Firewall: Only start if we have CAP_NET_ADMIN

This commit is contained in:
Eelco Dolstra 2014-04-19 23:02:59 +02:00
parent 4fb50f071f
commit 0a256cc0ee
2 changed files with 12 additions and 7 deletions


@ -18,8 +18,6 @@
*/ */
{ config, lib, pkgs, ... }: { config, lib, pkgs, ... }:
with lib; with lib;
@ -266,16 +264,23 @@ in
message = "This kernel does not support disabling conntrack helpers"; } message = "This kernel does not support disabling conntrack helpers"; }
]; ];
jobs.firewall = systemd.services.firewall =
{ description = "Firewall"; { description = "Firewall";
startOn = "started network-interfaces"; wantedBy = [ "network.target" ];
after = [ "network-interfaces.target" "systemd-modules-load.service" ];
path = [ pkgs.iptables ]; path = [ pkgs.iptables ];
after = [ "systemd-modules-load.service" ]; # FIXME: this module may also try to load kernel modules, but
# containers don't have CAP_SYS_MODULE. So the host system had
# better have all necessary modules already loaded.
unitConfig.ConditionCapability = "CAP_NET_ADMIN";
preStart = serviceConfig.Type = "oneshot";
serviceConfig.RemainAfterExit = true;
script =
'' ''
${helpers} ${helpers}
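Review bot: `unitConfig.ConditionCapability = "CAP_NET_ADMIN"` makes systemd skip the unit quietly (it ends up inactive with a failed condition, not failed) when the capability is absent, so a container with the firewall enabled gets no rules loaded and no error; that is fail-open for whoever relies on the container's own firewall. I would say this explicitly next to the condition, e.g. `# Without CAP_NET_ADMIN (e.g. an unprivileged container) the unit is skipped, not failed: the host's firewall is then the only one in effect.`, and ideally surface it in the option description or as a warning rather than only in a comment. Separately, `wantedBy = [ "network.target" ]` pulls the unit in but does not order it before network.target; if units that bind sockets are ordered after network.target there may be a window before the rules apply, so consider `before = [ "network.target" ];` next to the `after` line. The FIXME about CAP_SYS_MODULE is still true of the `script` body, whose helper-loading and iptables calls continue outside the hunk.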


@ -9927,7 +9927,7 @@ let
hsetroot = callPackage ../tools/X11/hsetroot { }; hsetroot = callPackage ../tools/X11/hsetroot { };
kde4 = recurseIntoAttrs pkgs.kde411; kde4 = recurseIntoAttrs pkgs.kde412;
kde4_next = recurseIntoAttrs( lib.lowPrioSet pkgs.kde412 ); kde4_next = recurseIntoAttrs( lib.lowPrioSet pkgs.kde412 );