Bug 79600 - Add a network-pre.target to avoid firewall leaks
Summary: Add a network-pre.target to avoid firewall leaks
Status: RESOLVED FIXED
Alias: None
Product: systemd
Classification: Unclassified
Component: general
Version: unspecified
Hardware: All All
Importance: medium normal
Assignee: systemd-bugs
QA Contact: systemd-bugs
Reported: 2014-06-03 17:24 UTC by Rusty Bird
Modified: 2014-06-18 15:05 UTC

Description Rusty Bird 2014-06-03 17:24:55 UTC
It looks like it's impossible to specify (in a cross-distro fashion) that a service should start up before any network interface configuration *begins*. (Before=network.target is too late.)

But such an ordering is essential for firewall services that need to avoid leaks. I propose the following:

1. Ship an empty network-pre.target.

2. Add to systemd-networkd.service and network.target:

[Unit]
Requires=network-pre.target
After=network-pre.target

3. Document #2 as a convention for other network interface configuration services to follow.

With this in place, a firewall service can finally do:

[Unit]
Before=network-pre.target
[Install]
RequiredBy=network-pre.target

Comment 1 Lennart Poettering 2014-06-18 15:05:33 UTC
Implemented in the last release.
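
Added example, not part of the original bug report or of systemd: a Python check of unit-file text against the ordering proposed in the description (the firewall unit has Before= and is installed into network-pre.target; each network configuration unit has After= and pulls the target in). The unit names and sample contents are constructed, and accepting WantedBy=/Wants= alongside the RequiredBy=/Requires= named in the proposal is an assumption.

```python
TARGET = "network-pre.target"

def parse_unit(text):
    """Parse unit-file text into {section: {key: [values]}}."""
    unit, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = unit.setdefault(line[1:-1], {})
        elif "=" in line and section is not None:
            key, _, value = line.partition("=")
            values = section.setdefault(key.strip(), [])
            if value.strip():
                values.extend(value.split())  # repeated keys accumulate
            else:
                values.clear()  # an empty assignment resets the list
    return unit

def deps(unit, section, *keys):
    """Collect the unit names listed under any of the given keys."""
    return {v for k in keys for v in unit.get(section, {}).get(k, [])}

def audit(firewall_text, network_units):
    """Return findings for a firewall unit and {name: text} network units."""
    findings = []
    fw = parse_unit(firewall_text)
    if TARGET not in deps(fw, "Unit", "Before"):
        findings.append("firewall: missing Before=" + TARGET)
    if TARGET not in deps(fw, "Install", "RequiredBy", "WantedBy"):
        findings.append("firewall: not installed into " + TARGET)
    for name, text in sorted(network_units.items()):
        unit = parse_unit(text)
        # After= only orders; Requires=/Wants= is what pulls the target in.
        if TARGET not in deps(unit, "Unit", "After"):
            findings.append(name + ": missing After=" + TARGET)
        if TARGET not in deps(unit, "Unit", "Requires", "Wants"):
            findings.append(name + ": does not pull in " + TARGET)
    return findings

# Constructed sample units, not taken from any distribution.
FIREWALL = "[Unit]\nBefore=network-pre.target\n[Install]\nRequiredBy=network-pre.target\n"
NETWORKD = "[Unit]\nRequires=network-pre.target\nAfter=network-pre.target\n"
LEGACY = "[Unit]\nDescription=Constructed interface setup\nAfter=local-fs.target\n"
LATE_FIREWALL = "[Unit]\nBefore=network.target\n"  # the too-late ordering

if __name__ == "__main__":
    units = {"networkd": NETWORKD, "legacy-ifup": LEGACY}
    for finding in audit(FIREWALL, units) + audit(LATE_FIREWALL, {}):
        print(finding)
```

The parser reads plain text only, so drop-in overrides and dependencies that systemd adds implicitly are not reflected in its findings.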

