[systemd-devel] making firewalld an early boot service

Lennart Poettering lennart at poettering.net
Wed Mar 9 09:57:54 UTC 2022


On Tue, 08.03.22 22:59, Michael Biebl (mbiebl at gmail.com) wrote:

> I wonder if firewald should be turned into an early boot service as
> well.

I doubt you can do that. The thing is that firewalld uses D-Bus, and
services that do D-Bus will have a hard time running during early boot.

In systemd we have some services which do D-Bus and run in early boot,
specifically networkd, resolved and systemd itself. They do that by
simply not doing D-Bus that early, and watching the D-Bus socket so
that they connect the moment it becomes available. It's ugly as fuck,
though, and very hard to get right; it took us quite some time to get
this reasonably right and race-free.

Last time I looked, firewalld is a bunch of scripts around iptables/nft
shell-outs? I have my doubts it's going to be easy to make that work,
i.e. add the glue it needs to instantly connect to D-Bus once it
becomes available in a race-free fashion.

> Currently it looks like this:
>
> [Unit]
> Description=firewalld - dynamic firewall daemon
> Before=network-pre.target

Network management services such as networkd are early-boot
services. A late boot service ordered before network-pre.target, and
thus networkd, is hence already an ordering cycle.

> After=dbus.service
> After=polkit.service

These two are late boot services, hence hard to move to early boot if
you keep them.

> I wonder if the following would make sense
>
>
> [Unit]
> Description=firewalld - dynamic firewall daemon
> DefaultDependencies=no
> Before=network-pre.target
> Wants=network-pre.target
> After=local-fs.target
> Conflicts=iptables.service ip6tables.service ebtables.service ipset.service nftables.service
> Documentation=man:firewalld(1)
>
> [Service]
> ...
> [Install]
> WantedBy=sysinit.target

It should also have Before=sysinit.target really.

> Alias=dbus-org.fedoraproject.FirewallD1.service

> I dropped the After=dbus.service polkit.service orderings, as they are
> either socket or D-Bus activated services, added an explicit
> After=local-fs.target ordering just to be sure and hooked it into
> sysinit.target.

My educated guess is that they want After=dbus.service mostly for
shutdown ordering, i.e. so that they can still be talked to while the
system goes down or so?

The thing though is: I doubt firewalld is able to handle the case
where the D-Bus broker isn't connectible yet.

> Would you agree that making a firewall service an early boot service
> is a good idea?

Well, I am not a fan of the firewalld concept tbh. But yes, if you buy
into the idea of firewalld, then you have to make it an early boot
service really, if you intend to be compatible with early boot
networking. That said, I think NetworkManager is not early-boot either
right now, is it? So you have to move that too. But in that case too,
not sure if it can deal with D-Bus not being around.

Lennart

--
Lennart Poettering, Berlin
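Putting the pieces of this exchange together, the early-boot variant as an added example (not firewalld's shipped unit, and not a unit either author posted): Michael's proposed unit plus the Before=sysinit.target ordering Lennart asks for. Description=, Documentation=, Conflicts=, Wants=, After= and the [Install] section are carried over from the quoted proposal; the explicit shutdown.target handling is my addition, and the [Service] section is left out because the thread does not show it.

```ini
# Added example: early-boot firewalld.service ordering, assembled from the
# proposal quoted in the thread plus the Before=sysinit.target that the reply
# asks for. Not the shipped firewalld unit; [Service] is omitted because the
# thread does not show it.
[Unit]
Description=firewalld - dynamic firewall daemon
Documentation=man:firewalld(1)
# Opt out of the implicit Requires=/After=sysinit.target and After=basic.target
# that every service gets by default. Without this the unit stays late boot,
# and Before=network-pre.target then orders it ahead of an early-boot networkd.
DefaultDependencies=no
# Order ahead of the early-boot phase itself, not only network-pre.target.
Before=sysinit.target network-pre.target
Wants=network-pre.target
After=local-fs.target
# DefaultDependencies=no also drops the implicit Conflicts=/Before=shutdown.target,
# so spell them out, or the service is not stopped in an orderly way at shutdown.
# (Addition of this example, not from the thread.)
Conflicts=shutdown.target
Before=shutdown.target
Conflicts=iptables.service ip6tables.service ebtables.service ipset.service nftables.service
# No After=dbus.service or After=polkit.service: both are late boot, so
# ordering after them would pull this unit back out of early boot. The daemon
# itself still has to cope with the D-Bus broker not being connectible yet,
# which this unit file does nothing to solve.

[Install]
WantedBy=sysinit.target
Alias=dbus-org.fedoraproject.FirewallD1.service
```

After dropping the unit into /etc/systemd/system/, `systemd-analyze verify firewalld.service` catches load and syntax errors, and `systemd-analyze dot --order firewalld.service network-pre.target sysinit.target` prints the resulting ordering edges, so a late-boot dependency that crept back in (an After= on a unit that itself waits for basic.target, for instance) is visible before the first reboot. The unit ordering is the easy half; the daemon still has to watch the D-Bus socket and connect only once the broker is up, which is the part the reply above calls hard to get race-free.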

