On 19.07.19 at 16:38, Amish wrote:
> On 19/07/19 12:31 pm, Trent W. Buck wrote:
>> Hi, I've just started experimenting with nft instead of iptables-restore.
>> AFAICT the "include" directive reads exactly one file.
>> I want to include a whole directory at once, so
>> that individual packages can "drop in" rules.
>
> I have put this in /etc/nftables.conf
>
> include /etc/nftables.d/*.nft
>
> And it works.
>
> From man page: (man nft)
>
> Include statements support the usual shell wildcard symbols (*,?,[]).
> Having no matches for an include statement is not an error, if wildcard
> symbols are used in the include statement. This allows having
> potentially empty include directories for statements like include
> "/etc/firewall/rules/*". The wildcard matches are loaded in alphabetical
> order. Files beginning with dot (.) are not matched by include statements.
>
> PS: Btw, I would *never* like a package taking control over my firewall
> rules. So this should definitely *not* be default. Whoever wants it can
> simply add an include directive in their nftables.conf file

FWIW: when a package is touching "/etc/systemd/system" the packager needs a clap on his fingers, that's unconditionally admin-only territory, while the admin needs a clap on his fingers when he touches /usr/lib/systemd/system, which is package territory. Other than the initscript mess, systemd is properly structured.
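A worked layout for the wildcard include discussed above, added here as an illustration and not taken from the thread or from any distribution's packaging. The paths (/etc/nftables.conf, /etc/nftables.d/), the table and chain names, and the sshd drop-in are assumptions chosen for the example. The point it shows beyond the man page text: keep `flush ruleset` and the chain policies in the admin-owned top-level file, give drop-ins a dedicated chain so a package can only append accept rules after the admin's own state checks, and rely on the documented include semantics (alphabetical load order, dotfiles skipped, an empty directory is not an error) to control ordering and to disable a fragment without deleting it.

```nft
#!/usr/sbin/nft -f
# /etc/nftables.conf  (assumed path; admin territory, not touched by packages)

flush ruleset   # only here: a drop-in that flushes would discard everything loaded before it

table inet filter {
    # Declared before "input" so the jump target exists when the rule is parsed.
    # Empty by default; drop-in files append to it with "add rule".
    chain dropins {
    }

    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop
        iif lo accept
        # Packages only get a say here, after the admin's own checks;
        # they cannot change the hook, the priority or the drop policy.
        jump dropins
    }
}

# Wildcard include, as in Amish's message (quotes are the documented syntax):
#  - no matching file is not an error, so the directory may stay empty
#  - files are loaded in alphabetical order: number the names to order them
#  - names starting with "." are skipped, so renaming 20-sshd.nft to
#    .20-sshd.nft disables that fragment without deleting it
include "/etc/nftables.d/*.nft"

# --- /etc/nftables.d/20-sshd.nft  (assumed drop-in; one file per service) ---
# Appends to the chain reserved for drop-ins; the table is already defined
# because the top-level file is parsed first within the same "nft -f" batch.
add rule inet filter dropins tcp dport 22 ct state new accept
```

Check the whole tree without touching the running ruleset with `nft -c -f /etc/nftables.conf`; it parses the top-level file plus every matching drop-in and reports the file and line of any error. Note that the dedicated chain is a convention, not a sandbox: anything the glob matches is parsed with full nft privileges and could just as well write `add rule inet filter input ... accept`, so the include directory and its contents must stay root-owned and writable only by whoever you trust with the firewall, which is exactly Amish's objection to making a package-writable include the default.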