netfilter-persistent systemd service does not lock the network if netfilter-persistent wrapper is failing at system bootup

[adrelanos]

netfilter-persistent may not be ready for prime time.

netfilter-persistent bug reports:

• netfilter-persistent loads firewall rules too late
• netfilter-persistent systemd service does not lock the network if netfilter-persistent wrapper is failing at system bootup

netfilter-persistent feature request:

• add dpkg trigger for /usr/share/netfilter-persistent/plugins.d folder to have newly installed plugins take effect

---

systemd feature request:
please provide a firewall scripts drop-in folder

netfilter feature request:
please provide a firewall scripts drop-in folder

---

Anyone feeling awesome to patch netfilter-persistent in Debian?

[ghost]

I wonder if netfilter-persistent dependence is really needed here. I think not every user of netfilter-persistent desire fail-lock network option. Also providing standalone systemd service gives you full control of bugs/features/hardening. It's also more cross-platform as not every distro has netfilter-persistent available. At the end creating standalone systemd service means one more file...

Systemd service:

/lib/systemd/system/vpn-firewall.service

[Unit]
Description=Leak Protection (Fail Safe Mechanism) for (Open)VPN
DefaultDependencies=no

Wants=network-pre.target
Before=network-pre.target

Wants=systemd-modules-load.service local-fs.target
After=systemd-modules-load.service local-fs.target

Conflicts=shutdown.target
Before=shutdown.target

[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/usr/sbin/vpn-firewall start
ExecStop=/usr/sbin/vpn-firewall flush

[Install]
WantedBy=multi-user.target

And network lock:

/lib/systemd/system/networking.service.d/30_vpn-firewall.conf

[Unit]
#Fail Closed Mechanism. When the firewall systemd service failed, do not bring up the network.
Requires=vpn-firewall.service