Firewall: Only start if we have CAP_NET_ADMIN
parent
4fb50f071f
commit
0a256cc0ee
|
@ -18,8 +18,6 @@
|
||||||
|
|
||||||
*/
|
*/
|
||||||
|
|
||||||
|
|
||||||
|
|
||||||
{ config, lib, pkgs, ... }:
|
{ config, lib, pkgs, ... }:
|
||||||
|
|
||||||
with lib;
|
with lib;
|
||||||
|
@ -266,16 +264,23 @@ in
|
||||||
message = "This kernel does not support disabling conntrack helpers"; }
|
message = "This kernel does not support disabling conntrack helpers"; }
|
||||||
];
|
];
|
||||||
|
|
||||||
jobs.firewall =
|
systemd.services.firewall =
|
||||||
{ description = "Firewall";
|
{ description = "Firewall";
|
||||||
|
|
||||||
startOn = "started network-interfaces";
|
wantedBy = [ "network.target" ];
|
||||||
|
after = [ "network-interfaces.target" "systemd-modules-load.service" ];
|
||||||
|
|
||||||
path = [ pkgs.iptables ];
|
path = [ pkgs.iptables ];
|
||||||
|
|
||||||
after = [ "systemd-modules-load.service" ];
|
# FIXME: this module may also try to load kernel modules, but
|
||||||
|
# containers don't have CAP_SYS_MODULE. So the host system had
|
||||||
|
# better have all necessary modules already loaded.
|
||||||
|
unitConfig.ConditionCapability = "CAP_NET_ADMIN";
|
||||||
|
|
||||||
preStart =
|
serviceConfig.Type = "oneshot";
|
||||||
|
serviceConfig.RemainAfterExit = true;
|
||||||
|
|
||||||
|
script =
|
||||||
''
|
''
|
||||||
${helpers}
|
${helpers}
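Review bot: Nothing orders the new unit before the services that will be listening on the network: `wantedBy = [ "network.target" ]` only pulls the unit in, and `after = [ "network-interfaces.target" "systemd-modules-load.service" ]` means interfaces are already configured when the rules begin to be applied, so anything started after network.target can have a window with no filtering. Adding `before = [ "network.target" ];` next to the `wantedBy` line would close that gap, provided network-interfaces.target is itself ordered before network.target (not visible in this hunk). `unitConfig.ConditionCapability = "CAP_NET_ADMIN";` also deserves a comment, because a failed condition leaves the unit inactive rather than failed and nothing flags that the firewall is not in effect: `# If the bounding set lacks CAP_NET_ADMIN (e.g. an unprivileged container) the unit is skipped, not failed; filtering must then be enforced by the host.`. The FIXME above it says module loading may still be attempted, so a container that has CAP_NET_ADMIN but not CAP_SYS_MODULE can still fail inside `script`, whose body continues outside this hunk, as does the attribute set opened at `systemd.services.firewall =`.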
|
||||||
|
|
||||||
|
|
|
@ -9927,7 +9927,7 @@ let
|
||||||
|
|
||||||
hsetroot = callPackage ../tools/X11/hsetroot { };
|
hsetroot = callPackage ../tools/X11/hsetroot { };
|
||||||
|
|
||||||
kde4 = recurseIntoAttrs pkgs.kde411;
|
kde4 = recurseIntoAttrs pkgs.kde412;
|
||||||
|
|
||||||
kde4_next = recurseIntoAttrs( lib.lowPrioSet pkgs.kde412 );
|
kde4_next = recurseIntoAttrs( lib.lowPrioSet pkgs.kde412 );
|
||||||
|
|
||||||
|
|