Hi netfilter community,

Patrick McHardy asked me to submit our work on systemd support for nftables (https://github.com/devkid/nftables-systemd).

It currently consists of a service file for systemd and a script to load/remove nftables rules. The script does more than is actually needed for fundamental systemd support.

It allows you to test rules:

    $ nftablesctl start --confirm

which resets after 20s if you accidentally kill your ssh connection.

It allows you to list all rules with one command:

    $ nftables list

Instead of storing all rules in a single file (/etc/nftables.conf), it applies all files ending with .rules from the directory /etc/nftables/ in lexical order, which makes it more useful for configuration management like chef/puppet/ansible, where generating a single file from multiple modules is a pain.

So the question is whether the nftables project wants such a script. If you are just looking for a systemd service, the following approach would be much easier:

    [Unit]
    Description=Netfilter Tables
    Documentation=man:nft(8)
    Wants=network-pre.target
    Before=network-pre.target

    [Service]
    Type=oneshot
    ExecStart=/usr/bin/nft -f /etc/nftables.conf
    ExecStop=/usr/lib/systemd/scripts/nftables-flush
    RemainAfterExit=yes

    [Install]
    WantedBy=multi-user.target

where /usr/lib/systemd/scripts/nftables-flush would just drop all rules.
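A sketch of the two mechanisms the post describes, assembling /etc/nftables/*.rules in lexical order and applying the result with a confirm-or-rollback window, added here as an example; it is not the devkid/nftables-systemd script. It assumes `nft -f -` reads a ruleset from stdin; the NFT and RULES_DIR variables, the stamp-file confirmation and the function names are my own.

```shell
#!/bin/sh
# Hypothetical sketch (not the devkid/nftables-systemd script): build one
# ruleset from RULES_DIR/*.rules and apply it with a confirm-or-rollback step.
export LC_ALL=C                              # bytewise glob order = lexical order
NFT="${NFT:-nft}"                            # nft binary; overridable for testing
RULES_DIR="${RULES_DIR:-/etc/nftables}"

# Print a complete ruleset: flush first, then every *.rules file in lexical
# order, so the result is the same no matter what was loaded before.
assemble_ruleset() {
    dir="$1"
    echo "flush ruleset"
    for f in "$dir"/*.rules; do
        [ -f "$f" ] || continue
        echo "# --- $f ---"
        cat "$f"
    done
}

# Save the live ruleset, apply the assembled one, then wait up to $2 seconds
# for the operator to create stamp file $1 (e.g. a "confirm" command touching
# it). No confirmation (lost ssh session) => restore the saved ruleset,
# return 2. Returns 0 when confirmed, 1 when nothing could be applied.
apply_with_confirm() {
    stamp="$1" timeout="$2"
    rm -f "$stamp"                           # a stale stamp must not auto-confirm
    saved=$(mktemp) || return 1
    "$NFT" list ruleset > "$saved" || { rm -f "$saved"; return 1; }
    if ! assemble_ruleset "$RULES_DIR" | "$NFT" -f -; then
        rm -f "$saved"; return 1             # load failed, old ruleset still live
    fi
    i=0
    while [ "$i" -lt "$timeout" ]; do
        if [ -e "$stamp" ]; then
            rm -f "$saved" "$stamp"; return 0
        fi
        sleep 1; i=$((i + 1))
    done
    { echo "flush ruleset"; cat "$saved"; } | "$NFT" -f -   # roll back
    rm -f "$saved"
    return 2
}

# Example: apply_with_confirm /run/nftables.confirm 20 || echo "rolled back"
```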