[systemd-devel] Ordering dependency on device unit not working

Ian Pilcher arequipeno at gmail.com
Sun Aug 13 19:37:10 UTC 2023


I am attempting to create a service that will load device-specific
netfilter rules after the corresponding device has been created (bonds,
VLANs, etc.).

Here is my current attempt.

  [Unit]
  Description=Apply device-specific nftables rules for %I
  Wants=sys-devices-virtual-net-%I.device nftables.service
  After=sys-devices-virtual-net-%I.device

  [Service]
  Type=oneshot
  ProtectSystem=full
  ProtectHome=true
  ExecStart=/sbin/nft -f /etc/sysconfig/nftables-%I.conf
  RemainAfterExit=yes

  [Install]
  WantedBy=multi-user.target


But the service is still being started too early, despite its ordering
dependency on the device unit.

  # systemctl status late-nftables@bond0.256.service
  × late-nftables@bond0.256.service - Apply device-specific nftables rules for bond0.256
       Loaded: loaded (/etc/systemd/system/late-nftables@.service; enabled; preset: disabled)
       Active: failed (Result: exit-code) since Sun 2023-08-13 13:52:49 CDT; 29min ago
      Process: 525 ExecStart=/sbin/nft -f /etc/sysconfig/nftables-bond0.256.conf (code=exited, status=1/FAILURE)
     Main PID: 525 (code=exited, status=1/FAILURE)
          CPU: 45ms

  Aug 13 13:52:49 firewall.penurio.us nft[525]: In file included from /etc/sysconfig/nftables-bond0.256.conf:1:1-37:
  Aug 13 13:52:49 firewall.penurio.us nft[525]: /etc/nftables/fail2ban.nft:12:8-15: Error: Could not process rule: No such file or directory
  Aug 13 13:52:49 firewall.penurio.us nft[525]:         chain FAIL2BAN {
  Aug 13 13:52:49 firewall.penurio.us nft[525]:               ^^^^^^^^
  Aug 13 13:52:49 firewall.penurio.us systemd[1]: late-nftables@bond0.256.service: Main process exited, code=exited, status=1/FAILURE
  Aug 13 13:52:49 firewall.penurio.us systemd[1]: late-nftables@bond0.256.service: Failed with result 'exit-code'.
  Aug 13 13:52:49 firewall.penurio.us systemd[1]: Failed to start Apply device-specific nftables rules for bond0.256.

  # systemctl status late-nftables@bond0.256.service
  ● sys-devices-virtual-net-bond0.256.device - /sys/devices/virtual/net/bond0.256
       Loaded: loaded
       Active: active (plugged) since Sun 2023-08-13 13:52:51 CDT; 31min ago
        Until: Sun 2023-08-13 13:52:51 CDT; 31min ago
       Device: /sys/devices/virtual/net/bond0.256

The device unit has been "active (plugged) since Sun 2023-08-13 13:52:51
CDT", but the service failed at 13:52:49, 2 seconds earlier.

What am I missing?

-- 
========================================================================
Google                                      Where SkyNet meets Idiocracy
========================================================================
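Added example (not part of the post above): a small checker that reads the "Active: ... since" timestamps from the two `systemctl status` dumps quoted in the post and reports whether the service reached its final state before or after the device unit became plugged. When the service fails this way the device's nftables rules are never loaded, so an automated check of this ordering is worth running after boot. The sample status text is constructed from the post's own output; the function names are my own.

```python
import re
from datetime import datetime

# Constructed excerpts in the shape of the two `systemctl status` outputs
# quoted in the post (timestamps taken from it, other lines trimmed).
SERVICE_STATUS = """\
× late-nftables@bond0.256.service - Apply device-specific nftables rules for bond0.256
     Loaded: loaded (/etc/systemd/system/late-nftables@.service; enabled; preset: disabled)
     Active: failed (Result: exit-code) since Sun 2023-08-13 13:52:49 CDT; 29min ago
"""
DEVICE_STATUS = """\
● sys-devices-virtual-net-bond0.256.device - /sys/devices/virtual/net/bond0.256
     Loaded: loaded
     Active: active (plugged) since Sun 2023-08-13 13:52:51 CDT; 31min ago
"""

# Matches e.g. "Active: failed (Result: exit-code) since Sun 2023-08-13 13:52:49 CDT;"
SINCE_RE = re.compile(
    r"^\s*Active:\s+(?P<state>\S+)(?:\s+\([^)]*\))?\s+since\s+"
    r"(?P<ts>\w{3} \d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s+\w+;",
    re.M,
)


def parse_active(status_text):
    """Return (state, datetime) from the 'Active:' line of a status dump.

    For a oneshot that fails on its first exec, the 'since' timestamp is
    effectively when it ran; for other unit types use 'systemctl show'
    timestamps instead of this heuristic."""
    m = SINCE_RE.search(status_text)
    if not m:
        raise ValueError("no 'Active: ... since' line found")
    ts = datetime.strptime(m.group("ts"), "%a %Y-%m-%d %H:%M:%S")
    return m.group("state"), ts


def check_ordering(service_status, device_status):
    """Compare the service's state change with the device's plug time.

    Both dumps come from the same host and timezone, so a naive
    comparison is fine. A negative lag means the service ran before the
    device existed, i.e. After= on the device unit did not hold."""
    svc_state, svc_ts = parse_active(service_status)
    dev_state, dev_ts = parse_active(device_status)
    lag = (svc_ts - dev_ts).total_seconds()
    return {
        "service_state": svc_state,
        "device_state": dev_state,
        "seconds_after_device": lag,
        "ordered_after_device": lag >= 0,
    }
```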