[systemd-devel] making firewalld an early boot service

Michael Biebl mbiebl at gmail.com
Tue Mar 8 21:59:26 UTC 2022


Hi,

I need help with a firewalld issue, specifically
https://github.com/firewalld/firewalld/issues/414

The TLDR: both firewalld.service and cloud-init-local.service hook
into network-pre.target and have a Before=network-pre.target ordering.

cloud-init-local.service is an early boot service using
DefaultDependencies=no and before sysinit.target.
firewalld.service via DefaultDependencies=yes gets an
After=sysinit.target ordering.

So we have conflicting requirements and a dependency loop that needs
to be broken by systemd.

I wonder if firewalld should be turned into an early boot service as well.
Currently it looks like this:

[Unit]
Description=firewalld - dynamic firewall daemon
Before=network-pre.target
Wants=network-pre.target
After=dbus.service
After=polkit.service
Conflicts=iptables.service ip6tables.service ebtables.service ipset.service nftables.service
Documentation=man:firewalld(1)

[Service]
...
[Install]
WantedBy=multi-user.target
Alias=dbus-org.fedoraproject.FirewallD1.service

I wonder if the following would make sense:


[Unit]
Description=firewalld - dynamic firewall daemon
DefaultDependencies=no
Before=network-pre.target
Wants=network-pre.target
After=local-fs.target
Conflicts=iptables.service ip6tables.service ebtables.service ipset.service nftables.service
Documentation=man:firewalld(1)

[Service]
...
[Install]
WantedBy=sysinit.target
Alias=dbus-org.fedoraproject.FirewallD1.service


I dropped the After=dbus.service polkit.service orderings, as they are
either socket or D-Bus activated services, added an explicit
After=local-fs.target ordering just to be sure and hooked it into
sysinit.target.

Would you agree that making a firewall service an early boot service
is a good idea?
Does the above make sense or have I missed something?

Feedback welcome.
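
Added example (not part of the original post, and not firewalld or systemd code): when systemd breaks an ordering cycle it deletes one job, and if that job is the firewall's start job the host boots without a packet filter. The sketch below scans journal text for those deletions and flags the packet-filter units named in the unit file above. Assumptions: the message wording matches what your systemd version logs, the journal excerpt is constructed, and placeholder.service is a hypothetical unit standing in for the part of the loop the post does not spell out.

```python
import re

# Message formats assumed from systemd's job-transaction logging;
# adjust the patterns if your systemd version words them differently.
FOUND = re.compile(r"(\S+): Found (?:ordering cycle|dependency) on (\S+)/\w+$")
DELETED = re.compile(
    r"(\S+): Job (\S+)/(\w+) deleted to break ordering cycle starting with \S+$")

# Packet-filter units named in the firewalld unit file quoted above.
FILTER_UNITS = {"firewalld.service", "iptables.service", "ip6tables.service",
                "ebtables.service", "ipset.service", "nftables.service"}

# Constructed journal excerpt (not from the linked issue);
# placeholder.service is hypothetical.
SAMPLE = """\
Mar 08 21:40:01 host systemd[1]: sysinit.target: Found ordering cycle on cloud-init-local.service/start
Mar 08 21:40:01 host systemd[1]: sysinit.target: Found dependency on placeholder.service/start
Mar 08 21:40:01 host systemd[1]: sysinit.target: Found dependency on firewalld.service/start
Mar 08 21:40:01 host systemd[1]: sysinit.target: Found dependency on sysinit.target/start
Mar 08 21:40:01 host systemd[1]: sysinit.target: Job firewalld.service/start deleted to break ordering cycle starting with sysinit.target/start
Mar 08 21:40:02 host systemd[1]: Reached target sysinit.target.
"""

def dropped_jobs(lines):
    """Return one finding per job systemd deleted, with the cycle it reported."""
    chains, findings = {}, []
    for line in lines:
        line = line.rstrip()
        m = FOUND.search(line)
        if m:  # collect the cycle members reported for this anchor job
            chains.setdefault(m.group(1), []).append(m.group(2))
            continue
        m = DELETED.search(line)
        if m:
            anchor, unit, job = m.groups()
            findings.append({"unit": unit, "job": job,
                             "cycle": chains.pop(anchor, []),
                             "filter_unit": unit in FILTER_UNITS})
    return findings

def unprotected_boot(lines):
    """Packet-filter units whose start job was dropped during this boot."""
    return sorted({f["unit"] for f in dropped_jobs(lines)
                   if f["job"] == "start" and f["filter_unit"]})

if __name__ == "__main__":
    for f in dropped_jobs(SAMPLE.splitlines()):
        tag = "FIREWALL NOT STARTED" if f["filter_unit"] else "dropped"
        print(f"{tag}: {f['unit']}/{f['job']} cycle: {' -> '.join(f['cycle'])}")
```

On a live host the same functions can be fed the output of journalctl -b -o short instead of SAMPLE.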

