The systemd unit has historically always used DefaultDependencies=no.
When only Before=network.target was used, the dependencies (as seen with
'systemctl list-dependencies ufw.service') were:

  ufw.service
  |_system.slice

When Before=network.target was changed to Before=network-pre.target and
Wants=network-pre.target, this became:

  ufw.service
  |_system.slice
  |_network-pre.target

Removing DefaultDependencies=no (DefaultDependencies defaults to 'yes')
pulls in the sysinit.target which changes this to (on a Debian 11
system):
While ufw is meant to come up before networking, there is no reason why
it shouldn't come up after 'basic system initialization is
completed'[1]. This should help make ufw startup more robust on systems
that need something from sysinit.

systemd.example: add Conflicts on various firewall software

Problems with ufw start most often have to do with other firewall
software getting in the way. Take a page from firewalld's systemd unit
and add a Conflicts on iptables, ip6tables, nftables and firewalld
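
As an added example (not part of the ufw commits or its shipped unit file), the following Python check audits a unit file for the settings the two systemd commits above describe: default dependencies left enabled, ordering against network-pre.target, and Conflicts on the other firewall services. The `.service` unit names and both sample units are assumptions constructed for illustration.

```python
# Added example: audit a firewall unit for the settings the commits describe.
# The *.service names below are assumed spellings of the listed software.
CONFLICTS = {"iptables.service", "ip6tables.service",
             "nftables.service", "firewalld.service"}

def parse_unit(text):
    """Return {section: {key: [values]}}; repeated keys accumulate."""
    unit, section = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            section = unit.setdefault(line[1:-1], {})
        elif "=" in line and section is not None:
            key, value = line.split("=", 1)
            section.setdefault(key.strip(), []).extend(value.split())
    return unit

def audit(text):
    """Return a list of findings; an empty list means the unit passes."""
    u = parse_unit(text).get("Unit", {})
    findings = []
    last = (u.get("DefaultDependencies") or ["yes"])[-1].lower()
    if last in {"no", "false", "off", "0"}:
        findings.append("DefaultDependencies disabled: sysinit.target not pulled in")
    for key in ("Before", "Wants"):
        if "network-pre.target" not in u.get(key, []):
            findings.append(f"{key}= lacks network-pre.target")
    missing = sorted(CONFLICTS - set(u.get("Conflicts", [])))
    if missing:
        findings.append("Conflicts= lacks " + " ".join(missing))
    return findings

# Constructed sample units (not the project's shipped file).
OLD_UNIT = """[Unit]
DefaultDependencies=no
Before=network.target
"""
NEW_UNIT = """[Unit]
Before=network-pre.target
Wants=network-pre.target
Conflicts=iptables.service ip6tables.service
Conflicts=nftables.service firewalld.service
"""

if __name__ == "__main__":
    for name, text in (("old", OLD_UNIT), ("new", NEW_UNIT)):
        print(name, audit(text) or "ok")
```
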

src/ufw-init-functions: set default policy after loading rules

If default input policy of DROP (default setting in ufw) is set
before loading rules to allow a network root filesystem to work,
it freezes before loading them, and the boot process stalls.
Just set default policy after loading rules, as the snippet for
ip[6]tables-restore has -n/--noflush, which doesn't flush other
rules in the builtin chains.
The output of iptables -L is identical before/after.

tests/check-requirements: revert 29c210e5 (too lenient) and update for 3.9

For a distribution it is arguably ok to modify this script for arbitrary
python versions but as an upstream it represents what it has been tested
against.