On 19/07/19 12:31 pm, Trent W. Buck wrote:
> Hi, I've just started experimenting with nft instead of iptables-restore.
> AFAICT the "include" directive reads exactly one file.
> I want to include a whole directory at once, so
> that individual packages can "drop in" rules.
> I have put this in /etc/nftables.conf
>     include "/etc/nftables.d/*.nft"
> And it works.
From the man page (man nft):
Include statements support the usual shell wildcard symbols (*,?,[]).
Having no matches for an include statement is not an error, if wildcard
symbols are used in the include statement. This allows having
potentially empty include directories for statements like include
"/etc/firewall/rules/". The wildcard matches are loaded in alphabetical
order. Files beginning with dot (.) are not matched by include statements.
PS: Btw, I would *never* like a package taking control over my firewall
rules. So this should definitely *not* be default. Whoever wants it can
simply add an include directive to their nftables.conf file.
Regards,
Amish
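As an added example (not part of this thread, and not nft's own code), the following Python script mirrors the include rules quoted from nft(8) above, so an administrator can audit which drop-in files a config will actually load, and in what (alphabetical, hence precedence) order, before running `nft -f`. Its relative-path handling and the constructed sample tree in `demo()` are this example's own assumptions.

```python
import glob
import os
import re
import tempfile

# One nft include statement per line, e.g.:  include "/etc/nftables.d/*.nft"
INCLUDE_RE = re.compile(r'^\s*include\s+"([^"]+)"')


def expand_include(pattern):
    """Files one include statement loads, in load order, per nft(8): wildcards
    (*,?,[]) are expanded, matches are sorted alphabetically, dotfiles are
    skipped, and "no match" is an error only if the pattern has no wildcard."""
    has_wildcard = any(c in "*?[" for c in pattern)
    matches = sorted(p for p in glob.glob(pattern)
                     if not os.path.basename(p).startswith("."))
    if not matches and not has_wildcard:
        raise FileNotFoundError(f'include "{pattern}": no such file')
    return matches


def load_order(path, _stack=()):
    """Follow includes recursively; return files in the order they are opened.
    Assumption of this example: relative patterns are resolved against the
    including file's directory (real nft uses its include search path)."""
    path = os.path.abspath(path)
    if path in _stack:
        raise RecursionError("include loop via " + path)
    order = [path]
    with open(path) as fh:
        for line in fh:
            m = INCLUDE_RE.match(line)
            if m:  # os.path.join leaves an absolute pattern unchanged
                pattern = os.path.join(os.path.dirname(path), m.group(1))
                for child in expand_include(pattern):
                    order += load_order(child, _stack + (path,))
    return order


def demo():
    """Build a constructed drop-in tree in a temp dir and audit its load order."""
    root = tempfile.mkdtemp()
    os.mkdir(os.path.join(root, "nftables.d"))
    os.mkdir(os.path.join(root, "empty.d"))  # wildcard with no match: allowed
    files = {
        "nftables.conf": 'flush ruleset\ninclude "nftables.d/*.nft"\n'
                         'include "empty.d/*.nft"\n',
        "nftables.d/20-ssh.nft": "# constructed drop-in\n",
        "nftables.d/10-base.nft": "# constructed drop-in\n",
        "nftables.d/.swap.nft": "# dotfile, must be skipped\n",
        "nftables.d/README.txt": "# wrong suffix, not matched\n",
    }
    for name, body in files.items():
        with open(os.path.join(root, name), "w") as fh:
            fh.write(body)
    conf = os.path.join(root, "nftables.conf")
    return [os.path.relpath(p, root) for p in load_order(conf)]
```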