| author | Andreas Stührk <andy@hammerhartes.de> | 2024-01-28 22:27:02 +0100 |
|---|---|---|
| committer | Andreas Stührk <andy@hammerhartes.de> | 2024-01-31 23:26:05 +0100 |
| commit | fc6c92faf36907f8d43034a3d5335aa41c571c84 | |
| tree | 683f41c056b97126e001ecb47f217c0e1908019f /nixos/modules/services/networking | |
| parent | 2148ac4b305df4253e7aea37832e28b559290537 | |
nixos/nftables: remove default systemd dependencies
With DefaultDependencies enabled, systemd adds "After=basic.target" to service units. `basic.target` has a dependency on `sockets.target`, so the `nftables` has (amongst others) the following order constraints:

* Before=network-pre.target
* After=sockets.target

Those constraints are often unsatisfiable. For example, `systemd-networkd` has a dependency `After=network-pre.target`. When a socket unit now uses `BindToDevice=` on a device managed by `networkd`, a timeout occurs because `networkd` waits for `network-pre.target`, but `network-pre.target` depends (through nftables) on `sockets.target`, but the device to bind the socket to is never brought up, as this would happen through `networkd`.

This is fixed by removing the implicit dependency on `basic.target`.
Diffstat (limited to 'nixos/modules/services/networking')
-rw-r--r-- | nixos/modules/services/networking/nftables.nix | 7 |
1 files changed, 5 insertions, 2 deletions
diff --git a/nixos/modules/services/networking/nftables.nix b/nixos/modules/services/networking/nftables.nix index 424d005dc0b5..46fa9d2de046 100644 --- a/nixos/modules/services/networking/nftables.nix +++ b/nixos/modules/services/networking/nftables.nix @@ -252,8 +252,10 @@ in networking.nftables.flushRuleset = mkDefault (versionOlder config.system.stateVersion "23.11" || (cfg.rulesetFile != null || cfg.ruleset != "")); systemd.services.nftables = { description = "nftables firewall"; - before = [ "network-pre.target" ]; - wants = [ "network-pre.target" ]; + after = [ "sysinit.target" ]; + before = [ "network-pre.target" "shutdown.target" ]; + conflicts = [ "shutdown.target" ]; + wants = [ "network-pre.target" "sysinit.target" ]; wantedBy = [ "multi-user.target" ]; reloadIfChanged = true; serviceConfig = let @@ -315,6 +317,7 @@ in ExecStop = [ deletionsScriptVar cleanupDeletionsScript ]; StateDirectory = "nftables"; }; + unitConfig.DefaultDependencies = false; }; }; } |
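Review bot: in the first hunk (`@@ -252,8 +252,10 @@`), `sysinit.target` is pulled in with `wants` where the implicit default dependency being replaced is the stronger `Requires=sysinit.target`, so after this change the firewall unit still starts when `sysinit.target` fails; if that is intended, a one-line comment above the `after`/`before`/`conflicts`/`wants` attributes should say that these four lines hand-replicate the default dependencies minus `basic.target` (the `sockets.target` path described in the commit message), so a later cleanup does not drop the `"shutdown.target"` entries from `before` and `conflicts`, without which the unit is no longer stopped at shutdown and its `ExecStop` cleanup never runs. The ordering that carries the firewall's security value, `before = [ "network-pre.target" ... ]`, is preserved, so the ruleset is still loaded before `networkd` configures any interface.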
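Review bot: in the second hunk (`@@ -315,6 +317,7 @@`), `unitConfig.DefaultDependencies = false;` sits correctly at the same nesting level as `serviceConfig` (`DefaultDependencies=` is a `[Unit]` setting, so `unitConfig` rather than `serviceConfig` is the right place), but the line carries no explanation; add a comment pointing at the `BindToDevice=`/`networkd` ordering cycle from the commit message and noting that the `after`/`before`/`conflicts`/`wants` attributes in the first hunk are what re-create the dropped defaults, because the two hunks only work together: reverting this line alone brings back the `After=basic.target` cycle, while reverting the other hunk alone leaves a firewall unit with no ordering against `sysinit.target` or `shutdown.target`.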