[systemd-devel] [PATCH] Add a network-pre.target to avoid firewall leaks

Lennart Poettering lennart at poettering.net
Wed Jun 11 03:29:26 PDT 2014


On Wed, 11.06.14 10:18, Rusty Bird (rustybird at openmailbox.org) wrote:

> Hi Lennart,
> 
> >> However, if we do this, then this needs to be a "passive" target, see
> >> systemd.special(7), under "Special passive system units", and it should
> >> be documented in that section. "Passive" means it is pulled it by the
> >> units that implement a pre job, not by the units that implement the
> >> networking stack. This way it doesn't get added to the initial
> >> transaction unless there's actually some service that needs to be pulled
> >> in. See the man page for further discussion on this.
> 
> > I figure we don't really need network-pre.target, as units that want to
> > run before the network is up should just use:
> > 
> >     Before=systemd-networkd.service basic.target
> 
> From my v3 patch cover letter in reply to Zbyszek:
> 
> "Before=basic.target means lots of totally unrelated units can't be
> started in parallel to the firewall.

Well, true. But that's the deal with basic.target. It abstracts the
early-boot stuff away, making things a lot easier, at the price of
slightly less parallelization.

> "More importantly, you'd also need RequiredBy=basic.target to make the
> network fail closed if e.g. iptables can't load a module. But then you
> end up with a stump of a system."
> 
> I don't know if this property can be fit into the passive unit model.
> Maybe the target should have a different name?

I am not convinced that the firewall being broken should break the
boot. If that's desirable, then people should use:

    OnFailure=emergency.target
    OnFailureJobMode=replace-irreversibly

That puts the system in emergency mode if the firewall is fucked
up. But again, I am pretty sure that should not be the default logic,
but just some specific configuration for special setups.

Anyway, this is implemented now, please have a look (see other mail).

Lennart

-- 
Lennart Poettering, Red Hat
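As an added illustration of the two points discussed above (this is not a unit from the patch or from systemd itself): a firewall service that pulls in the passive network-pre.target with Wants=/Before=, so the target only enters the boot transaction because this unit asks for it, and that opts into fail-closed behaviour with the OnFailure= pair from the mail. The rules file path and the use of iptables-restore are assumptions for the example.

```ini
# /etc/systemd/system/firewall-rules.service  (hypothetical example unit)
[Unit]
Description=Load firewall rules before any network interface is configured
# Early-boot unit: do not implicitly order after basic.target/sysinit.target,
# otherwise it could not run before the networking stack at all.
DefaultDependencies=no
# Passive target model: this unit pulls network-pre.target in (Wants=) and
# orders itself before it (Before=). The networking implementations only
# declare After=network-pre.target, so the target is a no-op on systems
# without a unit like this one.
Wants=network-pre.target
Before=network-pre.target
# Usual housekeeping for DefaultDependencies=no units.
Conflicts=shutdown.target
Before=shutdown.target
# Fail closed, per the mail: if rule loading fails (e.g. a module cannot
# be loaded) drop into emergency mode instead of booting without a firewall.
# This is opt-in for specific setups, not something to expect as a default.
OnFailure=emergency.target
OnFailureJobMode=replace-irreversibly

[Service]
Type=oneshot
# Keep the unit "active" after the rules are loaded so dependents stay ordered.
RemainAfterExit=yes
# Assumed path to a saved rule set; replace with the distribution's location.
ExecStart=/sbin/iptables-restore /etc/iptables/rules.v4
ExecStop=/sbin/iptables -F

[Install]
WantedBy=multi-user.target
```

Because network-pre.target is passive, checking `systemctl list-dependencies network-pre.target --reverse` on a system without such a unit should show nothing pulling it in, which is the behaviour the "passive" requirement is meant to guarantee.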
