Hi, I've just started experimenting with nft instead of iptables-restore. AFAICT the "include" directive reads exactly one file. I want to include a whole directory at once, so that individual packages can "drop in" rules. For example, the sshguard package currently runs an ExecStart= command, instead of using /etc/nftables.conf.d/50-sshguard.nft. Are there any plans to have something like this?

Note that it's important to ignore things like "foo.nft.bak" and "foo.nft.~1~" and ".#foo.nft#", so just using glob/fnmatch is undesirable.

Here is a draft workaround using run-parts --list, which I think is Debian-specific.

/etc/systemd/system/nftables.service.d/override.conf:

[Service]
# Pre-expand out the rules
ExecStartPre=/bin/sh -ec "if [ -e /etc/nftables.conf ]; then echo /etc/nftables.conf; fi >/run/nftables.conf"
ExecStartPre=/bin/sh -ec "if [ -d /etc/nftables.conf.d ]; then run-parts --list /etc/nftables.conf.d; fi >>/run/nftables.conf"
ExecStartPre=/bin/sed -i -e "s/.*/include \"&\"/" -- /run/nftables.conf
# Change what path nft -f gets
ExecStart=
ExecReload=
ExecStart=/usr/sbin/nft --file=/run/nftables.conf
ExecReload=/usr/sbin/nft --file=/run/nftables.conf
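A portable stand-in for the run-parts --list step in the workaround above, added here as an example and not part of the original post: a POSIX sh function that emits one nft include line per drop-in file and rejects editor and backup leftovers (foo.nft.bak, foo.nft.~1~, .#foo.nft#) by accepting only names of the form NAME.nft with NAME restricted to letters, digits, '_' and '-'. The directory layout /etc/nftables.conf.d/NN-name.nft is assumed from the post.

```shell
#!/bin/sh
# Added example: generate the include list for /run/nftables.conf without
# relying on Debian's run-parts. Accepted names look like 50-sshguard.nft;
# anything else in the directory is silently skipped.

# Print 'include "/abs/path"' for each accepted file in DIR, in glob order.
gen_nft_includes() {
    dir=$1
    [ -d "$dir" ] || return 0
    for path in "$dir"/*; do          # the glob already skips dotfiles (.#foo.nft#)
        [ -f "$path" ] || continue    # ignore subdirectories and dangling entries
        name=${path##*/}
        case $name in
            *.nft) ;;                 # must end in .nft (drops .bak and .~1~)
            *) continue ;;
        esac
        stem=${name%.nft}
        case $stem in                 # stem: letters, digits, '_' and '-' only
            ''|*[!A-Za-z0-9_-]*) continue ;;
        esac
        printf 'include "%s"\n' "$path"
    done
}

# Build the whole generated file: the main config first (if present), then
# the drop-ins. MAIN and DIR are paths; output goes to stdout.
build_nft_main() {
    main=$1
    dir=$2
    [ -e "$main" ] && printf 'include "%s"\n' "$main"
    gen_nft_includes "$dir"
}
```

Pointing nft at the generated file (nft --file=/run/nftables.conf, as in the override above) keeps a single load step, so a syntax error in any drop-in still fails the unit as a whole rather than leaving a partial ruleset.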