https://bugs.freedesktop.org/show_bug.cgi?id=79600 --- Makefile.am | 1 + man/network-pre.target.xml | 82 +++++++++++++++++++++++++++++++++++++++ units/network-pre.target | 11 ++++++ units/network.target | 8 ++++ units/systemd-networkd.service.in | 3 +- 5 files changed, 104 insertions(+), 1 deletion(-) create mode 100644 man/network-pre.target.xml create mode 100644 units/network-pre.target
diff --git a/Makefile.am b/Makefile.am
index a2a01d0..79adc34 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -413,6 +413,7 @@ dist_systemunit_DATA = \
 units/remote-fs.target \
 units/remote-fs-pre.target \
 units/network.target \
+ units/network-pre.target \
 units/network-online.target \
 units/nss-lookup.target \
 units/nss-user-lookup.target \
diff --git a/man/network-pre.target.xml b/man/network-pre.target.xml
new file mode 100644
index 0000000..db52b33
--- /dev/null
+++ b/man/network-pre.target.xml
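Review bot: Makefile.am registers only the unit file in dist_systemunit_DATA; nothing in this diff adds man/network-pre.target.xml to the man page build list, so the `Documentation=man:network-pre.target(8)` line in the new unit may refer to a page that is never built or installed. If this tree derives its man page list from man/ (as I recall, Makefile-man.am is regenerated with `make update-man-list`), that regenerated list should be part of the patch; otherwise the page needs an explicit entry in the man page list alongside the unit. The dist_systemunit_DATA assignment begins before this hunk.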
@@ -0,0 +1,82 @@
+<?xml version='1.0'?> <!--*-nxml-*-->
+<!DOCTYPE refentry PUBLIC "-//OASIS//DTD DocBook XML V4.2//EN"
+ "http://www.oasis-open.org/docbook/xml/4.2/docbookx.dtd">
+
+<!--
+ This file is part of systemd.
+
+ Copyright 2014 Tom Gundersen
+
+ systemd is free software; you can redistribute it and/or modify it
+ under the terms of the GNU Lesser General Public License as published by
+ the Free Software Foundation; either version 2.1 of the License, or
+ (at your option) any later version.
+
+ systemd is distributed in the hope that it will be useful, but
+ WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the GNU
+ Lesser General Public License for more details.
+
+ You should have received a copy of the GNU Lesser General Public License
+ along with systemd; If not, see <http://www.gnu.org/licenses/>.
+-->
+
+<refentry id="network-pre.target">
+
+ <refentryinfo>
+ <title>network-pre.target</title>
+ <productname>systemd</productname>
+
+ <authorgroup>
+ <author>
+ <contrib>Developer</contrib>
+ <firstname>Rusty</firstname>
+ <surname>Bird</surname>
+ <email>rustyb...@openmailbox.org</email>
+ </author>
+ </authorgroup>
+ </refentryinfo>
+
+ <refmeta>
+ <refentrytitle>network-pre.target</refentrytitle>
+ <manvolnum>8</manvolnum>
+ </refmeta>
+
+ <refnamediv>
+ <refname>network-pre.target</refname>
+ <refpurpose>Network interface configuration has not yet begun</refpurpose>
+ </refnamediv>
+
+ <refsect1>
+ <title>Description</title>
+
+ <para><varname>network-pre.target</varname> is a systemd target intended to be
+ activated before any network interface configuration begins.</para>
+ </refsect1>
+
+ <refsect1>
+ <title>Usage</title>
+
+ <para>Network interface configuration services must <varname>Require=</varname>,
+ and order themselves <varname>After=</varname>, <varname>network-pre.target</varname>.</para>
+
+ <para>Firewall services should order themselves 
<varname>Before=</varname>, and
+ declare a <varname>RequiredBy=</varname> relation to, <varname>network-pre.target</varname>.
+ Once enabled, their failure to start will impede network communication, avoiding
+ dangerous leaks.</para>
+
+ <para>(These usages are compatible with older versions of systemd that do not ship
+ <varname>network-pre.target</varname>, because relations to missing units are
+ dropped.)</para>
+ </refsect1>
+
+ <refsect1>
+ <title>See Also</title>
+ <para>
+ <citerefentry><refentrytitle>systemd</refentrytitle><manvolnum>1</manvolnum></citerefentry>,
+ <citerefentry><refentrytitle>systemd.target</refentrytitle><manvolnum>5</manvolnum></citerefentry>
+ <citerefentry><refentrytitle>systemd.unit</refentrytitle><manvolnum>5</manvolnum></citerefentry>
+ </para>
+ </refsect1>
+
+</refentry>
diff --git a/units/network-pre.target b/units/network-pre.target
new file mode 100644
index 0000000..0d4d363
--- /dev/null
+++ b/units/network-pre.target
@@ -0,0 +1,11 @@
+# This file is part of systemd.
+#
+# systemd is free software; you can redistribute it and/or modify it
+# under the terms of the GNU Lesser General Public License as published by
+# the Free Software Foundation; either version 2.1 of the License, or
+# (at your option) any later version.
+
+[Unit]
+Description=Network (Pre)
+Documentation=man:network-pre.target(8)
+RefuseManualStart=yes
diff --git a/units/network.target b/units/network.target
index 65fc64b..b80a8cc 100644
--- a/units/network.target
+++ b/units/network.target
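Review bot: The new target points readers only at its own page via `Documentation=man:network-pre.target(8)`, whereas network.target (visible as context in the following hunk) documents itself through `Documentation=man:systemd.special(7)`, and this patch does not touch systemd.special(7). Anyone consulting the overview of special targets will therefore not learn that firewall services are expected to hook in before network-pre.target, which is the security-relevant contract this unit exists for. I would add a network-pre.target entry to systemd.special(7) and a second line here, `Documentation=man:systemd.special(7)`, so the unit is discoverable from both places.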
@@ -9,3 +9,11 @@ Description=Network
 Documentation=man:systemd.special(7)
 Documentation=http://www.freedesktop.org/wiki/Software/systemd/NetworkTarget
+
+# There are probably a lot of old, home grown network interface configuration
+# services out there that do not behave according to network-pre.target(8).
+# In those setups, systemd may be unable to impede the network if a firewall
+# service fails. So then at least block a subset of network consumers (those
+# with Requires=network.target) and reduce the quantity of leaks.
+Requires=network-pre.target
+After=network-pre.target
diff --git a/units/systemd-networkd.service.in b/units/systemd-networkd.service.in
index 373ac4e..8e4d213 100644
--- a/units/systemd-networkd.service.in
+++ b/units/systemd-networkd.service.in
@@ -9,8 +9,9 @@ Description=Network Service
 Documentation=man:systemd-networkd.service(8)
 DefaultDependencies=no
-After=dbus.service
+After=dbus.service network-pre.target
 Before=network.target
+Requires=network-pre.target
 Wants=network.target
 ConditionCapability=CAP_NET_ADMIN
-- 
2.0.0
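Review bot: The comment added to network.target should state the two conditions under which this backstop actually holds, because as written it can be read as a guarantee. First, the man page in this patch tells firewall services to attach via `RequiredBy=`, which is an [Install] directive and has no effect until the firewall unit is enabled, so a firewall that is merely ordered `Before=network-pre.target` is not pulled in and its failure is never observed. Second, a failed network-pre.target only withholds network.target from units that declare `Requires=network.target`; units using the far more common `Wants=network.target` plus `After=network.target` still start. I would extend the comment with `# Only enabled firewalls (RequiredBy=network-pre.target) are observed, and only` / `# consumers with Requires=network.target are held back; Wants=/After= users still start.`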