author | Eelco Dolstra <eelco.dolstra@logicblox.com> | 2014-04-19 23:02:59 +0200 |
---|---|---|
committer | Eelco Dolstra <eelco.dolstra@logicblox.com> | 2014-04-19 23:02:59 +0200 |
commit | 0a256cc0ee45f3766e68ec29b03a50731ca64ae0 (patch) | |
tree | 50bae07f59b6e864578b9801f173683558242637 /nixos | |
parent | 4fb50f071f18279048bfd67267146aaec379e01d (diff) | |
Firewall: Only start if we have CAP_NET_ADMIN
Diffstat (limited to 'nixos')
-rw-r--r-- | nixos/modules/services/networking/firewall.nix | 17 |
1 files changed, 11 insertions, 6 deletions
diff --git a/nixos/modules/services/networking/firewall.nix b/nixos/modules/services/networking/firewall.nix
index e604ba23b87f..42914bfe5d62 100644
--- a/nixos/modules/services/networking/firewall.nix
+++ b/nixos/modules/services/networking/firewall.nix
@@ -18,8 +18,6 @@
*/
-
-
{ config, lib, pkgs, ... }:
with lib;
@@ -266,16 +264,23 @@ in
message = "This kernel does not support disabling conntrack helpers";
}
];
- jobs.firewall =
+ systemd.services.firewall =
{ description = "Firewall";
- startOn = "started network-interfaces";
+ wantedBy = [ "network.target" ];
+ after = [ "network-interfaces.target" "systemd-modules-load.service" ];
path = [ pkgs.iptables ];
- after = [ "systemd-modules-load.service" ];
+ # FIXME: this module may also try to load kernel modules, but
+ # containers don't have CAP_SYS_MODULE. So the host system had
+ # better have all necessary modules already loaded.
+ unitConfig.ConditionCapability = "CAP_NET_ADMIN";
+
+ serviceConfig.Type = "oneshot";
+ serviceConfig.RemainAfterExit = true;
- preStart =
+ script =
''
${helpers} |
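Review bot: The new `wantedBy = [ "network.target" ];` only installs a Wants= dependency and carries no ordering, so units declared `After=network.target` (daemons that bind sockets) may start before this oneshot has applied its rules; add `before = [ "network.target" ];` beside the new `after = [ ... ];` line so the target does not become active until the firewall script has finished. The added `unitConfig.ConditionCapability = "CAP_NET_ADMIN";` makes systemd skip the unit quietly rather than fail it when the capability is missing, so a container with `networking.firewall.enable = true` ends up with no rules and no error; that is presumably the intent for containers, but it deserves a comment next to the setting such as `# A failed condition skips the unit silently: in a container without CAP_NET_ADMIN the host must provide the filtering.` The `script = '' ... ''` body continues past the end of the hunk, so whether `${helpers}` attempts the module loading the FIXME warns about cannot be checked here.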