adrelanos / vpn-firewall

Leak Protection (Fail Safe Mechanism) for (Open)VPN
https://www.whonix.org/wiki/Impressum

netfilter-persistent systemd service does not lock the network if netfilter-persistent wrapper is failing at system bootup #21

Open adrelanos opened 8 years ago

adrelanos commented 8 years ago

netfilter-persistent may not be ready for prime time.

netfilter-persistent bug reports:

netfilter-persistent feature request:


systemd feature request: please provide a firewall scripts drop-in folder

netfilter feature request: please provide a firewall scripts drop-in folder


Anyone feeling awesome to patch netfilter-persistent in Debian?

ghost commented 8 years ago

I wonder if the netfilter-persistent dependency is really needed here. I think not every user of netfilter-persistent desires the fail-lock network option. Also, providing a standalone systemd service gives you full control of bugs/features/hardening. It's also more cross-platform, as not every distro has netfilter-persistent available. In the end, creating a standalone systemd service means one more file...

Systemd service:

/lib/systemd/system/vpn-firewall.service

[Unit]
Description=Leak Protection (Fail Safe Mechanism) for (Open)VPN
DefaultDependencies=no
Wants=network-pre.target
Before=network-pre.target
Wants=systemd-modules-load.service local-fs.target
After=systemd-modules-load.service local-fs.target
Conflicts=shutdown.target
Before=shutdown.target

[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/usr/sbin/vpn-firewall start
ExecStop=/usr/sbin/vpn-firewall flush

[Install]
WantedBy=multi-user.target

And network lock:

/lib/systemd/system/networking.service.d/30_vpn-firewall.conf

[Unit]
# Fail Closed Mechanism. When the firewall systemd service fails, do not bring up the network.
Requires=vpn-firewall.service
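An added example, not code from the vpn-firewall project, that models the two units proposed above and checks the two properties the fail-closed wiring depends on: that a failed vpn-firewall.service cancels the start of networking.service (Requires=, not Wants=), and, separately, that the firewall is actually ordered before networking, which Requires= alone does not guarantee. The After=network-pre.target line in the networking.service model is an assumption based on Debian's ifupdown unit.

```python
# Constructed models of the units proposed in the comment above, not the repository's
# files; networking.service's After= line is an assumption modelled on Debian's ifupdown unit.
UNITS = {
    "vpn-firewall.service": """
[Unit]
DefaultDependencies=no
Wants=network-pre.target
Before=network-pre.target
""",
    "networking.service": """
[Unit]
After=network-pre.target
# merged from the drop-in 30_vpn-firewall.conf
Requires=vpn-firewall.service
""",
}

def unit_section(text):
    """Parse the [Unit] section into {key: [values]}; repeated keys accumulate, as in systemd."""
    keys, section = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("["):
            section = line
        elif line and not line.startswith("#") and section == "[Unit]":
            key, value = line.split("=", 1)
            keys.setdefault(key, []).extend(value.split())
    return keys

def ordered_before(units, first, later):
    """True if `first` is transitively ordered before `later` via Before=/After= edges."""
    edges = set()
    for name, text in units.items():
        sec = unit_section(text)
        edges |= {(name, t) for t in sec.get("Before", [])}
        edges |= {(t, name) for t in sec.get("After", [])}
    stack, seen = [first], set()
    while stack:
        cur = stack.pop()
        if cur == later:
            return True
        if cur not in seen:
            seen.add(cur)
            stack.extend(t for s, t in edges if s == cur)
    return False

def starts_despite_failure(units, unit, failed):
    """False when a Requires= dependency of `unit` is in `failed` (systemd cancels the
    dependent start job: fail closed); units listed only in Wants= never block the start."""
    return not (set(unit_section(units[unit]).get("Requires", [])) & set(failed))
```

Swapping Requires= for Wants= in the drop-in, or dropping Before=network-pre.target from the service, silently turns the setup fail-open or unordered; both can be checked the same way before relying on it.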