#1076087 firehol: Support networkd-dispatcher in if-up/down hooks

Package: firehol
Source: firehol
Submitter: Lukas Märdian
Date: 2024-07-10 13:57:04 UTC
Severity: normal
Tags:

#1076087#5
Date: 2024-07-10 13:55:45 UTC
From:
To:

Hello,

Ubuntu uses Netplan and systemd-networkd and is working towards supporting
networkd-dispatcher instead of ifupdown. I'd like to propose this change
so that Debian can also benefit from this.

I noticed that the existing if-up/down hooks that firehol uses could be
expanded to also handle networkd-dispatcher.

I'm also proposing an addition to the firehol.links file in order to
properly link the scripts under /etc/network/if-{up,down}.d/ to
/usr/lib/networkd-dispatcher/{routable,off}.d/, in order to prevent code
duplication.

  * Extend ifupdown script to support networkd-dispatcher. (LP: #1718227)
    - d/ifupdown/ifupdown-firehol.sh:
      Implement support for networkd-dispatcher.
    - d/firehol.links: Install firehol scripts inside the proper
      /usr/lib/networkd-dispatcher/{off,routable}.d/ directories.

I did a quick test inside an Ubuntu VM with the new version of the package.
I brought the network interface down & up and monitored syslog/journalctl
after enabling START_FIREHOL=AUTO via /etc/default/firehol, to confirm that
the script is being executed correctly. Here's the log:

Jul 10 13:40:52 oo-vm-255 systemd-networkd[643]: enp5s0: Link DOWN
Jul 10 13:40:52 oo-vm-255 systemd-networkd[643]: enp5s0: Lost carrier
Jul 10 13:40:52 oo-vm-255 systemd-networkd[643]: enp5s0: DHCP lease lost
Jul 10 13:40:52 oo-vm-255 systemd-networkd[643]: enp5s0: DHCPv6 lease lost
Jul 10 13:40:52 oo-vm-255 systemd-timesyncd[539]: No network connectivity, watching for changes.
Jul 10 13:40:52 oo-vm-255 systemd[1]: networkd-dispatcher.service: Got notification message from PID 2863, but reception only permitted for main PID 2144
Jul 10 13:40:53 oo-vm-255 FireHOL[2994]: FireHOL started from '/' with: /usr/sbin/firehol stop
Jul 10 13:40:53 oo-vm-255 FireHOL[2995]: Clearing firewall started
Jul 10 13:40:53 oo-vm-255 FireHOL[3044]: Clearing firewall succeeded
Jul 10 13:40:53 oo-vm-255 FireHOL[3047]: Firewall has been stopped. Policy is ACCEPT EVERYTHING!

Thanks for considering the patch.

Cheers,
  Lukas
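
The dispatch decision a hook shared between ifupdown and networkd-dispatcher has to make, as an added example that is not the patch from this report or the firehol package's script. The helper name `hook_action`, its argument order and the loopback rule are assumptions; `MODE` is the variable ifupdown exports, `STATE` the one networkd-dispatcher exports, and `START_FIREHOL=AUTO` is the setting named in the report.

```shell
#!/bin/sh
# Added illustration; not the hook script shipped in the firehol package.
# ifupdown exports MODE=start|stop to scripts in if-up.d/ and if-down.d/.
# networkd-dispatcher exports STATE (routable, off, ...) to scripts in <STATE>.d/.

# hook_action START_FIREHOL IFACE MODE STATE   (hypothetical helper)
# Prints the firehol action a shared hook would take: start, stop or none.
hook_action() {
    start_firehol=$1; iface=$2; mode=$3; state=$4

    # Only act when the admin opted in, as in the report's test setup.
    if [ "$start_firehol" != "AUTO" ]; then echo none; return 0; fi
    # Assumption: loopback events never change the firewall.
    if [ "$iface" = "lo" ]; then echo none; return 0; fi

    if [ -n "$mode" ]; then
        # Called by ifupdown: MODE decides.
        case "$mode" in
            start) echo start ;;
            stop)  echo stop ;;
            *)     echo none ;;
        esac
    else
        # Called by networkd-dispatcher: only the two linked states act.
        case "$state" in
            routable) echo start ;;
            off)      echo stop ;;
            *)        echo none ;;
        esac
    fi
}

# Constructed sample environments (interface name taken from the log above).
printf 'ifupdown if-up.d:          %s\n' "$(hook_action AUTO enp5s0 start '')"
printf 'ifupdown if-down.d:        %s\n' "$(hook_action AUTO enp5s0 stop '')"
printf 'dispatcher routable.d:     %s\n' "$(hook_action AUTO enp5s0 '' routable)"
printf 'dispatcher off.d:          %s\n' "$(hook_action AUTO enp5s0 '' off)"
printf 'dispatcher, not opted in:  %s\n' "$(hook_action NO enp5s0 '' off)"
```

The log in the report shows the stop path ending with "Policy is ACCEPT EVERYTHING!", so the set of events that map to `stop` is the part of such a hook to review most carefully.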