Re: [nft PATCH v2 1/3] nftables: rearrange files and examples

On Sat, Mar 10, 2018 at 02:19:33PM +0100, Arturo Borrero Gonzalez wrote:
> On 10 March 2018 at 09:28, Duncan Roe <duncan_roe@xxxxxxxxxxxxxxx> wrote:
> >
> > Up to Release 0.8.2, it used to be the case that after *make install*, these
> > example files would show up in /etc/nftables.
> >
> > Now they don't.
> >
> > I think this is a regression which needs to be addressed,
>
> We wanted to provide a collection of examples of what nftables can do,
> for people who may be external to the project.
> More examples may be added in the short term, I would like to see that
> directory full of nft scripts.
>
> I'm not sure if we should install all of them to /etc/ with make
> install. Any proposal?

Hi Arturo,

Your question deserves a well-considered response.

I'm still trying to get my head around one, but in the meantime, since it's been
a week since your post, here are some initial observations.

My initial reaction was that if /etc disappears then distributors are unlikely
to replace it. Unless they do, the example files will never get to their target
audience.

I suggest an absolute minimum action would be to restore /etc as-was before the
next release.

I say release because most of the time that's what a distributor will use. I'm
thinking in particular of the upcoming Slackware 15.0. Slackware 14.2 came with
nftables-0.6, about 18 months ago.

My concern is, we need to help steer new nftables users in a good direction. I
think we need a README in /etc at least.

For the original files (with the addition of netdev-ingress), the README should
make it clear that these are *templates*. Actually I would re-format them to
look the way "nft list ruleset" displays them, e.g.:

> 11:36:51# cat ipv4-filter
> #! /usr/sbin/nft -f
>
> table filter {
>         chain input             { type filter hook input priority 0; }
>         chain forward           { type filter hook forward priority 0; }
>         chain output            { type filter hook output priority 0; }
> }
> 11:42:33# ./ipv4-filter
> 11:42:41# nft list ruleset
> table ip filter {
>         chain input {
>                 type filter hook input priority 0; policy accept;
>         }
>
>         chain forward {
>                 type filter hook forward priority 0; policy accept;
>         }
>
>         chain output {
>                 type filter hook output priority 0; policy accept;
>         }
> }

For this demo I chmod'd a+x ipv4-filter. But I would caution against
distributing the files with execute access. We don't want to encourage people to
use them as-is, because adding a rule afterwards is cumbersome compared to
adding it before the trailing curly bracket of its chain. If you use the output
from nft list ruleset as the template, you could insert a comment like "# insert
rules here" after each "type" line. I'm not advocating to do that - it's just a
suggestion.

Moving up from the reinstate as-was option, these old files and netdev-ingress
form a set of chain templates. I think this tree structure would suit well:
/etc/chain_templates/{*-filter,*-mangle,*-nat,*-raw,*-ingress,README}

I'll have to leave the other new files for discussion in another email,

Cheers ... Duncan.
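The reformatting suggested in the message above (use the "nft list ruleset" output as the template and put an "# insert rules here" marker after each "type" line), as an added shell example that is not part of the original thread or the nftables project; the input listing is constructed from the ip filter output shown above.

```shell
#!/bin/sh
# Constructed input: the "nft list ruleset" output for the ip filter table,
# as it appears in the message above.
RULESET_LISTING='table ip filter {
        chain input {
                type filter hook input priority 0; policy accept;
        }

        chain forward {
                type filter hook forward priority 0; policy accept;
        }

        chain output {
                type filter hook output priority 0; policy accept;
        }
}'

# make_template: read a ruleset listing on stdin, write a template on stdout.
# The shebang line is prepended and a marker line is added after every base
# chain definition ("type <type> hook <hook> priority ...; policy ...;").
# Only "type" lines get a marker, so rules already present in a chain are
# copied through untouched, and the explicit policy stays visible above it.
make_template() {
    printf '%s\n' '#! /usr/sbin/nft -f'
    awk '
        { print }
        /^[ \t]*type [a-z]+ hook [a-z]+ priority/ {
            match($0, /^[ \t]*/)
            printf "%s# insert rules here\n", substr($0, RSTART, RLENGTH)
        }
    '
}

# count_markers: number of insertion points in a template read on stdin
# (one per base chain in the listing).
count_markers() {
    grep -c '# insert rules here'
}

# Usage: printf '%s\n' "$RULESET_LISTING" | make_template > ipv4-filter
# (the result should stay non-executable, as the message suggests:
#  chmod a-x ipv4-filter)
```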