Understanding if-up.d Script Execution vs post-up Directives in Linux Network Configuration



The /etc/network/if-up.d directory contains executable scripts that run when any network interface comes up. These scripts execute in alphabetical order when:

  • An interface transitions from down to up state
  • After all interface configuration completes
  • For both manual (ifup) and DHCP-activated interfaces

While all scripts in if-up.d run for every interface, post-up commands in /etc/network/interfaces are interface-specific:

# Example interfaces file
auto eth0
iface eth0 inet dhcp
    post-up /usr/local/bin/custom_script.sh

The complete sequence when bringing up an interface:

  1. pre-up commands in interfaces file
  2. if-pre-up.d scripts
  3. Interface configuration (DHCP/static)
  4. if-up.d scripts (alphabetical order)
  5. post-up commands in interfaces file

For interface-specific routing, use post-up:

iface eth1 inet static
    address 192.168.1.100
    netmask 255.255.255.0
    post-up ip route add 10.0.0.0/8 via 192.168.1.1

For global network policies affecting all interfaces, use if-up.d:

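#!/bin/sh
# /etc/network/if-up.d/firewall-rules
# Skip the loopback interface; the rule below is for real interfaces only.
if [ "$IFACE" = "lo" ]; then
    exit 0
fi
# Quote $IFACE so its value reaches iptables as a single argument.
iptables -A INPUT -i "$IFACE" -p tcp --dport 22 -j ACCEPT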

To debug script execution:

sudo ifdown eth0 && sudo ifup -v eth0

Check script permissions (must be executable) and ensure proper shebang lines.
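
The permission and shebang check above, extended into a small audit as an added example (not part of the original page). It also flags hooks that are writable by non-root accounts, since these scripts run as root, and names that run-parts skips under its default naming rule; audit_hook_dir and make_demo_hooks are hypothetical helper names, and the sample files are constructed.

```shell
#!/bin/sh
# Added example, not from the original page. audit_hook_dir is a hypothetical
# helper: audit_hook_dir DIR [OWNER], OWNER defaults to root.
# Prints "VERDICT name reason" per file; returns 1 if any RISK was found.
audit_hook_dir() {
    dir=$1 owner=${2:-root} rc=0
    for f in "$dir"/*; do
        [ -f "$f" ] || continue
        name=${f##*/}
        # run-parts (default mode) ignores names containing anything but
        # A-Z a-z 0-9 _ and -, so "20-fw.sh" is silently never run.
        case $name in
            *[!A-Za-z0-9_-]*) echo "SKIP $name bad-name"; continue ;;
        esac
        # Files without the execute bit are skipped as well.
        [ -x "$f" ] || { echo "SKIP $name not-executable"; continue; }
        # Hooks run as root: a hook that is group/world-writable or owned by
        # another account lets that account run code as root at the next ifup.
        if [ -n "$(find "$f" -prune \( -perm -020 -o -perm -002 \) -print)" ]; then
            echo "RISK $name group-or-world-writable"; rc=1; continue
        fi
        if [ -n "$(find "$f" -prune ! -user "$owner" -print)" ]; then
            echo "RISK $name unexpected-owner"; rc=1; continue
        fi
        # Without "#!" on the first line, direct exec of a script fails (ENOEXEC).
        first=
        IFS= read -r first < "$f" || :
        case $first in
            '#!'*) echo "RUNS $name ok" ;;
            *)     echo "WARN $name no-shebang" ;;
        esac
    done
    return "$rc"
}

# Constructed sample hooks in a temp directory (not real system files).
make_demo_hooks() {
    d=$(mktemp -d)
    for n in 10-ok 20-fw.sh 30-open 50-noexec; do
        printf '#!/bin/sh\nexit 0\n' > "$d/$n"; chmod 755 "$d/$n"
    done
    chmod 777 "$d/30-open"; chmod 644 "$d/50-noexec"
    printf 'exit 0\n' > "$d/40-noshebang"; chmod 755 "$d/40-noshebang"
    echo "$d"
}

demo=$(make_demo_hooks)
audit_hook_dir "$demo" "$(id -u)" || echo "audit found risky hooks"
rm -rf "$demo"
```

On a real system, run it as root against the hook directory with the default owner: audit_hook_dir /etc/network/if-up.d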


No, not every script in /etc/network/if-up.d is unconditionally executed when an interface comes up. The system uses a specific mechanism to determine which scripts should run:

#!/bin/bash
# Example if-up.d script header
if [ "$IFACE" = "eth0" ]; then
    # Only runs when eth0 comes up
    logger "Custom configuration for eth0 applied"
fi

While if-up.d scripts provide general interface-up hooks, post-up in /etc/network/interfaces serves a different purpose:

# /etc/network/interfaces example
auto eth0
iface eth0 inet dhcp
    post-up /usr/local/bin/special_config.sh

Important technical distinctions between these mechanisms:

  • if-up.d scripts run as root with environment variables (IFACE, METHOD, etc.)
  • post-up commands execute in the interface's configuration context
  • if-up.d has ordering (lexical sort of filenames) while post-up executes immediately after interface up

Here's how you might use both mechanisms together:

#!/bin/sh
# /etc/network/if-up.d/99-firewall
# The shebang has to be the first line of the file to take effect.
[ "$IFACE" != "eth0" ] && exit 0
iptables -A INPUT -i eth0 -p tcp --dport 22 -j ACCEPT

# Corresponding interfaces file entry
auto eth0
iface eth0 inet static
    address 192.168.1.100
    netmask 255.255.255.0
    post-up /sbin/iptables -A INPUT -i eth0 -p icmp -j ACCEPT

To verify what's actually running:

# Add debugging to scripts
logger "if-up.d script $0 executed for $IFACE"

# Check system logs
journalctl -b | grep if-up.d