Hi Jan, I added a few more people to Cc. On Fri, Feb 28, 2025 at 09:59:35PM +0100, Jan Engelhardt wrote: > There is a customer request (bugreport) for wanting to trivially load a ruleset > from a well-known location on boot, forwarded to me by M. Gerstner. A systemd > service unit is hereby added to provide that functionality. This is based on > various distributions attempting to do same, cf. > > https://src.fedoraproject.org/rpms/nftables/tree/rawhide > https://gitlab.alpinelinux.org/alpine/aports/-/blob/master/main/nftables/nftables.initd > https://gitlab.archlinux.org/archlinux/packaging/packages/nftables Any chance to Cc these maintainers too? Given this is closer to downstream than upstream, I would like to understand if this could cause any hypothetical interference with distro packagers. Only subtle nitpick I see with this patch is that INSTALL file is not updated to provide information on how to use --with-unitdir=. Thanks. > Cc: Matthias Gerstner <matthias.gerstner@xxxxxxxx> > --- > .gitignore | 1 + > Makefile.am | 16 ++++++++++++---- > configure.ac | 10 ++++++++++ > files/nftables/main.nft | 24 ++++++++++++++++++++++++ > tools/nftables.service.8 | 18 ++++++++++++++++++ > tools/nftables.service.in | 21 +++++++++++++++++++++ > 6 files changed, 86 insertions(+), 4 deletions(-) > create mode 100644 files/nftables/main.nft > create mode 100644 tools/nftables.service.8 > create mode 100644 tools/nftables.service.in > > diff --git a/.gitignore b/.gitignore > index a62e31f3..f92187ef 100644 > --- a/.gitignore > +++ b/.gitignore > @@ -14,6 +14,7 @@ autom4te.cache > build-aux/ > libnftables.pc > libtool > +tools/nftables.service > > # cscope files > /cscope.* > diff --git a/Makefile.am b/Makefile.am > index fb64105d..050991f4 100644 > --- a/Makefile.am > +++ b/Makefile.am > @@ -375,18 +375,19 @@ dist_pkgdata_DATA = \ > files/nftables/netdev-ingress.nft \ > $(NULL) > > -pkgdocdir = ${docdir}/examples > +exampledir = ${docdir}/examples > > -dist_pkgdoc_SCRIPTS = \ > +dist_example_SCRIPTS = \ > files/examples/ct_helpers.nft \ > files/examples/load_balancing.nft \ > files/examples/secmark.nft \ > files/examples/sets_and_maps.nft \ > $(NULL) > > -pkgsysconfdir = ${sysconfdir}/nftables/osf > +pkgsysconfdir = ${sysconfdir}/${PACKAGE} > +osfdir = ${pkgsysconfdir}/osf > > -dist_pkgsysconf_DATA = \ > +dist_osf_DATA = \ > files/osf/pf.os \ > $(NULL) > > @@ -410,3 +411,10 @@ EXTRA_DIST += \ > > pkgconfigdir = $(libdir)/pkgconfig > pkgconfig_DATA = libnftables.pc > +unit_DATA = tools/nftables.service > +man_MANS = tools/nftables.service.8 > +doc_DATA = files/nftables/main.nft > + > +tools/nftables.service: tools/nftables.service.in ${top_builddir}/config.status > + ${AM_V_GEN}${MKDIR_P} tools > + ${AM_V_at}sed -e 's|@''sbindir''@|${sbindir}|g;s|@''pkgsysconfdir''@|${pkgsysconfdir}|g' <${srcdir}/tools/nftables.service.in >$@ > diff --git a/configure.ac b/configure.ac > index 80a64813..64a164e5 100644 > --- a/configure.ac > +++ b/configure.ac > @@ -114,6 +114,16 @@ AC_CHECK_DECLS([getprotobyname_r, getprotobynumber_r, getservbyport_r], [], [], > #include <netdb.h> > ]]) > > +AC_ARG_WITH([unitdir], > + [AS_HELP_STRING([--with-unitdir=PATH], [Path to systemd service unit directory])], > + [unitdir="$withval"], > + [ > + unitdir=$("$PKG_CONFIG" systemd --variable systemdsystemunitdir 2>/dev/null) > + AS_IF([test -z "$unitdir"], [unitdir='${prefix}/lib/systemd/system']) > + ]) > +AC_SUBST([unitdir]) > + > + > AC_CONFIG_FILES([ \ > Makefile \ > libnftables.pc \ > diff --git a/files/nftables/main.nft b/files/nftables/main.nft > new file mode 100644 > index 00000000..8e62f9bc > --- /dev/null > +++ b/files/nftables/main.nft > @@ -0,0 +1,24 @@ > +#!/usr/sbin/nft -f > + > +# template static firewall configuration file > +# > +# copy this over to /etc/nftables/rules/main.nft as a starting point for > +# configuring a rule set which will be loaded by nftables.service. > + > +flush ruleset > + > +table inet filter { > + chain input { > + type filter hook input priority filter; > + } > + chain forward { > + type filter hook forward priority filter; > + } > + chain output { > + type filter hook output priority filter; > + } > +} > + > +# this can be used to split the rule set into multiple smaller files concerned > +# with specific topics, like forwarding rules > +#include "/etc/nftables/rules/forwarding.nft" > diff --git a/tools/nftables.service.8 b/tools/nftables.service.8 > new file mode 100644 > index 00000000..4a83b01c > --- /dev/null > +++ b/tools/nftables.service.8 > @@ -0,0 +1,18 @@ > +.TH nftables.service 8 "" "nftables" "nftables admin reference" > +.SH Name > +nftables.service \(em Static Firewall Configuration with nftables.service > +.SH Description > +An nftables systemd service is provided which allows to setup static firewall > +rulesets based on a configuration file. > +.PP > +To use this service, you need to create the main configuration file in > +/etc/nftables/rules/main.nft. A template for this can be copied from > +/usr/share/doc/nftables/main.nft. The static firewall configuration can be > +split up into multiple files which are included from the main.nft > +configuration file. > +.PP > +Once the desired static firewall configuration is in place, it can be tested by > +running `systemctl start nftables.service`. To enable the service at boot time, > +run `systemctl enable nftables.service`. > +.SH See also > +\fBnft\fP(8) > diff --git a/tools/nftables.service.in b/tools/nftables.service.in > new file mode 100644 > index 00000000..8d94e0fc > --- /dev/null > +++ b/tools/nftables.service.in > @@ -0,0 +1,21 @@ > +[Unit] > +Description=nftables static rule set > +Documentation=nftables.service(8) > +Wants=network-pre.target > +Before=network-pre.target shutdown.target > +Conflicts=shutdown.target > +DefaultDependencies=no > +ConditionPathExists=@pkgsysconfdir@/rules/main.nft > + > +[Service] > +Type=oneshot > +RemainAfterExit=yes > +StandardInput=null > +ProtectSystem=full > +ProtectHome=true > +ExecStart=@sbindir@/nft -f @pkgsysconfdir@/rules/main.nft > +ExecReload=@sbindir@/nft -f @pkgsysconfdir@/rules/main.nft > +ExecStop=@sbindir@/nft flush ruleset > + > +[Install] > +WantedBy=sysinit.target > -- > 2.48.1 >
