Open adrelanos opened 8 years ago
I wonder if the netfilter-persistent dependency is really needed here. I think not every user of netfilter-persistent desires the fail-lock network option. Also, providing a standalone systemd service gives you full control over bugs/features/hardening. It's also more cross-platform, as not every distro has netfilter-persistent available. In the end, creating a standalone systemd service means one more file...
Systemd service:

`/lib/systemd/system/vpn-firewall.service`

```ini
[Unit]
Description=Leak Protection (Fail Safe Mechanism) for (Open)VPN
DefaultDependencies=no
Wants=network-pre.target
Before=network-pre.target
Wants=systemd-modules-load.service local-fs.target
After=systemd-modules-load.service local-fs.target
Conflicts=shutdown.target
Before=shutdown.target

[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/usr/sbin/vpn-firewall start
ExecStop=/usr/sbin/vpn-firewall flush

[Install]
WantedBy=multi-user.target
```
And network lock:

`/lib/systemd/system/networking.service.d/30_vpn-firewall.conf`

```ini
[Unit]
Requires=vpn-firewall.service
```
netfilter-persistent may not be ready for prime time.
- netfilter-persistent bug reports: netfilter-persistent loads firewall rules too late
- netfilter-persistent feature request:
- systemd feature request: please provide a firewall scripts drop-in folder
- netfilter feature request: please provide a firewall scripts drop-in folder
Anyone feeling awesome to patch netfilter-persistent in Debian?
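As an added illustration (not the project's own script), here is what a fail-closed `/usr/sbin/vpn-firewall` providing the `start` and `flush` actions invoked by the unit above could look like; the tunnel interface `tun0`, the server address `203.0.113.10`, UDP port 1194 and the `IPTABLES` override are assumptions chosen for this example.

```shell
#!/bin/sh
# Hypothetical vpn-firewall script (example, not the project's code).
# "start" installs a fail-closed ruleset: DROP policies go in first, so an
# error midway leaves the host closed rather than open. "flush" returns to
# accept-all. IPTABLES can be overridden (e.g. IPTABLES=echo) to dry-run.
set -eu

IPTABLES="${IPTABLES:-iptables}"
VPN_IF="${VPN_IF:-tun0}"                   # assumed tunnel interface
VPN_SERVER="${VPN_SERVER:-203.0.113.10}"   # placeholder documentation address
VPN_PORT="${VPN_PORT:-1194}"
VPN_PROTO="${VPN_PROTO:-udp}"

vpn_firewall_flush() {
    $IPTABLES -P INPUT ACCEPT
    $IPTABLES -P OUTPUT ACCEPT
    $IPTABLES -P FORWARD ACCEPT
    $IPTABLES -F
    $IPTABLES -X
}

vpn_firewall_start() {
    # Default-deny before any rule is added
    $IPTABLES -P INPUT DROP
    $IPTABLES -P OUTPUT DROP
    $IPTABLES -P FORWARD DROP
    $IPTABLES -F
    # Loopback and replies to flows we opened
    $IPTABLES -A INPUT -i lo -j ACCEPT
    $IPTABLES -A OUTPUT -o lo -j ACCEPT
    $IPTABLES -A INPUT -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT
    # Only the VPN handshake itself may leave on a non-tunnel interface
    $IPTABLES -A OUTPUT ! -o "$VPN_IF" -p "$VPN_PROTO" -d "$VPN_SERVER" --dport "$VPN_PORT" -j ACCEPT
    # Everything else must travel inside the tunnel
    $IPTABLES -A OUTPUT -o "$VPN_IF" -j ACCEPT
}

# Dispatch only when invoked with an action, so the file can also be sourced
if [ "$#" -gt 0 ]; then
    case "$1" in
        start) vpn_firewall_start ;;
        flush) vpn_firewall_flush ;;
        *) echo "usage: $0 {start|flush}" >&2; exit 1 ;;
    esac
fi
```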