FS#33477 - [ufw] should be started as early as possible

Attached to Project: Community Packages
Opened by Pierre Buard (Gilrain) - Sunday, 20 January 2013, 16:59 GMT
Last edited by Bartłomiej Piotrowski (Barthalion) - Wednesday, 23 January 2013, 20:57 GMT
Task Type Bug Report
Category Packages
Status Closed
Assigned To Bartłomiej Piotrowski (Barthalion)
Architecture All
Severity Critical
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 1
Private No

Details

To ensure the firewall rules are set up before any sockets are made available, it must be started before sysinit.target.
Please add the following line to the [Unit] section of the service file:
Before=sysinit.target

Additional info:
* ufw 0.33-1
* systemd bug report establishing the new guideline: <https://bugs.freedesktop.org/show_bug.cgi?id=57773#c2>

Closed by Bartłomiej Piotrowski (Barthalion)
Wednesday, 23 January 2013, 20:57 GMT
Reason for closing: Fixed
Additional comments about closing: ufw 0.33-2
Comment by John (graysky) - Sunday, 20 January 2013, 17:28 GMT
Beat me to the punch, Pierre :) Attached is a proposed ufw.service for review.
Comment by John (graysky) - Tuesday, 22 January 2013, 15:18 GMT
Actually, this does NOT work. Here is a clean startup:

% status ufw
ufw.service - CLI Netfilter Manager
Loaded: loaded (/usr/lib/systemd/system/ufw.service; enabled)
Active: inactive (dead)

Jan 22 09:14:18 reborn ufw-init[183]: WARNING: The state match is obsolete. Use conntrack instead.
Jan 22 09:14:18 reborn ufw-init[183]: WARNING: The state match is obsolete. Use conntrack instead.
Jan 22 09:14:19 reborn ufw-init[183]: WARNING: The state match is obsolete. Use conntrack instead.
Jan 22 09:14:19 reborn systemd[1]: Started CLI Netfilter Manager.
Jan 22 10:08:33 reborn systemd[1]: Stopping CLI Netfilter Manager...
Jan 22 10:08:33 reborn systemd[1]: Stopped CLI Netfilter Manager.
Jan 22 10:12:09 reborn systemd[1]: Stopped CLI Netfilter Manager.
Jan 22 10:12:15 reborn systemd[1]: Starting CLI Netfilter Manager...
Jan 22 10:12:16 reborn systemd[1]: Started CLI Netfilter Manager.
Jan 22 10:14:28 reborn systemd[1]: Job ufw.service/stop deleted to break ordering cycle starting with sysinit.target/stop
Comment by Pierre Buard (Gilrain) - Tuesday, 22 January 2013, 16:19 GMT
Ok, a couple of adjustments were necessary. See the attached service file.

First "DefaultDependencies" must be set to "no" (I assume that's what was implied by "make your fw services an early-boot service"). Otherwise the service does not start as stated by John.
Since we launch in a very basic environment, we must make sure that all the components of UFW are available. Hence "ConditionPathExists=|/etc/ufw/ufw.conf" and "ConditionDirectoryNotEmpty=|/usr/lib/ufw". I'm not sure, but I think it would be overkill to check for iptables executables and whatnot.
Finally, "After=systemd-sysctl.service" was added because UFW changes some kernel parameters and it would be bad if they were overwritten by sysctl.

With this treatment, UFW starts and works as expected.
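For readers without access to the attachments, here is an example early-boot ufw.service assembled from the directives discussed in this thread (Before=sysinit.target, DefaultDependencies=no, the two Condition lines and After=systemd-sysctl.service). It is an added illustration, not the file Pierre or John attached nor the unit shipped in the ufw package. Two things go beyond the thread: the explicit Conflicts=/Before=shutdown.target lines, which DefaultDependencies=no removes and which an early-boot unit needs to stop cleanly at shutdown (and which avoid the sysinit.target/stop ordering-cycle message John saw), and the [Service] section, whose Type and ufw-init paths are assumptions about the 0.33 package layout.

```ini
[Unit]
Description=CLI Netfilter Manager
# Early-boot unit: drop the implicit After=sysinit.target etc. so we can be
# ordered before it, as the systemd bug report linked above recommends.
DefaultDependencies=no
# Rules must be loaded before sysinit.target so no socket is reachable
# through an unfiltered netfilter table.
Before=sysinit.target
# DefaultDependencies=no also drops the shutdown ordering; re-add it so the
# unit is stopped on shutdown without creating an ordering cycle.
Conflicts=shutdown.target
Before=shutdown.target
# ufw sets kernel parameters itself; make sure systemd-sysctl ran first so
# its sysctl.d values do not overwrite them afterwards.
After=systemd-sysctl.service
# We run in a minimal environment; only start if the ufw pieces are present.
ConditionPathExists=|/etc/ufw/ufw.conf
ConditionDirectoryNotEmpty=|/usr/lib/ufw

[Service]
# Assumption: ufw-init lives under /usr/lib/ufw and the unit is a oneshot
# that stays "active" after the rules are loaded.
Type=oneshot
RemainAfterExit=yes
ExecStart=/usr/lib/ufw/ufw-init start quiet
ExecStop=/usr/lib/ufw/ufw-init stop

[Install]
WantedBy=multi-user.target
```

After installing the unit, `systemd-analyze verify ufw.service` reports syntax and dependency problems, and `systemctl list-dependencies --before ufw.service` shows sysinit.target among the units ordered after it.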
Comment by John (graysky) - Tuesday, 22 January 2013, 19:29 GMT
Amended service file seems to work for me.
