author | aszlig <aszlig@redmoonstudios.org> | 2016-09-07 14:18:32 +0200 |
---|---|---|
committer | aszlig <aszlig@redmoonstudios.org> | 2016-09-07 15:11:24 +0200 |
commit | fb46df8a9a4102e265f4b14af48a5df90d5b06c3 (patch) | |
tree | a8c913bd53e61f479752fedcdf5819cacbf0a826 /nixos/modules/services/networking | |
parent | 10b335992e3757a06f483248582c4f81ecbcb8d4 (diff) | |
nixos: Fix ordering of firewall.service
Follow-up to the following commits:

abdc5961c3cdf9f5893ea1e91ba08ff5089f53a4: Fix starting the firewall
e090701e2d09aec3e8866ab9a8e53c37973ffeb4: Order before sysinit

Solely use sysinit.target here instead of multi-user.target because we want to make sure that the iptables rules are applied *before* any socket units are started.

The reason I've dropped the wantedBy on multi-user.target is that sysinit.target is already a part of the dependency chain of multi-user.target.

To make sure that this holds true, I've added a small test case to ensure that during switch of the configuration the firewall.service is considered as well.

Tested using the firewall NixOS test.

Signed-off-by: aszlig <aszlig@redmoonstudios.org>
Cc: @edolstra
Diffstat (limited to 'nixos/modules/services/networking')
-rw-r--r-- | nixos/modules/services/networking/firewall.nix | 3 |
1 files changed, 2 insertions, 1 deletions
diff --git a/nixos/modules/services/networking/firewall.nix b/nixos/modules/services/networking/firewall.nix index 4e0d6bef4315..942fcc03f59b 100644 --- a/nixos/modules/services/networking/firewall.nix +++ b/nixos/modules/services/networking/firewall.nix @@ -490,7 +490,7 @@ in systemd.services.firewall = { description = "Firewall"; - wantedBy = [ "multi-user.target" "sysinit.target" ]; + wantedBy = [ "sysinit.target" ]; wants = [ "network-pre.target" ]; before = [ "network-pre.target" ]; after = [ "systemd-modules-load.service" ]; @@ -501,6 +501,7 @@ in # containers don't have CAP_SYS_MODULE. So the host system had # better have all necessary modules already loaded. unitConfig.ConditionCapability = "CAP_NET_ADMIN"; + unitConfig.DefaultDependencies = false; reloadIfChanged = true; |
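Review bot: In the first hunk (@@ -490,7 +490,7 @@), the new `wantedBy = [ "sysinit.target" ];` only makes sysinit.target pull the unit in; it does not order the two. The only ordering visible in this hunk is `before = [ "network-pre.target" ];` and `after = [ "systemd-modules-load.service" ];`, so nothing here forces the iptables rules to be in place before sysinit.target is reached, and a socket unit that does not order itself after network-pre.target could still start first. If the guarantee in the commit message is meant to be strict, consider adding "sysinit.target" to the `before` list, or add a comment stating that the ordering against network-pre.target is what is being relied on.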
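Review bot: In the second hunk (@@ -501,6 +501,7 @@), `unitConfig.DefaultDependencies = false;` is added without a comment, directly under a comment block that is about CAP_SYS_MODULE and containers, so a later reader may assume it belongs to that explanation. A one-line comment saying it is needed because the unit is now part of sysinit.target (default dependencies would order a service after sysinit.target) would make the intent clear. Turning default dependencies off also drops the implicit Conflicts= and Before= on shutdown.target; if the firewall's stop action is expected to run at shutdown, those should be declared explicitly next to the existing `before` list.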