Start firewall rules before network is brought up.
author Petter Reinholdtsen <pere@hungry.com>
Tue, 24 Jun 2025 05:47:33 +0000 (07:47 +0200)
committer Petter Reinholdtsen <pere@debian.org>
Tue, 24 Jun 2025 05:47:33 +0000 (07:47 +0200)
Forwarded: https://github.com/evilsocket/opensnitch/pull/1019
Last-Update: 2025-04-20

Also protect the firewall daemon from the kernel OOM killer.  Partly
based on proposal from
https://github.com/evilsocket/opensnitch/pull/1019/.

Gbp-Pq: Name 1030-systemd-service-earlier.patch

daemon/opensnitchd.service

index 3f05fad2641f8700eb57d609daccc2ddb1a96f6e..3bfd94d6bf3ad33c638cd762fca4e46d90a70338 100644 (file)
@@ -1,6 +1,10 @@
 [Unit]
 Description=Application firewall OpenSnitch
 Documentation=https://github.com/evilsocket/opensnitch/wiki
+DefaultDependencies=no
+Before=network-pre.target shutdown.target
+Wants=network-pre.target
+Conflicts=shutdown.target
 
 [Service]
 Type=simple
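Review bot: With Type=simple in [Service], Before=network-pre.target only orders the launch of the opensnitchd process ahead of network setup, not the point at which its rules are in place. systemd treats a simple service as started as soon as the process has been spawned, so interfaces can still come up before the daemon is filtering. If the daemon can signal readiness, a notify-style service type would close that window; otherwise the commit message should state that the ordering is best effort. A second point on the same hunk: DefaultDependencies=no removes the implicit ordering after sysinit.target, so the unit needs its own ordering for the filesystems that hold /usr/local/bin/opensnitchd and /etc/opensnitchd/rules, for example After=local-fs.target.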
@@ -10,6 +14,9 @@ ExecStart=/usr/local/bin/opensnitchd -rules-path /etc/opensnitchd/rules
 Restart=always
 RestartSec=30
 TimeoutStopSec=10
+# Ensure it is not killed by the Linux kernel's Out-Of-Memory (OOM) killer.
+# https://www.freedesktop.org/software/systemd/man/systemd.exec.html#OOMScoreAdjust=
+OOMScoreAdjust=-1000
 
 [Install]
-WantedBy=multi-user.target
+WantedBy=basic.target
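Review bot: The [Install] change from WantedBy=multi-user.target to WantedBy=basic.target only takes effect when the unit is enabled again, so a system where the service is already enabled keeps its multi-user.target.wants symlink and the old pull-in point. The upgrade path should re-enable the unit (systemctl reenable) or the commit message should say that this is needed. On the OOMScoreAdjust=-1000 lines: that value exempts the daemon from the OOM killer completely, so a memory leak in opensnitchd makes the kernel kill other processes instead. The comment should name that trade-off, and it would help to say why full exemption was chosen given that Restart=always with RestartSec=30 already restarts the daemon, presumably to avoid the 30 seconds without it.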