FS#33478 - [iptables] should be started as early as possible

Attached to Project: Arch Linux
Opened by Pierre Buard (Gilrain) - Sunday, 20 January 2013, 17:02 GMT
Last edited by Doug Newgard (Scimmia) - Thursday, 21 April 2016, 19:04 GMT
Task Type Bug Report
Category Packages: Core
Status Closed
Assigned To Ronald van Haren (pressh)
Architecture All
Severity High
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 21
Private No

Details

To insure the firewall rules are setup before any sockets are made available, it must be started before sysinit.target.
Please add the following line to the [Unit] section of both service files:
Before=sysinit.target

Additional info:
* iptables 1.4.16.3-1
* systemd bug report establishing the new guideline: <https://bugs.freedesktop.org/show_bug.cgi?id=57773#c2>
This task depends upon

Closed by  Doug Newgard (Scimmia)
Thursday, 21 April 2016, 19:04 GMT
Reason for closing:  Fixed
Additional comments about closing:  iptables 1.6.0-1
Comment by Pierre Buard (Gilrain) - Friday, 08 February 2013, 16:49 GMT
If you're in need of inspiration, take a look at the UFW service file: <https://projects.archlinux.org/svntogit/community.git/tree/trunk/service?h=packages/ufw>.
It was amended with the necessary systemd magic (see <https://bugs.archlinux.org/task/33477>) and has been working perfectly on my computers ever since.
Comment by Olivier Brunel (jjacky) - Monday, 18 February 2013, 12:09 GMT
Here's a patch that adds Before=sysinit.target as well as the DefaultDependencies=no to both service files.
   0001-Ensure-it-starts-before-... (0.9 KiB)
Comment by Doru Georgescu (doru001) - Saturday, 13 July 2013, 15:11 GMT
This is my proposition for /usr/lib/systemd/system/iptables.service, inspired by https://bugs.freedesktop.org/show_bug.cgi?id=57773#c7, I mention that there should be sysinit.target instead of sysinit.service in 0001-Ensure-it-starts-before-sockets-are-made-available-F.patch attachment to the previous comment.
   iptables.service (0.4 KiB)
Comment by Olivier Brunel (jjacky) - Sunday, 14 July 2013, 10:54 GMT
Right, sorry about that. Here's a fixed patch.
   0001-Ensure-it-starts-before-... (0.9 KiB)
Comment by Jakub Klinkovský (lahwaacz) - Thursday, 25 July 2013, 18:40 GMT
Using Before=sysinit.target in this case would be wrong, it breaks dependencies between targets. Note that iptables.service is WantedBy=multi-user.target, multi-user.target is started after sysinit.target. I think the correct way to do this is by placing iptables.service into basic.target, which is started after sysinit.target but before multi-user.target. All services configuring network interfaces are in multi-user.target, so network.target is necessarily started after basic.target.
Comment by Jakub Klinkovský (lahwaacz) - Thursday, 25 July 2013, 18:51 GMT
Here's the proposed iptables.service
   iptables.service (0.4 KiB)
Comment by Doru Georgescu (doru001) - Friday, 26 July 2013, 12:13 GMT
Before does not mean RequiredBy (they are orthogonal, see man systemd.unit). After you work it out, you are welcome to the unhappy chorus: https://bbs.archlinux.org/viewtopic.php?id=163074&p=2. On my system iptables is started because it is enabled, not because it is wanted by multi-user.target.
Comment by Christian Hesse (eworm) - Thursday, 12 June 2014, 09:11 GMT
With systemd-214-1 we have network-pre.target for this.
Comment by Christian Hesse (eworm) - Thursday, 12 June 2014, 09:22 GMT
From systemd documentation:

> Firewall services should order themselves Before=, and
> declare a RequiredBy= relation to network-pre.target.
> Once enabled, their failure to start will impede network
> communication, avoiding dangerous leaks.

Patch is attached.
   0001-update-iptables-service-... (1.7 KiB)
Comment by Leonid Isaev (lisaev) - Thursday, 12 June 2014, 16:34 GMT
Christian, shouldn't RequiredBy= go into [Install] section [1]? Also, I don't think that RequiredBy= is the upstream recommendation [2] (not that I am agreeing with them).

[1] https://bugs.freedesktop.org/show_bug.cgi?id=79600
[2] http://www.freedesktop.org/wiki/Software/systemd/NetworkTarget/

So, I would personally go with what was proposed in [1]...
Comment by Tobias Hunger (hunger) - Wednesday, 25 June 2014, 21:15 GMT
Now that systemd 214 is in the archives: Shouldn't this get started in the new network-pre.target?

The release announcement gives firewall scripts as an example for this target.

Sorry for the noise, I only now noticed that this is exactly what the latest version of the patch does:-/
Comment by Joakim Hernberg (jhernberg) - Monday, 18 August 2014, 02:08 GMT
Any reason this isn't done yet?
Comment by Chris (snakeroot) - Monday, 03 November 2014, 19:12 GMT
In the patch, shouldn't you add:

[Unit]
Before=network-pre.target
[Install]
RequiredBy=network-pre.target

IOW, RequiredBy goes in the install section. See upstream bug report https://bugs.freedesktop.org/show_bug.cgi?id=79600 .
Comment by Szunti (Szunti) - Thursday, 15 January 2015, 11:09 GMT
Just want to add again that http://www.freedesktop.org/wiki/Software/systemd/NetworkTarget/
sais you should use Wants, RequiredBy doesn't work without anything pulling the target in.

[Unit]
Before=network-pre.target
Wants=network-pre.target
Comment by Ingo Albrecht (indigo) - Tuesday, 31 March 2015, 22:41 GMT
The above is also matched by [1] which fixed the same for nftables last year.

A new iptables release was shipped today without it. Is there a reason why?

[1] https://bugs.archlinux.org/task/41633
Comment by Joakim Hernberg (jhernberg) - Wednesday, 01 April 2015, 07:01 GMT
I'm also wondering what's up with this, why no resolution for so long?

Can we finally please get this done?
Comment by Joakim Hernberg (jhernberg) - Wednesday, 26 August 2015, 13:07 GMT
This still isn't implemented in the repos.. Please fix!
Comment by Patrick Brauer (mercora) - Wednesday, 17 February 2016, 16:26 GMT
its 3 years later now... still nothing happend? Is there anything missing i could help with?

Loading...