[systemd-devel] Request for clarification of use & implementation of new (systemd >= v214) "network-pre.target"

PGNd dev at pgnd.us
Fri Oct 10 10:14:47 PDT 2014


systemd v214 introduced the new network-related target, "network-pre.target".

It cleanly provides a convenient and timely pre-network state trigger for Before= use in unit ordering.

As originally conceived, and currently implemented, it's of particular use for secure, early init of firewalls,

	http://lists.freedesktop.org/archives/systemd-commits/2014-June/006332.html
		commit a4a878d04045b46fa9783664e3643a890b356790
		Author: Lennart Poettering <lennart at poettering.net>
		Date:   Wed Jun 11 11:33:02 2014 +0200

		    units: introduce network-pre.target as place to hook in firewalls
		...

This target, specifically, started interest/discussion in its correct use for shorewall

	SW 4.6.4+' systemd service files' Before=/After= dependency on 'network.target' -- should that be 'network-pre.target' and 'network-online.target'?
	http://comments.gmane.org/gmane.comp.security.shorewall/31879

It was pointed out later in that same thread,

	http://permalink.gmane.org/gmane.comp.security.shorewall/31885

that not all distros have currently, nor in the immediate future, plans for up-to-date systemd.

openSUSE, e.g., has available, &/or will use, v210 for openSUSE versions 13.1, 13.2 & Factory.

Reviewing the commit implementing network-pre.target, above, it looks relatively simple, and it was suggested in #systemd to apply the change as a patch to the existing systemd implementation.

To that end, I raised a request at the distro to do so,

	https://bugzilla.suse.com/show_bug.cgi?id=900505
	Bug 900505 - Base:System/systemd: Bug Request to add upstream's patch to include v214's new 'network-pre.target' for early/secure pre-network dependency activation of firewall services

At the moment there's some confusion in that discussion.  If there's any possibility of participation from here at/about that bug to help clarify what can/should be done, it'd be appreciated.

At the very least, it'd be helpful to get some specific clarification here re:

(1) Can the aforementioned patch be safely/cleanly applied to a v210 tree?
(2) Is systemd-networkd service required to be active to correctly support/detect network state on system startup, and properly trigger network-pre.target at the right time?  It does not appear to be required for either network.target, or network-online.target ...
(3) This

	https://wiki.archlinux.org/index.php/systemd-networkd

but not these

	http://www.freedesktop.org/software/systemd/man/systemd-networkd.service.html 
	http://www.freedesktop.org/software/systemd/man/systemd.network.html

explicitly states that 

	" ...
	This service (systemd-networkd) can run alongside your usual network management tool
	... "

IIUC, that suggests that systemd-networkd can be started in a detect-only mode, e.g., if no .network or .netdev files are specified, leaving network & interface startup to other mechanisms (not that I see the benefit in doing so; nonetheless ...).  Is that correct?

Thanks.
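
Added example, not part of the original post and not shorewall's shipped unit: a hypothetical firewall.service showing the ordering the network-pre.target commit was written for. network-pre.target is a passive target: nothing starts it on its own, network management units order themselves After= it but do not pull it in, so a firewall unit has to both order itself Before= it and Wants= it. The unit path, the firewall-load/firewall-unload helper scripts and the choice of local-fs.target as the only retained early dependency are assumptions for illustration.

```ini
# Added example (not from the original post, not shorewall's own unit).
# Assumed path: /etc/systemd/system/firewall.service

[Unit]
Description=Load firewall rules before any network interface comes up
Documentation=man:systemd.special(7)

# Weak ordering (the starting point of the shorewall thread):
#   Before=network.target
# network.target is reached once network management has configured
# interfaces, so rules may load after an interface is already up. That is
# a race on every boot, not an ordering guarantee.

# Ordering for a firewall: run before the passive network-pre.target and
# pull it in with Wants=, since nothing else starts a passive target.
# Network management software (networkd, NetworkManager, ifup scripts with
# a suitable unit) orders itself After=network-pre.target, so rules are in
# place before any interface is configured.
Before=network-pre.target
Wants=network-pre.target

# Early-boot unit: drop the implicit After=basic.target / sysinit.target
# dependencies so this can run before network management starts, then add
# back only what the rule loader needs (assumed: local file systems).
# Conflicts=/Before=shutdown.target are the usual companions of
# DefaultDependencies=no so the unit is stopped cleanly at shutdown.
DefaultDependencies=no
After=local-fs.target
Conflicts=shutdown.target
Before=shutdown.target

[Service]
Type=oneshot
RemainAfterExit=yes
# Assumed helper scripts; substitute the real rule loader.
ExecStart=/usr/local/sbin/firewall-load
ExecStop=/usr/local/sbin/firewall-unload

[Install]
WantedBy=multi-user.target
```

After `systemctl daemon-reload` and `systemctl enable firewall.service`, `systemctl show -p Before -p After firewall.service` should list network-pre.target under Before; if the target unit is missing (e.g. on a systemd v210 tree without the backport), the Wants= is silently ignored and the Before= ordering has nothing to attach to, which is exactly the case the question above is about.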
