Commit fc6c92fa authored Jan 28, 2024 by Andreas Stührk

nixos/nftables: remove default systemd dependencies

With DefaultDependencies enabled, systemd adds "After=basic.target" to
service units. `basic.target` has a dependency on `sockets.target`, so
the `nftables` has (amongst others) the following order constraints:

* Before=network-pre.target
* After=sockets.target

Those constraints are often unsatisfiable. For example, `systemd-networkd`
has a dependency `After=network-pre.target`. When a socket unit now uses
`BindToDevice=` on a device managed by `networkd`, a timeout occurs
because `networkd` waits for `network-pre.target`, but
`network-pre.target` depends (through nftables) on `sockets.target`, but
the device to bind the socket to is never brought up, as this would
happen through `networkd`.

This is fixed by removing the implicit dependency on `basic.target`.

parent 2148ac4b

nixos/modules/services/networking/nftables.nix

+5 −2

Original line number	Diff line number	Diff line
		@@ -252,8 +252,10 @@ in
		networking.nftables.flushRuleset = mkDefault (versionOlder config.system.stateVersion "23.11" \|\| (cfg.rulesetFile != null \|\| cfg.ruleset != ""));
		systemd.services.nftables = {
		description = "nftables firewall";
		before = [ "network-pre.target" ];
		wants = [ "network-pre.target" ];
		after = [ "sysinit.target" ];
		before = [ "network-pre.target" "shutdown.target" ];
		conflicts = [ "shutdown.target" ];
		wants = [ "network-pre.target" "sysinit.target" ];
		wantedBy = [ "multi-user.target" ];
		reloadIfChanged = true;
		serviceConfig = let
		@@ -315,6 +317,7 @@ in
		ExecStop = [ deletionsScriptVar cleanupDeletionsScript ];
		StateDirectory = "nftables";
		};
		unitConfig.DefaultDependencies = false;
		};
		};
		}

Admin message