> How do you detect the leak?

I haven't attempted to capture the leak.

> According to the same link you refer to, there is no established
> network connectivity before network-online.target

You've misinterpreted the reference. It is saying that services configuring interfaces must run **after** network-pre.target. It is also saying that services that contribute to the network being online must run **before** network-online.target.

> qubes-firewall.service starts before network.target, i.e. even earlier:

The services that contribute to the network being up run before network-online.target, which can also be before network.target.

> I don't know if it is not possible (or necessary) to have it
> Before=network-pre.target because the virtual interfaces (vif*) are
> part of the nft rules. (See /etc/xen/scripts/vif-route-qubes)

It is possible and necessary to have it before network-pre.target. In fact, it already can/does run before network-pre.target, it just isn't configured such that this is guaranteed. I have tested this and it works. If this is introducing some invisible problem, then you can create another service that only runs /rw/config/qubes-firewall-user-script.

> I don't think this is a bug in practice, but you are right that it would
> be better to do this.

I do think it is a bug in practice. Doing things improperly because a path is unlikely to be encountered is bad.

> In fact we have an open issue that covers this.
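Added example, not part of the original message and not Qubes code: a shell check for the ordering discussed above, run over text in the format printed by `systemctl show -p Before -p Wants <unit>`. The sample property text is constructed, and the function names are hypothetical; the `Wants=` check reflects systemd.special(7), which describes network-pre.target as a passive target that the service ordered before it should pull in.

```shell
#!/bin/sh
# Constructed samples in "systemctl show -p Before -p Wants <unit>" format.
# They are illustrative only, not captured from a Qubes system.
SAMPLE_UNORDERED='Wants=
Before=network.target shutdown.target'
SAMPLE_ORDERED='Wants=network-pre.target
Before=network-pre.target network.target shutdown.target'

# has_dep PROPS KEY TARGET: succeeds if TARGET is a whole token on the KEY= line.
# Exact token matching keeps network.target from passing for network-pre.target.
has_dep() {
    printf '%s\n' "$1" | awk -v key="$2" -v target="$3" '
        index($0, key "=") == 1 {
            sub(/^[^=]*=/, "")          # drop "KEY=", fields are re-split
            for (i = 1; i <= NF; i++) if ($i == target) found = 1
        }
        END { exit (found ? 0 : 1) }'
}

# check_firewall_ordering PROPS
#   returns 0: ordered before network-pre.target and pulls the target in
#   returns 1: no Before=network-pre.target, so early start is only incidental
#   returns 2: Before= present but the passive target is not pulled in, so the
#              ordering applies only if something else starts network-pre.target
check_firewall_ordering() {
    if ! has_dep "$1" Before network-pre.target; then
        echo "NOT GUARANTEED: missing Before=network-pre.target"
        return 1
    fi
    if ! has_dep "$1" Wants network-pre.target; then
        echo "WEAK: Before= set, but network-pre.target is not pulled in"
        return 2
    fi
    echo "OK: guaranteed to start before network configuration"
}

check_firewall_ordering "$SAMPLE_UNORDERED" || true
check_firewall_ordering "$SAMPLE_ORDERED"
# On a live system (assumed unit name from the thread):
#   check_firewall_ordering "$(systemctl show -p Before -p Wants qubes-firewall.service)"
```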
