Arch Linux

Please read this before reporting a bug:

Do NOT report bugs when a package is just outdated, or it is in the AUR. Use the 'flag out of date' link on the package page, or the Mailing List.

REPEAT: Do NOT report bugs for outdated packages!

FS#33478 - [iptables] should be started as early as possible

Attached to Project: Arch Linux
Opened by Pierre Buard (Gilrain) - Sunday, 20 January 2013, 17:02 GMT
Last edited by Doug Newgard (Scimmia) - Thursday, 21 April 2016, 19:04 GMT
Task Type Bug Report
Category Packages: Core
Status Closed
Assigned To Ronald van Haren (pressh)
Architecture All
Severity High
Priority Normal
Reported Version
Due in Version Undecided
Due Date Undecided
Percent Complete 100%
Votes 21
Private No


To insure the firewall rules are setup before any sockets are made available, it must be started before
Please add the following line to the [Unit] section of both service files:

Additional info:
* iptables
* systemd bug report establishing the new guideline: <>
This task depends upon

Closed by  Doug Newgard (Scimmia)
Thursday, 21 April 2016, 19:04 GMT
Reason for closing:  Fixed
Additional comments about closing:  iptables 1.6.0-1
Comment by Pierre Buard (Gilrain) - Friday, 08 February 2013, 16:49 GMT
If you're in need of inspiration, take a look at the UFW service file: <>.
It was amended with the necessary systemd magic (see <>) and has been working perfectly on my computers ever since.
Comment by Olivier Brunel (jjacky) - Monday, 18 February 2013, 12:09 GMT
Here's a patch that adds as well as the DefaultDependencies=no to both service files.
Comment by Doru Georgescu (doru001) - Saturday, 13 July 2013, 15:11 GMT
This is my proposition for /usr/lib/systemd/system/iptables.service, inspired by, I mention that there should be instead of sysinit.service in 0001-Ensure-it-starts-before-sockets-are-made-available-F.patch attachment to the previous comment.
Comment by Olivier Brunel (jjacky) - Sunday, 14 July 2013, 10:54 GMT
Right, sorry about that. Here's a fixed patch.
Comment by Jakub Klinkovský (lahwaacz) - Thursday, 25 July 2013, 18:40 GMT
Using in this case would be wrong, it breaks dependencies between targets. Note that iptables.service is, is started after I think the correct way to do this is by placing iptables.service into, which is started after but before All services configuring network interfaces are in, so is necessarily started after
Comment by Jakub Klinkovský (lahwaacz) - Thursday, 25 July 2013, 18:51 GMT
Here's the proposed iptables.service
Comment by Doru Georgescu (doru001) - Friday, 26 July 2013, 12:13 GMT
Before does not mean RequiredBy (they are orthogonal, see man systemd.unit). After you work it out, you are welcome to the unhappy chorus: On my system iptables is started because it is enabled, not because it is wanted by
Comment by Christian Hesse (eworm) - Thursday, 12 June 2014, 09:11 GMT
With systemd-214-1 we have for this.
Comment by Christian Hesse (eworm) - Thursday, 12 June 2014, 09:22 GMT
From systemd documentation:

> Firewall services should order themselves Before=, and
> declare a RequiredBy= relation to
> Once enabled, their failure to start will impede network
> communication, avoiding dangerous leaks.

Patch is attached.
Comment by Leonid Isaev (lisaev) - Thursday, 12 June 2014, 16:34 GMT
Christian, shouldn't RequiredBy= go into [Install] section [1]? Also, I don't think that RequiredBy= is the upstream recommendation [2] (not that I am agreeing with them).


So, I would personally go with what was proposed in [1]...
Comment by Tobias Hunger (hunger) - Wednesday, 25 June 2014, 21:15 GMT
Now that systemd 214 is in the archives: Shouldn't this get started in the new

The release announcement gives firewall scripts as an example for this target.

Sorry for the noise, I only now noticed that this is exactly what the latest version of the patch does:-/
Comment by Joakim Hernberg (jhernberg) - Monday, 18 August 2014, 02:08 GMT
Any reason this isn't done yet?
Comment by Chris (snakeroot) - Monday, 03 November 2014, 19:12 GMT
In the patch, shouldn't you add:


IOW, RequiredBy goes in the install section. See upstream bug report .
Comment by Szunti (Szunti) - Thursday, 15 January 2015, 11:09 GMT
Just want to add again that
sais you should use Wants, RequiredBy doesn't work without anything pulling the target in.

Comment by Ingo Albrecht (indigo) - Tuesday, 31 March 2015, 22:41 GMT
The above is also matched by [1] which fixed the same for nftables last year.

A new iptables release was shipped today without it. Is there a reason why?

Comment by Joakim Hernberg (jhernberg) - Wednesday, 01 April 2015, 07:01 GMT
I'm also wondering what's up with this, why no resolution for so long?

Can we finally please get this done?
Comment by Joakim Hernberg (jhernberg) - Wednesday, 26 August 2015, 13:07 GMT
This still isn't implemented in the repos.. Please fix!
Comment by Patrick Brauer (mercora) - Wednesday, 17 February 2016, 16:26 GMT
its 3 years later now... still nothing happend? Is there anything missing i could help with?