netplan: post-up iptables or arbitrary script

Asked by SergeiFranco

Today I had the "pleasure" of deploying Ubuntu Server 18.04, with mixed results. Without digressing, I would like to know how to implement post-up (and pre-up) scripts in netplan.

According to https://netplan.io/faq I am supposed to use networkd-dispatcher, but it does not have the same functionality.

Why not just have "pre-up", "post-up", etc. sections in netplan itself?

So far the biggest show stopper (which would probably get netplan uninstalled as part of our standard images) is the inability to run simple iptables rules on "up" (and remove them on "down" events).

How does one deal with complex "ip route table" routing tables?
What about fwmark stuff?
What about tc rules?

Let's say I use networkd-dispatcher; where is the documentation for it?

Do netplan developers/Ubuntu seriously expect end users to write systemd unit files for what used to be one-liners?

Question information

Language: English
Status: Open
For: Ubuntu nplan
Assignee: No assignee
actionparsnip (andrew-woodhead666) said :
#1

I'd suggest making your own scripts to manage what you want.

SergeiFranco (sergei-franco) said :
#2

Well, how would I do that with netplan?

There has to be a trigger mechanism, and as far as I know netplan does not have one.

With ifupdown [pre-/post-][up/down] you could use either an inline command or a script.
The point is, as far as I can tell, netplan does not have it. Yet it is the default in Ubuntu Server 18.04 LTS. I would not care if it were forced as the default on desktop, but the features I am talking about are extensively used on servers, and not having that functionality is a major breakage.

The netplan FAQ states to use networkd-dispatcher, but where is the documentation for it?

https://www.google.com/search?q=networkd-dispatcher+documentation
leads to stuff all, so does this:
https://www.google.com/search?q=networkd-dispatcher+examples

So the only documentation that exists is this GitHub page:
https://github.com/craftyguy/networkd-dispatcher

How is it an improvement when a major functionality is removed by default?
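As an added illustration (not code from the question, this reply, or the networkd-dispatcher project), here is what an ifupdown-style post-up/post-down firewall hook looks like as a networkd-dispatcher script: the same file is installed under /etc/networkd-dispatcher/routable.d/ and off.d/, and the IFACE and STATE variables that networkd-dispatcher exports decide whether rules are added or deleted. The interface name and the rules are made up for the example; IPTABLES can be pointed at a stand-in command to dry-run it.

```shell
#!/bin/sh
# Added example: a networkd-dispatcher hook replaying ifupdown post-up/post-down iptables
# rules. networkd-dispatcher runs hooks with IFACE and STATE set in the environment.
# Assumption: the rule set and "eno1" are illustrative, not from the question.

IPTABLES="${IPTABLES:-iptables}"   # point at a stand-in (e.g. a shell function) to dry-run

# Print the iptables rule specs (without -A/-D) this interface should carry, one per line.
rules_for() {
  iface="$1"
  printf '%s\n' \
    "INPUT -i $iface -p tcp --dport 22 -m conntrack --ctstate NEW -j ACCEPT" \
    "INPUT -i $iface -m conntrack --ctstate ESTABLISHED,RELATED -j ACCEPT" \
    "INPUT -i $iface -j DROP"
}

# Map a networkd-dispatcher STATE to the iptables action: append on routable (post-up),
# delete on off / no-carrier (post-down); any other state is ignored.
action_for_state() {
  case "$1" in
    routable)        printf '%s\n' "-A" ;;
    off|no-carrier)  printf '%s\n' "-D" ;;
    *)               printf '%s\n' "" ;;
  esac
}

# Apply (or remove) every rule for the interface according to the state.
apply_rules() {
  iface="$1"
  state="$2"
  action=$(action_for_state "$state")
  [ -n "$action" ] || return 0
  rules_for "$iface" | while IFS= read -r rule; do
    # word-splitting of $rule into arguments is intended here
    # shellcheck disable=SC2086
    "$IPTABLES" $action $rule
  done
}

# When invoked by networkd-dispatcher, IFACE and STATE come from the environment.
if [ -n "$IFACE" ] && [ -n "$STATE" ]; then
  apply_rules "$IFACE" "$STATE"
fi
```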

SergeiFranco (sergei-franco) said :
#3

So a workaround that fits with the whole systemd dogma is the following (untested):

[Unit]
Description=Firewall rules for eno1
After=sys-subsystem-net-devices-eno1.device
BindsTo=sys-subsystem-net-devices-eno1.device

[Service]
Type=oneshot
ExecStart=/usr/bin/local/firewall.sh start
ExecStop=/usr/bin/local/firewall.sh stop
RemainAfterExit=yes

[Install]
WantedBy=sys-subsystem-net-devices-eno1.device

Note: I am not that proficient with systemd.
