Package: netfilter-persistent
Severity: grave
X-Debbugs-CC: whonix-de...@whonix.org
Tags: security

Dear maintainer,

I am using the following minimal systemd unit file for testing purposes.

### /lib/systemd/system/my-test.service
[Unit]
Description=my-test-firewall-service
Before=network-pre.target
Wants=network-pre.target

[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/bin/true
StandardOutput=syslog

[Install]
WantedBy=multi-user.target
###

Enabled it using "sudo systemctl enable my-test.service". It results in a systemd ordering cycle.

Jul 29 01:23:59 localhost systemd[1]: Found ordering cycle on basic.target/start
Jul 29 01:23:59 localhost systemd[1]: Found dependency on sysinit.target/start
Jul 29 01:23:59 localhost systemd[1]: Found dependency on networking.service/start
Jul 29 01:23:59 localhost systemd[1]: Found dependency on network-pre.target/start
Jul 29 01:23:59 localhost systemd[1]: Found dependency on my-test.service/start
Jul 29 01:23:59 localhost systemd[1]: Found dependency on basic.target/start
Jul 29 01:23:59 localhost systemd[1]: Breaking ordering cycle by deleting job networking.service/start
Jul 29 01:23:59 localhost systemd[1]: Job networking.service/start deleted to break ordering cycle starting with basic.target/start

Alternatively I tried "WantedBy=network-pre.target", but that resulted in the systemd unit not being automatically activated after boot at all. It stays in a loaded, enabled, inactive status. (Manual "systemctl start my-test" worked.)

I think this is security relevant, since to learn that there is a systemd ordering cycle one has to look at the syslog. And systemd's automatic breaking of the chain might result in the firewall not being loaded early enough?

Cheers,
Patrick
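The cycle in the log above closes through the implicit After=basic.target that every unit gets while DefaultDependencies=yes; a unit that must run before network-pre.target has to opt out of that with DefaultDependencies=no and then declare the few early-boot orderings it really needs. The corrected unit below is an added example, not part of the report or of netfilter-persistent; the local-fs.target and systemd-modules-load.service orderings are assumptions about what a real firewall loader (rules file on disk, netfilter modules) would require.

```ini
# /lib/systemd/system/my-test.service (added example, not the reporter's unit)
[Unit]
Description=my-test-firewall-service
# Opt out of the implicit After=basic.target / Requires=sysinit.target,
# which is what produced the basic.target -> ... -> my-test.service cycle.
DefaultDependencies=no
# Still run before any interface is configured.
Wants=network-pre.target
Before=network-pre.target
# Assumptions: rules live on the root filesystem and need netfilter modules.
Wants=local-fs.target systemd-modules-load.service
After=local-fs.target systemd-modules-load.service
# Without default dependencies the unit would not stop at shutdown on its own.
Conflicts=shutdown.target
Before=shutdown.target

[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/bin/true
StandardOutput=syslog

[Install]
WantedBy=multi-user.target
```

After installing the unit, a boot without any "Found ordering cycle" line in `journalctl -b` and `systemctl show -p After networking.service` listing my-test.service confirms the ordering holds.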