Bug 79600

Summary: Add a network-pre.target to avoid firewall leaks
Product: systemd
Reporter: Rusty Bird <rustybird+freedesktop.org>
Component: general
Assignee: systemd-bugs
Status: RESOLVED FIXED
QA Contact: systemd-bugs
Severity: normal
Priority: medium
Version: unspecified
Hardware: All
OS: All

Description Rusty Bird 2014-06-03 17:24:55 UTC
It looks like it's impossible to specify (in a cross-distro fashion) that a service should start up before any network interface configuration *begins*. (Before=network.target is too late.)

But such an ordering is essential for firewall services that need to avoid leaks. I propose the following:

1. Ship an empty network-pre.target.

2. Add to systemd-networkd.service and network.target:

[Unit]
Requires=network-pre.target
After=network-pre.target

3. Document #2 as a convention for other network interface configuration services to follow.

With this in place, a firewall service can finally do:

[Unit]
Before=network-pre.target
[Install]
RequiredBy=network-pre.target

Comment 1 Lennart Poettering 2014-06-18 15:05:33 UTC
Implemented in the last release.
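
The ordering proposed in the description can be audited offline. The following is an added example, not code from this bug report or from systemd: it reads Before=/After= from unit files and lists network configuration services that are not forced to start after the firewall. The unit contents and the names firewall.service and legacy-ifup.service are constructed for illustration.

```python
# Added example: unit contents below are constructed, not copied from any distro.
from collections import defaultdict

UNITS = {
    "firewall.service": "[Unit]\nBefore=network-pre.target\n[Install]\nRequiredBy=network-pre.target\n",
    "systemd-networkd.service": "[Unit]\nRequires=network-pre.target\nAfter=network-pre.target\n",
    "legacy-ifup.service": "[Unit]\nBefore=network.target\n",  # hypothetical, ignores the convention
}

def parse_unit(text):
    """Return {section: {key: [values]}}; keys may repeat and carry space-separated lists."""
    sections, current = defaultdict(lambda: defaultdict(list)), None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
        elif "=" in line and current:
            key, value = line.split("=", 1)
            sections[current][key.strip()].extend(value.split())
    return sections

def ordering_edges(units):
    """Set of (earlier, later) pairs derived from every unit's Before= and After=."""
    edges = set()
    for name, text in units.items():
        unit = parse_unit(text)["Unit"]
        edges |= {(name, other) for other in unit["Before"]}
        edges |= {(other, name) for other in unit["After"]}
    return edges

def starts_before(edges, first, second):
    """True if the ordering graph forces `first` to start before `second`."""
    seen, stack = set(), [first]
    while stack:
        node = stack.pop()
        for earlier, later in edges:
            if earlier == node and later not in seen:
                seen.add(later)
                stack.append(later)
    return second in seen

def leak_window(units, firewall, network_services):
    """Network services that may configure interfaces before the firewall is up."""
    edges = ordering_edges(units)
    return [s for s in network_services if not starts_before(edges, firewall, s)]

if __name__ == "__main__":
    print(leak_window(UNITS, "firewall.service", ["systemd-networkd.service", "legacy-ifup.service"]))
```

Only ordering is checked here; whether network-pre.target is actually pulled into the boot transaction (the RequiredBy= line in the description) has to be verified separately.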