On 15/02/2022 18:13, Lennart Poettering wrote:
On Di, 15.02.22 17:30, Thomas HUMMEL (thomas.hum...@pasteur.fr) wrote:


A passive unit is a sync point that should be pulled in by the service
that actually needs it to operate correctly. Hence: ask the question whether
networkd/NetworkManager will operate only correctly if nftables
finished start-up before it? I think that answer is a clear "no". But
the opposite holds, i.e. nftables only operates as a safe firewall if
it is run *before* networkd/NM start up. Thus it should be nftables
that pulls network-pre.target in, not networkd/NM, because it matters
to nftables, and it doesn't to networkd/NM.

Or maybe it is the other way around: by pulling it *and* knowing that
network interface is configured After= nftables.service is guaranteed to set
up its firewall before any interface gets configured.

So yeah, passive units are mostly about synchronization, i.e. if they
are pulled in they should have units on both sides, otherwise they
make no sense.

Exactly: that's what I meant with my nftables/NetworkManager above: not that I thought it made sense for NetworkManager to pull network-pre.target in. I meant it made no sense for nftables alone to order Before= something it "created". Hence I kinda wrongfully saw a passive target as a sync point for other units than those which pull them in. But you're right: one side of the synchronization is actually the unit pulling in the passive target! I just took that for granted/forgot it.

I kinda thought/implied it was more or less required (or the way to do it) to order Before= a passive target we were pulling in.

So, although I did not see the case: would it be legit to pull a passive target and order After= it (I only saw Before= for the one I checked I think)?

Thanks again for your help

--
Thomas HUMMEL
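To make the arrangement discussed in the thread concrete, here is an illustrative pair of unit fragments (added here as an example; this is not a unit file taken from the thread, from nftables or from a distribution, and the paths and unit names are assumed). The firewall unit is the side that cares about ordering, so it both pulls the passive target in (Wants=) and orders itself Before= it; the network-management side only needs After=network-pre.target, which in practice networkd and NetworkManager already declare. The passive target itself carries no [Install] section and no Wants= of its own, which is what makes it "passive": it only appears in the transaction when some unit such as the firewall pulls it in.

```ini
# /etc/systemd/system/nftables.service  (illustrative, assumed path)
[Unit]
Description=Netfilter Tables
Documentation=man:nft(8)
# The firewall is the unit that needs the sync point, so it pulls the
# passive target in ...
Wants=network-pre.target
# ... and orders itself before it, so that the ruleset is loaded before
# any unit that is After=network-pre.target (networkd/NM) configures a link.
Before=network-pre.target

[Service]
Type=oneshot
ExecStart=/usr/sbin/nft -f /etc/nftables.conf
ExecReload=/usr/sbin/nft -f /etc/nftables.conf
ExecStop=/usr/sbin/nft flush ruleset
# Keep the unit "active" after the one-shot load so reloads and stops work.
RemainAfterExit=yes

[Install]
WantedBy=sysinit.target

# /etc/systemd/system/example-netconfig.service  (illustrative, assumed name;
# stands in for networkd/NetworkManager, which already carry this After=)
[Unit]
Description=Example network configuration service
# The other side of the sync point: run only once network-pre.target is
# reached. No Wants= here, because this side does not care whether a
# firewall exists at all.
After=network-pre.target

[Service]
Type=oneshot
ExecStart=/usr/local/sbin/configure-links  # assumed helper
RemainAfterExit=yes

[Install]
WantedBy=multi-user.target
```

After installing and enabling such units, `systemctl list-dependencies --reverse network-pre.target` shows which units pull the passive target in, and `systemctl show -p Before,After,Wants nftables.service` confirms the ordering and requirement edges actually in effect; if nothing at all wants network-pre.target, it simply never appears in the boot transaction, which is the property the thread is describing.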
