On Wed, Oct 8, 2014, at 11:41 AM, Tom Eastep wrote:
> We're unclear as to why network-pre was created -- how does
> Before=network-pre.target differ from Before=network.target?

TBH, I'm not sure 'they' (in #systemd) know :-/ Best answer there, in response
to my (last reiteration of my) question,

    "My question is, specifically, what is the difference between the
    states @network-pre.target & @network.target."

was

    "The difference is what you make it."

Lovely.

However, reading further, in greater detail, on the differences @

    http://www.freedesktop.org/wiki/Software/systemd/NetworkTarget/

the following is, I believe, pertinent

    "network.target has very little meaning during start-up. It only
    indicates that the network management stack is up after it has been
    reached. Whether any network interfaces are already configured when it is
    reached is undefined. Its primary purpose is for ordering things properly
    at shutdown: since the shutdown ordering of units in systemd is the
    reverse of the startup ordering, any unit that is ordered
    After=network.target can be sure that it is stopped before the network is
    shut down if the system is powered off."

I.e., it's not necessarily reliable for STARTUP use with Before=, but rather
for SHUTDOWN use with After=.

OTOH,

    "network-pre.target is a target that may be used to order services
    before any network interface is configured. Its primary purpose is for
    usage with firewall services that want to establish a firewall before any
    network interface is up. It's a passive unit: you cannot start it directly
    and it is not pulled in by the network management service, but by the
    service that wants to run before it. Network management services hence
    should set After=network-pre.target, but avoid any
    Wants=network-pre.target or even Requires=network-pre.target. Services
    that want to be run before the network is configured should place
    Before=network-pre.target and also set Wants=network-pre.target to pull it
    in. This way, unless there's actually a service that needs to be ordered
    before the network is up the target is not pulled in, hence avoiding any
    unnecessary synchronization point."

DOES suggest its use in STARTUP use with Before=, *specifically* called out in
the case of firewalls:

    "...
    Its primary purpose is for usage with firewall services that want to
    establish a firewall before any network interface is up.
    ..."

which, IIUC, is exactly the case/state of shorewall-init.

I.e., I believe

    Before=network-pre.target

is the appropriate choice here.

And, as above, After=network-online.target in the other shorewall* unit files.

_______________________________________________
Shorewall-users mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/shorewall-users
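
As an added example (not part of the original message and not Shorewall's own unit files), the following Python check applies the NetworkTarget guidance quoted above to a firewall unit: it must be ordered Before=network-pre.target and must also pull that passive target in. The unit texts, the `example-firewall` name and its path are constructed for illustration.

```python
# Constructed sample units; example-firewall and its path are hypothetical.
GOOD = """[Unit]
Description=Example firewall (constructed sample)
Before=network-pre.target shutdown.target
Wants=network-pre.target
[Service]
ExecStart=/usr/local/sbin/example-firewall start
"""
BAD = """[Unit]
Description=Example firewall (constructed sample)
Before=network.target
[Service]
ExecStart=/usr/local/sbin/example-firewall start
"""

def unit_deps(text):
    """Collect Before=/After=/Wants=/Requires= names from the [Unit] section."""
    deps = {"Before": [], "After": [], "Wants": [], "Requires": []}
    section = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":      # blank line or comment
            continue
        if line.startswith("[") and line.endswith("]"):
            section = line[1:-1]
            continue
        key, sep, value = line.partition("=")
        if section == "Unit" and sep and key.strip() in deps:
            # Names are space-separated and repeated lines accumulate.
            deps[key.strip()].extend(value.split())
    return deps

def check_firewall_unit(text):
    """Findings for a unit that must run before any interface is configured."""
    d = unit_deps(text)
    findings = []
    if "network-pre.target" not in d["Before"]:
        findings.append("no Before=network-pre.target")
        if "network.target" in d["Before"]:
            findings.append("Before=network.target: interface state there is undefined")
    if "network-pre.target" not in d["Wants"] + d["Requires"]:
        findings.append("network-pre.target not pulled in (passive target)")
    return findings

if __name__ == "__main__":
    for name, text in (("GOOD", GOOD), ("BAD", BAD)):
        print(name, check_firewall_unit(text) or "ok")
```

The check reads a single unit file only; drop-in directories and backslash line continuations are not handled.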