:
> 
>     Before=systemd-networkd.service basic.target

From my v3 patch cover letter in reply to Zbyszek:

"Before=basic.target means lots of totally unrelated units can't be
started in parallel to the firewall.

"More importantly, you'd also need RequiredBy=basic.target to make the
network fail closed if e.g. iptables can't load a module. But then you
end up with a stump of a system."

I don't know if this property can be fit into the passive unit model.
Maybe the target should have a different name?

> This is enough since network management services like
> NM are normal services, and networkd is the exception in being available
> from earliest boot on, including in the initrd.

I've never used systemd inside an initrd, but wouldn't
DefaultDependencies=false make the target work in both early and
late systemd?

Rusty

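The passive-target arrangement discussed above, written out as unit files. This is an added illustration, not part of the thread or of Rusty's patch: the target name network-pre.target is the one under discussion, while the firewall unit name and the script paths are placeholders chosen here. The pre job (the firewall) pulls the target in with Wants= and orders itself Before= it; the target carries no dependencies of its own; and the network manager only orders After= the target, so the target never enters the initial transaction unless some pre job actually wants it.

```ini
# --- /etc/systemd/system/network-pre.target ---------------------------
# Passive target: it pulls nothing in and is never started by hand.
# Only units that must run before any network is configured reference it.
[Unit]
Description=Network (Pre)
Documentation=man:systemd.special(7)
RefuseManualStart=yes
DefaultDependencies=no

# --- /etc/systemd/system/firewall.service -------------------------------
# Example pre job (placeholder name and script paths, not from the thread).
# DefaultDependencies=no lets it run in early boot, before sysinit.target,
# so the same unit works in the initrd and in the late system.
[Unit]
Description=Load firewall rules before any interface is configured
DefaultDependencies=no
# The pre job, not the networking stack, pulls the passive target in
# and orders itself before it.
Wants=network-pre.target
Before=network-pre.target
# Conventional ordering against shutdown for units without default deps.
Conflicts=shutdown.target
Before=shutdown.target

[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/usr/local/sbin/load-firewall
ExecStop=/usr/local/sbin/flush-firewall

[Install]
WantedBy=multi-user.target

# --- /etc/systemd/system/systemd-networkd.service.d/network-pre.conf ---
# Drop-in for the network manager: ordering only, no Wants=, so a system
# with no pre job never adds network-pre.target to its transaction.
[Unit]
After=network-pre.target
```

Note the caveat Rusty raises above: Before=/After= are ordering dependencies only. If load-firewall exits non-zero, systemd-networkd.service still starts, so this layout does not fail closed. Making it fail closed needs a requirement dependency in the other direction (for example Requires=firewall.service in the network manager's drop-in), which is exactly the trade-off against "a stump of a system" discussed in the message.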