Bug 79600 - Add a network-pre.target to avoid firewall leaks
Summary: Add a network-pre.target to avoid firewall leaks
Status: RESOLVED FIXED
Alias: None
Product: systemd
Classification: Unclassified
Component: general (show other bugs)
Version: unspecified
Hardware: All All
: medium normal
Assignee: systemd-bugs
QA Contact: systemd-bugs
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2014-06-03 17:24 UTC by Rusty Bird
Modified: 2014-06-18 15:05 UTC (History)
0 users

See Also:
i915 platform:
i915 features:


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Rusty Bird 2014-06-03 17:24:55 UTC
It looks like it's impossible to specify (in a cross-distro fashion) that a service should start up before any network interface configuration *begins*. (Before=network.target is too late.)

But such an ordering is essential for firewall services that need to avoid leaks. I propose the following:

1. Ship an empty network-pre.target.

2. Add to systemd-networkd.service and network.target:

[Unit]
Requires=network-pre.target
After=network-pre.target

3. Document #2 as a convention for other network interface configuration services to follow.

With this in place, a firewall service can finally do:

[Unit]
Before=network-pre.target
[Install]
RequiredBy=network-pre.target
Comment 1 Lennart Poettering 2014-06-18 15:05:33 UTC
Implemented in the last release.


Use of freedesktop.org services, including Bugzilla, is subject to our Code of Conduct. How we collect and use information is described in our Privacy Policy.