Package: firehol
Version: 3.1.7+ds-5
Severity: normal
Tags: patch
X-Debbugs-Cc: [email protected]
User: [email protected]
Usertags: origin-ubuntu oracular ubuntu-patch
Hello,

Ubuntu uses Netplan and systemd-networkd and is working towards supporting
networkd-dispatcher instead of ifupdown. I'd like to propose this change
so that Debian can also benefit from this.

I noticed that the existing if-up/down hooks that firehol uses could be
expanded to also handle networkd-dispatcher.

I'm also proposing an addition to the firehol.links file in order to
properly link the scripts under /etc/network/if-{up,down}.d/ to
/usr/lib/networkd-dispatcher/{routable,off}.d/, in order to prevent code
duplication.

  * Extend ifupdown script to support networkd-dispatcher. (LP: #1718227)
    - d/ifupdown/ifupdown-firehol.sh:
      Implement support for networkd-dispatcher.
    - d/firehol.links: Install firehol scripts inside the proper
      /usr/lib/networkd-dispatcher/{off,routable}.d/ directories.

I did a quick test inside an Ubuntu VM with the new version of the package.
I brought the network interface down & up and monitored syslog/journalctl
after enabling START_FIREHOL=AUTO via /etc/default/firehol, to confirm that
the script is being executed correctly. Here's the log:

Jul 10 13:40:52 oo-vm-255 systemd-networkd[643]: enp5s0: Link DOWN
Jul 10 13:40:52 oo-vm-255 systemd-networkd[643]: enp5s0: Lost carrier
Jul 10 13:40:52 oo-vm-255 systemd-networkd[643]: enp5s0: DHCP lease lost
Jul 10 13:40:52 oo-vm-255 systemd-networkd[643]: enp5s0: DHCPv6 lease lost
Jul 10 13:40:52 oo-vm-255 systemd-timesyncd[539]: No network connectivity, watching for changes.
Jul 10 13:40:52 oo-vm-255 systemd[1]: networkd-dispatcher.service: Got notification message from PID 2863, but reception only permitted for main PID 2144
Jul 10 13:40:53 oo-vm-255 FireHOL[2994]: FireHOL started from '/' with: /usr/sbin/firehol stop
Jul 10 13:40:53 oo-vm-255 FireHOL[2995]: Clearing firewall started
Jul 10 13:40:53 oo-vm-255 FireHOL[3044]: Clearing firewall succeeded
Jul 10 13:40:53 oo-vm-255 FireHOL[3047]: Firewall has been stopped. Policy is ACCEPT EVERYTHING!

Thanks for considering the patch.
Cheers,
Lukas
-- System Information:
Debian Release: trixie/sid
APT prefers noble-updates
APT policy: (500, 'noble-updates'), (500, 'noble-security'), (500, 'noble'),
(100, 'noble-proposed'), (100, 'noble-backports')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 6.8.0-35-generic (SMP w/8 CPU threads; PREEMPT)
Kernel taint flags: TAINT_PROPRIETARY_MODULE, TAINT_OOT_MODULE
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8),
LANGUAGE=de_DE:en_GB:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled
diff -Nru firehol-3.1.7+ds/debian/firehol.links
firehol-3.1.7+ds/debian/firehol.links
--- firehol-3.1.7+ds/debian/firehol.links 2024-01-22 19:20:43.000000000
+0100
+++ firehol-3.1.7+ds/debian/firehol.links 2024-07-10 15:25:46.000000000
+0200
@@ -2,6 +2,8 @@
etc/firehol/ifupdown-firehol.sh etc/network/if-up.d/firehol
etc/firehol/ifupdown-firehol.sh etc/network/if-down.d/firehol
etc/firehol/ifupdown-firehol.sh etc/network/if-post-down.d/00-firehol
+etc/firehol/ifupdown-firehol.sh usr/lib/networkd-dispatcher/routable.d/firehol
+etc/firehol/ifupdown-firehol.sh usr/lib/networkd-dispatcher/off.d/firehol
usr/libexec/firehol/firehol usr/sbin/firehol
usr/lib/firehol/services.firehol usr/libexec/firehol/services.firehol
usr/share/doc/firehol/examples/contrib usr/share/doc/firehol/contrib
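Review bot: the two added links install the hook into /usr/lib/networkd-dispatcher/{routable,off}.d/ unconditionally, but nothing in the patch tells dpkg about the relationship to networkd-dispatcher; consider adding `Suggests: networkd-dispatcher` (or `Enhances: networkd-dispatcher`) in d/control, and mentioning the new hook locations in README.Debian next to the changelog entry, so that users of Netplan/systemd-networkd know the firewall now follows routable/off events. Naming is also inconsistent within the file: the if-post-down link is `00-firehol` while both new links are plain `firehol`; if ordering relative to other networkd-dispatcher hooks matters, give them the same prefix.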
diff -Nru firehol-3.1.7+ds/debian/ifupdown/ifupdown-firehol.sh
firehol-3.1.7+ds/debian/ifupdown/ifupdown-firehol.sh
--- firehol-3.1.7+ds/debian/ifupdown/ifupdown-firehol.sh 2024-03-30
09:51:21.000000000 +0100
+++ firehol-3.1.7+ds/debian/ifupdown/ifupdown-firehol.sh 2024-07-10
15:22:30.000000000 +0200
@@ -61,6 +61,18 @@
set -x
fi
+# handle networkd-dispatcher hooks
+if [ -z "$MODE" ]; then
+ case $(dirname "$0") in
+ */routable.d)
+ MODE=start;
+ ;;
+ */off.d)
+ MODE=stop;
+ ;;
+ esac
+fi
+
[ "$IFACE" != "lo" ] || exit 0
set -e
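Review bot: MODE is derived from `dirname "$0"`, so it is only set when the script is reached through one of the new symlinks; a direct invocation of /etc/firehol/ifupdown-firehol.sh, or a relative path such as `routable.d/firehol` whose dirname `routable.d` does not match `*/routable.d`, leaves MODE empty and falls through to whatever the script already did for an unset MODE, which this hunk does not show. A comment stating that expectation (and that ifupdown's own MODE takes precedence because of the `-z` guard) would help the next reader. Style: the trailing `;` after `MODE=start` and `MODE=stop` is redundant, since `;;` already terminates each case arm.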