-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA256 On Mon, Mar 24, 2025 at 06:18:18AM -0000, qubist wrote: > On Sun, 23 Mar 2025 23:51:07 +0100 Marek Marczykowski-Górecki wrote: > > > -----BEGIN PGP SIGNED MESSAGE----- > > Hash: SHA256 > > > > On Sun, Mar 23, 2025 at 11:32:52AM -0000, qubist wrote: > > > On Sun, 23 Mar 2025 06:40:23 +0000 'skiinglasso2' via qubes-devel wrote: > > > > > > [...] > > > user@sys-firewall:~ > systemctl cat qubes-firewall.service | grep Before > > > Before=qubes-network.service > > > [...] > > > > There is one more missing piece above: qubes-firewall.service is ordered > > before qubes-network.service. > > Missing?
Ah, indeed it's there. The thing about network-online.target is that it's ordered after network is up. This means anything that requires network to work, should be ordered after network-online.target. But there is no guarantee in the other direction - ordering stuff before network-online.target doesn't guarantee network is not up yet. For this theoretically there is network-pre.target as you mentioned later in your response. Adding Before=network-pre.target to qubes-firewall may work, but as explained in my response, it isn't really necessary. Note also that qubes-firewall is only about configuring firewall for forwarded traffic. Base firewall for the qube itself (input rules etc) is set in qubes-iptables.service and that has Before=network-pre.target. - -- Best Regards, Marek Marczykowski-Górecki Invisible Things Lab -----BEGIN PGP SIGNATURE----- iQEzBAEBCAAdFiEEhrpukzGPukRmQqkK24/THMrX1ywFAmfhQsQACgkQ24/THMrX 1yy4cgf+IxzsS+r1mpmz9q1XIMK+GYoyDpn+v0bnrgIS92kkeVd4V26SYooxn/Fh /5MJnf/UPDCyTpciSUjsXx9BhK2qhzpJJS8U6skWEawdpk4scAo8wNZH29CPhnXd tIFD+2peA/b/bF3G9wVckcCyYV+s8uBi7Vjh/p4JdNRfhSKsG/ukzUaDGzaEIcvG SRMdRQp2+LlWQshEZFBJbJlrDLOsvg4eiKy91EHuVFjRUClSZsh9JZdMl+e7i0aF gF5rQktrbRvOLVBoNZR5KXbOmVrOA9UsiR440HJXh0+TjvGO0uQbjy9R6PPLe4Jb YUBKryMoEBzZ61/09gAofh+OmRrDnw== =OtyS -----END PGP SIGNATURE----- -- You received this message because you are subscribed to the Google Groups "qubes-devel" group. To unsubscribe from this group and stop receiving emails from it, send an email to qubes-devel+unsubscr...@googlegroups.com. To view this discussion visit https://groups.google.com/d/msgid/qubes-devel/Z-FCxFlseccFUIgs%40mail-itl.
