Re: Ordering dependency on device unit not working

On 13.08.2023 22:37, Ian Pilcher wrote:
I am attempting to create a service that will load device-specific
netfilter rules after the corresponding device has been created (bonds,
VLANs, etc.).

Here is my current attempt.

   [Unit]
   Description=Apply device-specific nftables rules for %I
   Wants=sys-devices-virtual-net-%I.device nftables.service
   After=sys-devices-virtual-net-%I.device

   [Service]
   Type=oneshot
   ProtectSystem=full
   ProtectHome=true
   ExecStart=/sbin/nft -f /etc/sysconfig/nftables-%I.conf
   RemainAfterExit=yes

   [Install]
   WantedBy=multi-user.target


But the service is still being started too early, despite its ordering
dependency on the device unit.

   # systemctl status late-nftables@bond0.256.service
   × late-nftables@bond0.256.service - Apply device-specific nftables rules for bond0.256
        Loaded: loaded (/etc/systemd/system/late-nftables@.service; enabled; preset: disabled)
        Active: failed (Result: exit-code) since Sun 2023-08-13 13:52:49 CDT; 29min ago
       Process: 525 ExecStart=/sbin/nft -f /etc/sysconfig/nftables-bond0.256.conf (code=exited, status=1/FAILURE)
      Main PID: 525 (code=exited, status=1/FAILURE)
           CPU: 45ms

   Aug 13 13:52:49 firewall.penurio.us nft[525]: In file included from /etc/sysconfig/nftables-bond0.256.conf:1:1-37:
   Aug 13 13:52:49 firewall.penurio.us nft[525]: /etc/nftables/fail2ban.nft:12:8-15: Error: Could not process rule: No such file or directory
   Aug 13 13:52:49 firewall.penurio.us nft[525]:         chain FAIL2BAN {
   Aug 13 13:52:49 firewall.penurio.us nft[525]:               ^^^^^^^^
   Aug 13 13:52:49 firewall.penurio.us systemd[1]: late-nftables@bond0.256.service: Main process exited, code=exited, status=1/FAILURE
   Aug 13 13:52:49 firewall.penurio.us systemd[1]: late-nftables@bond0.256.service: Failed with result 'exit-code'.
   Aug 13 13:52:49 firewall.penurio.us systemd[1]: Failed to start Apply device-specific nftables rules for bond0.256.

   # systemctl status late-nftables@bond0.256.service
   ● sys-devices-virtual-net-bond0.256.device - /sys/devices/virtual/net/bond0.256
        Loaded: loaded
        Active: active (plugged) since Sun 2023-08-13 13:52:51 CDT; 31min ago
         Until: Sun 2023-08-13 13:52:51 CDT; 31min ago
        Device: /sys/devices/virtual/net/bond0.256

I suspect a name escaping issue. bond0.256 contains a dot, so the unit name must be escaped. Try %i instead.

The device unit has been "active (plugged) since Sun 2023-08-13 13:52:51 CDT", but the service failed at 13:52:49, 2 seconds earlier.

What am I missing?
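As an added check that is not part of either message in this thread: the reply turns on the difference between %i (the instance name exactly as it appears in the unit name, which is already in escaped form) and %I (the same string with the escaping undone). The Python below re-implements the unit-name escaping rules documented in systemd.unit(5) and systemd-escape(1) so that both expansions can be computed offline for a given instance and compared with the device unit name systemd derives from the sysfs path. The function names and the second sample interface name (br-lan) are mine, not systemd's or the poster's.

```python
"""Unit-name escaping as documented in systemd.unit(5) / systemd-escape(1).

Added example: these helpers are not part of systemd or of the thread; they
exist so %i and %I can be expanded offline for a template instance name.
"""
import re
import string

# Characters systemd copies through unchanged: ASCII letters and digits,
# ':', '_' and '.' (a '.' is still escaped when it would be the first
# character, and '-' and '\\' are always escaped as \xNN).
_KEEP = set(string.ascii_letters + string.digits + ":_.")
_HEX = re.compile(r"\\x([0-9a-fA-F]{2})")


def _esc_char(c: str) -> str:
    """C-style \\xNN escape of every UTF-8 byte of one character."""
    return "".join(f"\\x{b:02x}" for b in c.encode("utf-8"))


def escape(s: str) -> str:
    """systemd-escape STRING: '/' -> '-', everything outside _KEEP -> \\xNN."""
    out = []
    for idx, c in enumerate(s):
        if c == "/":
            out.append("-")
        elif c in _KEEP and not (idx == 0 and c == "."):
            out.append(c)
        else:
            out.append(_esc_char(c))
    return "".join(out)


def path_escape(path: str) -> str:
    """systemd-escape --path PATH: collapse and strip slashes, then escape."""
    stripped = re.sub(r"/+", "/", path).strip("/")
    return "-" if stripped == "" else escape(stripped)


def unescape(s: str) -> str:
    """systemd-escape --unescape STRING (what %I yields): '-' -> '/', \\xNN -> byte."""
    buf = bytearray()
    i = 0
    while i < len(s):
        m = _HEX.match(s, i)
        if m:
            buf.append(int(m.group(1), 16))
            i = m.end()
        else:
            buf.extend(("/" if s[i] == "-" else s[i]).encode("utf-8"))
            i += 1
    return buf.decode("utf-8", errors="replace")


def specifiers(instance: str) -> dict:
    """Expand %i / %I for name@<instance>.service and derive the device unit
    that each expansion would name, next to the one systemd builds from sysfs."""
    unescaped = unescape(instance)
    return {
        "%i": instance,
        "%I": unescaped,
        "device_from_%i": f"sys-devices-virtual-net-{instance}.device",
        "device_from_%I": f"sys-devices-virtual-net-{unescaped}.device",
        # The name systemd itself gives the device unit for the interface,
        # i.e. the escaped sysfs path of the unescaped interface name.
        "device_for_path": path_escape(f"/sys/devices/virtual/net/{unescaped}") + ".device",
    }


if __name__ == "__main__":
    # Constructed instance names: the one from the thread, and an interface
    # whose name contains '-', which is where %i and %I part ways.
    for inst in ("bond0.256", escape("br-lan")):
        print(f"late-nftables@{inst}.service")
        for key, val in specifiers(inst).items():
            print(f"  {key:16} {val}")
```

Running it prints, for each constructed instance, what %i and %I expand to and which device unit each expansion names. On a host with systemd installed, `systemd-escape --path /sys/devices/virtual/net/bond0.256` and `systemd-escape --unescape` give the same answers and are the authoritative check.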




