Re: [systemd-devel] [PATCH] Add a network-pre.target to avoid firewall leaks

2014-06-11 Thread Rusty Bird
Lennart Poettering: > On Wed, 11.06.14 11:13, Rusty Bird ([email protected]) wrote: > >> Lennart Poettering: >>> I am not convinced that the firewall being broken should break the >>> boot. >> >> It shouldn't! But there should be at lea

Re: [systemd-devel] [PATCH] Add a network-pre.target to avoid firewall leaks

2014-06-11 Thread Rusty Bird
Lennart Poettering: > I am not convinced that the firewall being broken should break the > boot. It shouldn't! But there should be at least an option (arguably the default) to break *connectivity*. With the v1-v3 patches that's decided by the firewall service, which chooses if it is RequiredBy=,

Re: [systemd-devel] [PATCH] Add a network-pre.target to avoid firewall leaks

2014-06-11 Thread Rusty Bird
Hi Lennart, >> However, if we do this, then this needs to be a "passive" target, see >> systemd.special(7), under "Special passive system units", and it should >> be documented in that section. "Passive" means it is pulled it by the >> units that implement a pre job, not by the units that implemen

Re: [systemd-devel] [PATCH] Add a network-pre.target to avoid firewall leaks

2014-06-09 Thread Rusty Bird
Hi Leonid, > On Sun, Jun 08, 2014 at 12:33:44PM +0000, Rusty Bird wrote: >> Adding to Djalal's and Mantas's examples, the systemd host may also be >> a gateway with its firewall configured to forward only *some* packets. > If systemd itself is a server (you mean jour

Re: [systemd-devel] [PATCH] Add a network-pre.target to avoid firewall leaks

2014-06-08 Thread Rusty Bird
Leonid Isaev: > But by the time network.target is reached there are no listening services yet, > are there? So, why would one need a firewall? Adding to Djalal's and Mantas's examples, the systemd host may also be a gateway with its firewall configured to forward only *some* packets. Rusty sig

[systemd-devel] [PATCH v3] Add a network-pre.target to avoid firewall leaks

2014-06-08 Thread Rusty Bird
https://bugs.freedesktop.org/show_bug.cgi?id=79600 --- Hi Zbigniew, > Currently my iptables.service has Before=basic.target. Why > is doing something like that not enough? Before=basic.target means lots of totally unrelated units can't be started in parallel to the firewall. More importantly, y

[systemd-devel] [PATCH v2] Add a network-pre.target to avoid firewall leaks

2014-06-07 Thread Rusty Bird

Re: [systemd-devel] [PATCH] Add a network-pre.target to avoid firewall leaks

2014-06-07 Thread Rusty Bird
Andrey Borzenkov: > On Fri, 06 Jun 2014 12:53:01 + > Rusty Bird writes: >> --- a/man/systemd.special.xml >> +++ b/man/systemd.special.xml >> @@ -71,6 +71,7 @@ >> local-fs-pre.target, >> multi-user.target

[systemd-devel] [PATCH] Add a network-pre.target to avoid firewall leaks

2014-06-06 Thread Rusty Bird
https://bugs.freedesktop.org/show_bug.cgi?id=79600 --- Makefile.am | 1 + man/systemd.special.xml | 1 + units/network-pre.target | 11 +++ units/network.target | 2 ++ units/systemd-networkd.service.in | 3 ++- 5 files changed, 17