systemd v214 introduced the new network-related target, "network-pre.target".
It cleanly provides a convenient and timely pre-network state trigger for
Before= use in unit ordering.
As originally conceived, and currently implemented, it's of particular use for
secure, early init of firewalls,
http://lists.freedesktop.org/archives/systemd-commits/2014-June/006332.html
commit a4a878d04045b46fa9783664e3643a890b356790
Author: Lennart Poettering <lennart at poettering.net>
Date: Wed Jun 11 11:33:02 2014 +0200
units: introduce network-pre.target as place to hook in
firewalls
...
This target, specifically, started interest/discussion in its correct use for
shorewall
SW 4.6.4+' systemd service files' Before=/After= dependency on
'network.target' -- should that be 'network-pre.target' and
'network-online.target'?
http://comments.gmane.org/gmane.comp.security.shorewall/31879
It was pointed out later in that same thread,
http://permalink.gmane.org/gmane.comp.security.shorewall/31885
that not all distros have currently, nor in the immediate future, plans for
up-to-date systemd.
openSUSE, e.g., has available, &/or will use, v210 for openSUSE versions 13.1,
13.2 & Factory.
Reviewing the commit implementing network-pre.target, above, it looks
relatively simple, and was suggested in #systemd to apply the change as a patch
to existing systemd implementation.
To that end, I raised a request at the distro to do so,
https://bugzilla.suse.com/show_bug.cgi?id=900505
Bug 900505 - Base:System/systemd: Bug Request to add upstream's patch
to include v214's new 'network-pre.target' for early/secure pre-network
dependency activation of firewall services
Atm in that discussion, there's some confusion. If there's any possibility of
participation from here at/about that bug to help clarify what can/should be
done, it'd be appreciated.
At the very least, it'd be helpful to get some specific clarification here re:
(1) Can the aforementioned patch be safely/cleanly applied to a v210 tree?
(2) Is systemd-networkd service required to be active to correctly
support/detect network state on system startup, and properly trigger
network-pre.target at the right time? It does not appear to be required for
either network.target, or network-online.target ...
(3) This
https://wiki.archlinux.org/index.php/systemd-networkd
but not these
http://www.freedesktop.org/software/systemd/man/systemd-networkd.service.html
http://www.freedesktop.org/software/systemd/man/systemd.network.html
explicitly states that
" ...
This service (systemd-networkd) can run alongside your usual network
management tool
... "
IIUC, that suggests that systemd-networkd can be started in a detect-only mode,
e.g., if no .network or .netdev are specified, leaving network & interface
startup to other mechanisms (not that I see the benefit in doing so;
nonetheless ...). Is that correct?
Thanks.
_______________________________________________
systemd-devel mailing list
[email protected]
http://lists.freedesktop.org/mailman/listinfo/systemd-devel
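The ordering the post is asking about, written out as a firewall unit that hooks network-pre.target. This is an added example; it is not from the post, the upstream commit, or the Shorewall project. It assumes two hypothetical scripts, /usr/local/sbin/firewall-up (loads the ruleset) and /usr/local/sbin/firewall-down (flushes it); any firewall front end that can load a complete ruleset from one command can take their place.

```ini
# /etc/systemd/system/firewall.service  (added example, hypothetical paths)
[Unit]
Description=Load firewall ruleset before any network interface is configured
Documentation=man:systemd.special(7)
# network-pre.target is a passive target: nothing reaches it unless a unit
# pulls it in. Wants= does the pulling, Before= orders this unit ahead of it.
# Network management services (systemd-networkd, NetworkManager, wicked) order
# themselves After=network-pre.target, so the ruleset is in place before the
# first interface comes up. No network manager in particular is required;
# a manager that does not know about network-pre.target simply ignores it.
Wants=network-pre.target
Before=network-pre.target

[Service]
Type=oneshot
# Keep the unit "active" after the script exits so that a later
# "systemctl stop firewall.service" runs the flush, and so that other units
# can order After=firewall.service meaningfully.
RemainAfterExit=yes
ExecStart=/usr/local/sbin/firewall-up
ExecReload=/usr/local/sbin/firewall-up
ExecStop=/usr/local/sbin/firewall-down

[Install]
WantedBy=multi-user.target
```

After `systemctl daemon-reload`, `systemctl show -p Before -p Wants firewall.service` should list network-pre.target in both properties. On a systemd that lacks the target, the Wants= is reported as a missing unit rather than failing the firewall service, but the ordering guarantee is then gone: the firewall must fall back to Before=network.target, which only promises to run before network.target is reached, not before a network manager has started configuring interfaces. With the default dependencies left on, this unit (and therefore the network manager behind network-pre.target) waits for basic.target; if the ruleset must be loaded earlier than that, add DefaultDependencies=no together with an explicit After=local-fs.target so the scripts' filesystem is mounted.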