Hello,
Ubuntu uses Netplan and systemd-networkd and is working towards supporting
networkd-dispatcher instead of ifupdown. I'd like to propose this change
so that Debian can also benefit from this.
I noticed that the existing if-up/down hooks that firehol uses could be
expanded to also handle networkd-dispatcher.
I'm also proposing an addition to the firehol.links file in order to
properly link the scripts under /etc/network/if-{up,down}.d/ to
/usr/lib/networkd-dispatcher/{routable,off}.d/, so that the code is not
duplicated.
* Extend ifupdown script to support networkd-dispatcher. (LP: #1718227)
- d/ifupdown/ifupdown-firehol.sh:
Implement support for networkd-dispatcher.
- d/firehol.links: Install firehol scripts inside the proper
/usr/lib/networkd-dispatcher/{off,routable}.d/ directories.
I did a quick test inside an Ubuntu VM with the new version of the package.
I brought the network interface down & up and monitored syslog/journalctl
after enabling START_FIREHOL=AUTO via /etc/default/firehol, to confirm that
the script is being executed correctly. Here's the log:
Jul 10 13:40:52 oo-vm-255 systemd-networkd[643]: enp5s0: Link DOWN
Jul 10 13:40:52 oo-vm-255 systemd-networkd[643]: enp5s0: Lost carrier
Jul 10 13:40:52 oo-vm-255 systemd-networkd[643]: enp5s0: DHCP lease lost
Jul 10 13:40:52 oo-vm-255 systemd-networkd[643]: enp5s0: DHCPv6 lease lost
Jul 10 13:40:52 oo-vm-255 systemd-timesyncd[539]: No network connectivity, watching for changes.
Jul 10 13:40:52 oo-vm-255 systemd[1]: networkd-dispatcher.service: Got notification message from PID 2863, but reception only permitted for main PID 2144
Jul 10 13:40:53 oo-vm-255 FireHOL[2994]: FireHOL started from '/' with: /usr/sbin/firehol stop
Jul 10 13:40:53 oo-vm-255 FireHOL[2995]: Clearing firewall started
Jul 10 13:40:53 oo-vm-255 FireHOL[3044]: Clearing firewall succeeded
Jul 10 13:40:53 oo-vm-255 FireHOL[3047]: Firewall has been stopped. Policy is ACCEPT EVERYTHING!
Thanks for considering the patch.
Cheers,
Lukas
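The message above proposes installing one hook script under both the ifupdown directories and the networkd-dispatcher directories. The following is an added example, not the firehol package's ifupdown-firehol.sh nor anything from the patch, of how a shared hook can tell its two callers apart: ifupdown exports IFACE, MODE (start|stop) and PHASE (pre-up|post-up|pre-down|post-down), while networkd-dispatcher exports IFACE and STATE (routable, off, and others). The decision to act only in the post-up/post-down phases and only on the routable/off states, the helper names hook_action and hook_enabled, and the sample inputs are assumptions for illustration; the START_FIREHOL=AUTO gate mirrors the setting the poster enabled in /etc/default/firehol.

```shell
#!/bin/sh
# Added example (not the firehol package's own hook): one script that can be
# linked into /etc/network/if-{up,down}.d/ and
# /usr/lib/networkd-dispatcher/{routable,off}.d/ and still knows which
# caller invoked it. Policy (which phases/states trigger which firehol
# command) is an assumption for illustration.

# hook_action MODE PHASE STATE -> prints start | stop | none
hook_action() {
    mode=$1
    phase=$2
    state=$3
    if [ -n "$state" ]; then
        # Called by networkd-dispatcher: STATE is set, MODE/PHASE are not.
        case $state in
            routable) echo start ;;
            off)      echo stop ;;
            *)        echo none ;;
        esac
    elif [ -n "$mode" ]; then
        # Called by ifupdown: ignore the pre-* phases so each interface
        # transition runs firehol exactly once.
        case "$mode/$phase" in
            start/post-up)  echo start ;;
            stop/post-down) echo stop ;;
            *)              echo none ;;
        esac
    else
        echo none
    fi
}

# hook_enabled FILE -> succeeds only if FILE sets START_FIREHOL=AUTO.
# The file is parsed rather than sourced, so a hook running as root never
# executes whatever else the defaults file may contain.
hook_enabled() {
    [ -r "$1" ] || return 1
    val=$(grep '^[[:space:]]*START_FIREHOL=' "$1" | tail -n 1 \
          | cut -d= -f2- | cut -d'#' -f1 | tr -d "\"' ")
    [ "$val" = "AUTO" ]
}

# demo_action MODE PHASE STATE, with "-" standing for an unset variable in
# the constructed sample input below.
demo_action() {
    m=$1; p=$2; s=$3
    [ "$m" = - ] && m=
    [ "$p" = - ] && p=
    [ "$s" = - ] && s=
    hook_action "$m" "$p" "$s"
}

# Constructed sample environments (not real hook invocations). A real hook
# would exec "/usr/sbin/firehol $action" for start/stop and exit 0 on none.
for sample in "start post-up -" "start pre-up -" "stop post-down -" \
              "- - routable" "- - off" "- - degraded"; do
    set -- $sample
    printf 'MODE=%s PHASE=%s STATE=%s -> firehol %s\n' \
        "$1" "$2" "$3" "$(demo_action "$1" "$2" "$3")"
done
```

Because the same file is reached through both hook directories, the networkd-dispatcher "off" branch does what the posted log shows: it runs `firehol stop`, which leaves the policy at ACCEPT EVERYTHING until the interface becomes routable again and the "start" branch runs.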