FS#58178 - [nftables] nftables.service causes race condition with network-pre.target

Attached to Project: Arch Linux
Opened by Alif (alive4ever) - Monday, 09 April 2018, 07:19 GMT
Last edited by Sébastien Luttringer (seblu) - Sunday, 21 October 2018, 00:12 GMT
Task Type Bug Report
Category Packages: Extra
Status Closed
Assigned To Sébastien Luttringer (seblu)
Architecture All
Severity Low
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 2
Private No

Details

Description:
nftables.service lists network-pre.target in both the 'Wants' and 'Before'
directives, as shown in the snippet below.

[Unit]
Description=Netfilter Tables
Documentation=man:nft(8)
Wants=network-pre.target
Before=network-pre.target

The listing of network-pre.target as both "Wants" and "Before" doesn't make
sense and sometimes causes a race condition with systemd-hostname.service.

If network-pre.target is required as nftables.service dependency (Wants),
nftables.service should only be started after network-pre.target has been
reached. To be clear, see the flowchart below.

Boot => network-pre.target => nftables.service

If nftables.service is required to run before network-pre.target,
nftables.service has to run before network-pre.target. With this scheme,
nftables.service doesn't rely on network-pre.target to be reached. See this flowchart.

Boot => nftables.service => network-pre.target

I suggest removing 'Before=network-pre.target' from nftables.service to prevent
this race condition or replacing 'Before=network-pre.target' with 'After=network-pre.target'.

Additional info:
nftables 1:0.8.3-1


Steps to reproduce:
* disable iptables.service
* enable nftables.service
* remove 'quiet' from default kernel cmdline so the systemd boot log is displayed
* poweroff the computer, wait for some hours before starting again.
* notice that sometimes (not always) there will be a systemd delay when starting nftables.service due to a race condition with systemd-hostname.service

Closed by Sébastien Luttringer (seblu)
Sunday, 21 October 2018, 00:12 GMT
Reason for closing: No response
Comment by Sébastien Luttringer (seblu) - Wednesday, 13 June 2018, 23:54 GMT
What is the race condition between nftables and systemd-hostnamed? One is setting up a firewall before the network is set up; the other is used to manipulate machine hostname information.

network-pre.target is defined by systemd.special as follows:

network-pre.target
This passive target unit may be pulled in by services that want to run before any network is set up, for
example for the purpose of setting up a firewall. All network management software orders itself after
this target, but does not pull it in.
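As an added check, not part of the report or of the nftables package, the script below parses a unit file and classifies it against the systemd.special semantics quoted above: a unit meant to run before any network is set up both pulls the passive target in and orders itself Before= it, while network management orders itself After= it. The sample unit files are constructed; the before-only and netmgr units are hypothetical.

```shell
#!/bin/sh
# Classify how a systemd unit relates to network-pre.target, following the
# systemd.special text quoted above. A unit that only says Before= orders
# itself against a passive target that nothing activates, so that ordering
# may never take effect; the check reports that case separately.

# Print each value of directive $1 in the [Unit] section of file $2, one per line.
unit_directive() {
    sed -n '/^\[Unit\]/,/^\[/p' "$2" | sed -n "s/^$1=//p" | tr ' ' '\n' | sed '/^$/d'
}

# Print one of: pre-network, post-network, before-not-pulled-in, unrelated
classify_network_pre() {
    t=network-pre.target
    pulls_in=0; before=0; after=0
    { unit_directive Wants "$1"; unit_directive Requires "$1"; } | grep -qx "$t" && pulls_in=1
    unit_directive Before "$1" | grep -qx "$t" && before=1
    unit_directive After "$1" | grep -qx "$t" && after=1
    if [ "$before" -eq 1 ] && [ "$pulls_in" -eq 1 ]; then echo pre-network
    elif [ "$before" -eq 1 ]; then echo before-not-pulled-in
    elif [ "$after" -eq 1 ]; then echo post-network
    else echo unrelated
    fi
}

# Constructed sample units; the nftables one mirrors the snippet in the report.
SAMPLES=$(mktemp -d)
cat > "$SAMPLES/nftables.service" <<'EOF'
[Unit]
Description=Netfilter Tables
Documentation=man:nft(8)
Wants=network-pre.target
Before=network-pre.target
EOF
cat > "$SAMPLES/before-only.service" <<'EOF'
[Unit]
Description=Hypothetical firewall unit that orders Before= but pulls nothing in
Before=network-pre.target
EOF
cat > "$SAMPLES/netmgr.service" <<'EOF'
[Unit]
Description=Hypothetical network manager
After=network-pre.target
EOF

for u in "$SAMPLES"/*.service; do
    printf '%s: %s\n' "$(basename "$u")" "$(classify_network_pre "$u")"
done
```

On a live system the same functions can be pointed at /usr/lib/systemd/system/nftables.service, but note they read only the unit file itself, not drop-ins or the dependencies systemd computes at load time.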
