Firewall: Only start if we have CAP_NET_ADMIN

2024-11-26 07:31:20 +00:00 · 2014-04-19 23:02:59 +02:00 · 2014-04-19 23:02:59 +02:00 · 0a256cc0ee
parent 4fb50f071f
commit 0a256cc0ee
2 changed files with 12 additions and 7 deletions
--- a/nixos/modules/services/networking/firewall.nix
+++ b/nixos/modules/services/networking/firewall.nix
@ -18,8 +18,6 @@

 */

-
-
 { config, lib, pkgs, ... }:

 with lib;
@ -266,16 +264,23 @@ in
                     message = "This kernel does not support disabling conntrack helpers"; }
                 ];

-    jobs.firewall =
+    systemd.services.firewall =
      { description = "Firewall";

-        startOn = "started network-interfaces";
+        wantedBy = [ "network.target" ];
+        after = [ "network-interfaces.target" "systemd-modules-load.service" ];

        path = [ pkgs.iptables ];

-        after = [ "systemd-modules-load.service" ];
+        # FIXME: this module may also try to load kernel modules, but
+        # containers don't have CAP_SYS_MODULE. So the host system had
+        # better have all necessary modules already loaded.
+        unitConfig.ConditionCapability = "CAP_NET_ADMIN";

-        preStart =
+        serviceConfig.Type = "oneshot";
+        serviceConfig.RemainAfterExit = true;
+
+        script =
          ''
            ${helpers}

--- a/pkgs/top-level/all-packages.nix
+++ b/pkgs/top-level/all-packages.nix
@ -9927,7 +9927,7 @@ let

  hsetroot = callPackage ../tools/X11/hsetroot { };

-  kde4 = recurseIntoAttrs pkgs.kde411;
+  kde4 = recurseIntoAttrs pkgs.kde412;

  kde4_next = recurseIntoAttrs( lib.lowPrioSet pkgs.kde412 );