From: Petter Reinholdtsen Date: Tue, 20 May 2025 15:01:26 +0000 (+0000) Subject: Start firewall rules before network is brought up. X-Git-Tag: archive/raspbian/1.6.9-3+rpi1~5 X-Git-Url: https://dgit.raspbian.org/?a=commitdiff_plain;h=08b2206b83e0e4c92292ff1fec088c51703bfa4f;p=opensnitch.git Start firewall rules before network is brought up. Forwarded: https://github.com/evilsocket/opensnitch/pull/1019 Last-Update: 2025-04-20 Also protect the firewall daemon from the kernel OOM killer. Partly based on proposal from https://github.com/evilsocket/opensnitch/pull/1019/. Gbp-Pq: Name 1030-systemd-service-earlier.patch --- diff --git a/daemon/opensnitchd.service b/daemon/opensnitchd.service index 3f05fad..3bfd94d 100644 --- a/daemon/opensnitchd.service +++ b/daemon/opensnitchd.service @@ -1,6 +1,10 @@ [Unit] Description=Application firewall OpenSnitch Documentation=https://github.com/evilsocket/opensnitch/wiki +DefaultDependencies=no +Before=network-pre.target shutdown.target +Wants=network-pre.target +Conflicts=shutdown.target [Service] Type=simple @@ -10,6 +14,9 @@ ExecStart=/usr/local/bin/opensnitchd -rules-path /etc/opensnitchd/rules Restart=always RestartSec=30 TimeoutStopSec=10 +# Ensure it is not killed by the Linux kernel's Out-Of-Memory (OOM) killer. +# https://www.freedesktop.org/software/systemd/man/systemd.exec.html#OOMScoreAdjust= +OOMScoreAdjust=-1000 [Install] -WantedBy=multi-user.target +WantedBy=basic.target
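Review bot: In the [Unit] hunk, DefaultDependencies=no removes the implicit After=sysinit.target and After=basic.target ordering, and none of the added lines replaces it, so the unit is no longer ordered after the mounts that hold /usr/local/bin/opensnitchd and /etc/opensnitchd/rules (the ExecStart line visible in the second hunk's header). Consider adding After=local-fs.target, or RequiresMountsFor= for those two paths, so that starting before network-pre.target does not race with mounting on systems where either path is on a separate filesystem. A failed early start matters here because the [Service] context shows RestartSec=30, which would leave the network up without the firewall for that interval.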
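Review bot: OOMScoreAdjust=-1000 in the [Service] hunk exempts the daemon from the OOM killer completely, so if opensnitchd itself is the process exhausting memory, the kernel will kill other processes instead and the Restart=always recovery path is never reached. Consider a less absolute negative value, so the daemon is strongly deprioritised but still killable as a last resort, and say in the comment why that value was chosen. Separately, the change from WantedBy=multi-user.target to WantedBy=basic.target in [Install] only takes effect when the unit is enabled again, so on upgrade the packaging needs to re-enable it, otherwise the existing multi-user.target.wants symlink stays in place.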