Signed-off-by: Jörg Thalheim <joerg@xxxxxxxxxxxxx>
---
 configure.ac | 34 ++++++++++++++++++++++++++++++++++
 files/Makefile.am | 10 +++++++++-
 files/nftables.conf | 7 +++++++
 files/nftables/nftables.conf | 0
 files/systemd/Makefile.am | 12 ++++++++++++
 files/systemd/nftables-reload | 15 +++++++++++++++
 files/systemd/nftables.service | 12 ++++++++++++
 7 files changed, 89 insertions(+), 1 deletion(-)
 create mode 100644 files/nftables.conf
 create mode 100644 files/nftables/nftables.conf
 create mode 100644 files/systemd/Makefile.am
 create mode 100755 files/systemd/nftables-reload
 create mode 100644 files/systemd/nftables.service
diff --git a/configure.ac b/configure.ac
index 57ea99d..5adb223 100644
--- a/configure.ac
+++ b/configure.ac
@@ -13,6 +13,8 @@ AC_CONFIG_MACRO_DIR([m4])
 AM_INIT_AUTOMAKE([-Wall foreign subdir-objects tar-pax no-dist-gzip dist-bzip2 1.6])
+AC_PATH_TOOL(PKGCONFIG, pkg-config)
+
 dnl kernel style compile messages
 m4_ifdef([AM_SILENT_RULES], [AM_SILENT_RULES([yes])])
@@ -112,6 +114,36 @@ AC_TYPE_UINT16_T
 AC_TYPE_UINT32_T
 AC_TYPE_UINT64_T
+AC_ARG_WITH(systemd, [ --with-systemd set directory for systemd service files],
+ [systemd_unitdir="$withval"; with_systemd=yes],
+ [systemd_unitdir=""; with_systemd=no])
+AC_SUBST(systemd_unitdir)
+
+AC_ARG_WITH(systemdutildir, [ --with-systemdutildir set directory for systemd helper scripts],
+ [systemd_utildir="$withval"], [systemd_utildir=""])
+AC_SUBST(systemd_utildir)
+
+AM_CONDITIONAL([INSTALL_SYSTEMD], [test "x$with_systemd" != xno])
+AM_COND_IF([INSTALL_SYSTEMD],
+ [AS_IF([test "x$PKGCONFIG" = "x"],
+ [AC_MSG_ERROR(Need pkg-config to enable systemd support.)],
+
+ [AC_MSG_CHECKING(for systemd)
+ AS_IF([$PKGCONFIG --exists systemd],
+ [AC_MSG_RESULT(yes)
+ AS_IF([$PKGCONFIG --exists systemd],
+ [AS_IF([test "x$systemd_unit_dir" = "x"],
+ [ systemd_unitdir="`$PKGCONFIG --variable=systemdsystemunitdir systemd`"])
+ AS_IF([test "x$systemd_util_dir" = "x"],
+ [ systemd_utildir="`$PKGCONFIG --variable=systemdutildir systemd`"])
+ ])
+ ]
+ [AC_MSG_RESULT(no)])
+ ]
+
+ )]
+)
+
 # Checks for library functions.
 AC_CHECK_FUNCS([memmove memset strchr strdup strerror strtoull])
@@ -124,10 +156,12 @@ AC_CONFIG_FILES([ \
 doc/Makefile \
 files/Makefile \
 files/nftables/Makefile \
+ files/systemd/Makefile \
 ])
 AC_OUTPUT
 echo "
 nft configuration:
 cli support: ${with_cli}
+ systemd support: ${with_systemd}
 enable debugging: ${with_debug}"
diff --git a/files/Makefile.am b/files/Makefile.am
index a8394c0..8045495 100644
--- a/files/Makefile.am
+++ b/files/Makefile.am
@@ -1 +1,9 @@
-SUBDIRS = nftables
+SUBDIRS = nftables \
+ systemd
+
+nftables_confdir = ${sysconfdir}
+nftables_conf_DATA = nftables.conf
+
+install-data-hook:
+ ${SED} -i 's|@sbindir[@]|${sbindir}/|g;s|@sysconfdir[@]|${sysconfdir}/|g' \
+ ${DESTDIR}${sysconfdir}/nftables.conf
diff --git a/files/nftables.conf b/files/nftables.conf
new file mode 100644
index 0000000..f572db5
--- /dev/null
+++ b/files/nftables.conf
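Review bot: The two inner tests read `$systemd_unit_dir` and `$systemd_util_dir`, which nothing ever sets — the variables this hunk assigns and AC_SUBSTs are `systemd_unitdir` and `systemd_utildir` — so both tests are always true and the pkg-config values silently overwrite a directory given with `--with-systemd=DIR` or `--with-systemdutildir=DIR`. The else branch `[AC_MSG_RESULT(no)]` follows the yes-branch with no comma between the two brackets, so m4 folds it into the yes-branch: both "yes" and "no" print when systemd is found, and when it is not found nothing happens and `systemd_unitdir` stays empty for the install rules in files/systemd/Makefile.am to use as a root directory. A bare `--with-systemd` (and also `--without-systemd`) stores `$withval` as the unit directory and marks support as enabled. The rewrite below fixes the variable names, separates the branches, drops the repeated `--exists` check and fails configure when a directory is still unknown; the AC_SUBST, second AC_ARG_WITH and AM_CONDITIONAL lines in between are unchanged.
```m4
AC_ARG_WITH([systemd],
  [AS_HELP_STRING([--with-systemd=DIR], [install systemd unit files (into DIR)])],
  [AS_CASE([$withval],
     [no],  [with_systemd=no;  systemd_unitdir=""],
     [yes], [with_systemd=yes; systemd_unitdir=""],
            [with_systemd=yes; systemd_unitdir="$withval"])],
  [with_systemd=no; systemd_unitdir=""])
AC_SUBST([systemd_unitdir])

dnl ... unchanged: AC_ARG_WITH(systemdutildir), AC_SUBST(systemd_utildir), AM_CONDITIONAL ...

AM_COND_IF([INSTALL_SYSTEMD],
  [AS_IF([test "x$PKGCONFIG" = "x"],
     [AC_MSG_ERROR([Need pkg-config to enable systemd support.])])
   AC_MSG_CHECKING([for systemd])
   AS_IF([$PKGCONFIG --exists systemd],
     [AC_MSG_RESULT([yes])
      dnl only fill in what --with-systemd=DIR / --with-systemdutildir=DIR left empty
      AS_IF([test "x$systemd_unitdir" = "x"],
        [systemd_unitdir="`$PKGCONFIG --variable=systemdsystemunitdir systemd`"])
      AS_IF([test "x$systemd_utildir" = "x"],
        [systemd_utildir="`$PKGCONFIG --variable=systemdutildir systemd`"])],
     [AC_MSG_RESULT([no])])
   AS_IF([test "x$systemd_unitdir" = "x" || test "x$systemd_utildir" = "x"],
     [AC_MSG_ERROR([systemd support requested but no unit/util directory found; pass --with-systemd=DIR and --with-systemdutildir=DIR])])])
```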
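Review bot: `nftables_conf_DATA = nftables.conf` reinstalls the shipped skeleton over `${sysconfdir}/nftables.conf` on every `make install`, replacing an administrator's edited ruleset with the accept-everything scaffold from the files/nftables.conf hunk; a file under sysconfdir should only be installed when it is absent. Rewriting the installed file with `${SED} -i` in `install-data-hook` also relies on `SED` being set by an `AC_PROG_SED` that this patch does not add (whether configure.ac already has one is not visible here), and the files/systemd/Makefile.am hunk repeats the same post-install sed for nftables-reload and nftables.service. The autoconf manual's pattern is to keep `nftables.conf.in` in the source tree, expand the directory variables with a build rule into the build tree, and install the generated file, as below; the same rule shape applies to the two systemd templates.
```makefile
SUBDIRS = nftables \
	systemd

EXTRA_DIST = nftables.conf.in
CLEANFILES = nftables.conf

# Expand the installation directory variables at build time (they are only
# fully known to make, not to configure); output stays in the build tree.
nftables.conf: nftables.conf.in Makefile
	$(SED) -e 's|@sbindir[@]|$(sbindir)/|g' -e 's|@sysconfdir[@]|$(sysconfdir)/|g' \
		$(srcdir)/nftables.conf.in > $@

# Never clobber an existing ruleset in sysconfdir.
install-data-local: nftables.conf
	$(MKDIR_P) "$(DESTDIR)$(sysconfdir)"
	test -e "$(DESTDIR)$(sysconfdir)/nftables.conf" || \
		$(INSTALL_DATA) nftables.conf "$(DESTDIR)$(sysconfdir)/nftables.conf"
```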
@@ -0,0 +1,7 @@
+#! @sbindir@nft -f
+
+table inet filter {
+ chain input { type filter hook input priority 0; }
+ chain forward { type filter hook forward priority 0; }
+ chain output { type filter hook output priority 0; }
+}
diff --git a/files/nftables/nftables.conf b/files/nftables/nftables.conf
new file mode 100644
index 0000000..e69de29
diff --git a/files/systemd/Makefile.am b/files/systemd/Makefile.am
new file mode 100644
index 0000000..c0a56c8
--- /dev/null
+++ b/files/systemd/Makefile.am
@@ -0,0 +1,12 @@
+
+if INSTALL_SYSTEMD
+systemd_unit_DATA = nftables.service
+
+systemd_scriptsdir = ${systemd_utildir}/scripts
+systemd_scripts_SCRIPTS = nftables-reload
+
+install-data-hook:
+ ${SED} -i 's|@sbindir[@]|${sbindir}/|g;s|@sysconfdir[@]|${sysconfdir}/|g;s|@systemd_scriptsdir[@]|${systemd_scriptsdir}/|g' \
+ ${DESTDIR}${systemd_scriptsdir}/nftables-reload \
+ ${DESTDIR}${systemd_unitdir}/nftables.service
+endif
diff --git a/files/systemd/nftables-reload b/files/systemd/nftables-reload
new file mode 100755
index 0000000..d688cb6
--- /dev/null
+++ b/files/systemd/nftables-reload
@@ -0,0 +1,15 @@
+#!/bin/sh
+
+set -e
+
+if [ ! -f @sysconfdir@xxxxxxxxxxxxx ]
+then
+ echo "/etc/nftables.conf does not exist" >&2
+ exit 1
+fi
+
+rules="$(mktemp nftables.XXXXXXXX)"
+trap "rm -f $tmpfile" 0 1 2 3 15
+echo "flush ruleset" > "$rules"
+cat @sysconfdir@xxxxxxxxxxxxx >> "$rules"
+@sbindir@nft -f "$rules"
diff --git a/files/systemd/nftables.service b/files/systemd/nftables.service
new file mode 100644
index 0000000..f958bfc
--- /dev/null
+++ b/files/systemd/nftables.service
@@ -0,0 +1,12 @@
+[Unit]
+Description=nftables
+Documentation=man:nft(8)
+
+[Service]
+RemainAfterExit=yes
+ExecStart=@sbindir@nft -I /etc/nftables -f /etc/nftables.conf
+ExecStop=@sbindir@nft flush ruleset
+ExecReload=@systemd_scriptsdir@nftables-reload
+
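Review bot: The three base chains carry no `policy`, so once this file is installed and loaded every hook falls back to nftables' default accept and the installed `/etc/nftables.conf` is an empty scaffold rather than a firewall; anyone editing it should be told so, e.g. a comment after the shebang: `# No rules and no policy: every chain accepts by default. Add 'policy drop;' to a chain line to deny by default.` The shebang `#! @sbindir@nft -f` only becomes executable after the install-time substitution in files/Makefile.am, which is worth a one-line comment in the template as well. The commit also adds an empty `files/nftables/nftables.conf` (0 lines in the diffstat), which looks like a stray leftover.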
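Review bot: `trap "rm -f $tmpfile" 0 1 2 3 15` names `$tmpfile`, which is never assigned, so the temporary ruleset held in `$rules` is never removed; with double quotes the variable is also expanded when the trap is installed, so the line should read `trap 'rm -f "$rules"' 0 1 2 3 15`. `mktemp nftables.XXXXXXXX` uses a relative template and creates the file in whatever the current directory is when the script runs (for a systemd `ExecReload` that is `/` unless `WorkingDirectory` is set), leaving a copy of the firewall rules there on every reload; use `rules="$(mktemp -t nftables.XXXXXXXX)"`. The error message hardcodes `/etc/nftables.conf` while the test and the `cat` use the substituted sysconfdir path (shown mangled by the mail archive as `@sysconfdir@xxxxxxxxxxxxx`), so the two disagree whenever `--sysconfdir` is not `/etc`; print the substituted path in the message instead. With `set -e` and the trap on exit 0 as well, a failing `nft -f` still cleans up once the variable name is fixed.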