tools: add a systemd unit for static rulesets

There is a customer request (bugreport) for wanting to trivially load a ruleset
from a well-known location on boot, forwarded to me by M. Gerstner. A systemd
service unit is hereby added to provide that functionality. This is based on
various distributions attempting to do the same, for example,

https://src.fedoraproject.org/rpms/nftables/tree/rawhide
https://gitlab.alpinelinux.org/alpine/aports/-/blob/master/main/nftables/nftables.initd
https://gitlab.archlinux.org/archlinux/packaging/packages/nftables
Acked-by: Eric Garver <eric@garver.life>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
Jan Engelhardt 2025-04-17 16:48:33 +02:00 committed by Pablo Neira Ayuso
parent f8701ae760
commit c4b17cf830
6 changed files with 90 additions and 5 deletions


@ -42,6 +42,12 @@ Installation instructions for nftables
The base directory for arch-independent files. Defaults to The base directory for arch-independent files. Defaults to
$prefix/share. $prefix/share.
--with-unitdir=
Directory for systemd unit files. Defaults to the value obtained from
pkg-config for systemd.pc, and ${prefix}/lib/systemd/system as a
fallback.
--disable-debug --disable-debug
Disable debugging Disable debugging


@ -377,18 +377,19 @@ dist_pkgdata_DATA = \
files/nftables/netdev-ingress.nft \ files/nftables/netdev-ingress.nft \
$(NULL) $(NULL)
pkgdocdir = ${docdir}/examples exampledir = ${docdir}/examples
dist_pkgdoc_SCRIPTS = \ dist_example_SCRIPTS = \
files/examples/ct_helpers.nft \ files/examples/ct_helpers.nft \
files/examples/load_balancing.nft \ files/examples/load_balancing.nft \
files/examples/secmark.nft \ files/examples/secmark.nft \
files/examples/sets_and_maps.nft \ files/examples/sets_and_maps.nft \
$(NULL) $(NULL)
pkgsysconfdir = ${sysconfdir}/nftables/osf pkgsysconfdir = ${sysconfdir}/${PACKAGE}
osfdir = ${pkgsysconfdir}/osf
dist_pkgsysconf_DATA = \ dist_osf_DATA = \
files/osf/pf.os \ files/osf/pf.os \
$(NULL) $(NULL)
@ -412,3 +413,10 @@ EXTRA_DIST += \
pkgconfigdir = $(libdir)/pkgconfig pkgconfigdir = $(libdir)/pkgconfig
pkgconfig_DATA = libnftables.pc pkgconfig_DATA = libnftables.pc
unit_DATA = tools/nftables.service
man_MANS = tools/nftables.service.8
doc_DATA = files/nftables/main.nft
tools/nftables.service: tools/nftables.service.in ${top_builddir}/config.status
${AM_V_GEN}${MKDIR_P} tools
${AM_V_at}sed -e 's|@''sbindir''@|${sbindir}|g;s|@''pkgsysconfdir''@|${pkgsysconfdir}|g' <${srcdir}/tools/nftables.service.in >$@
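Review bot: `man_MANS = tools/nftables.service.8` is a plain assignment; if Makefile.am already lists the existing manuals in man_MANS outside this hunk (probably under the man-page conditional), this line replaces that list and the nft manuals are no longer installed. Automake also rejects a bare `+=` to a variable that was defined only conditionally, so the robust form is the section-specific variable, `man8_MANS = tools/nftables.service.8`, which automake installs alongside man_MANS without touching it. Independently of that, the sed-generated `tools/nftables.service` does not appear in CLEANFILES and `tools/nftables.service.in` does not appear in EXTRA_DIST within this hunk; if neither is handled elsewhere, `make distclean` leaves the generated unit behind and the tarball lacks the template.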


@ -114,6 +114,16 @@ AC_CHECK_DECLS([getprotobyname_r, getprotobynumber_r, getservbyport_r], [], [],
#include <netdb.h> #include <netdb.h>
]]) ]])
AC_ARG_WITH([unitdir],
[AS_HELP_STRING([--with-unitdir=PATH], [Path to systemd service unit directory])],
[unitdir="$withval"],
[
unitdir=$("$PKG_CONFIG" systemd --variable systemdsystemunitdir 2>/dev/null)
AS_IF([test -z "$unitdir"], [unitdir='${prefix}/lib/systemd/system'])
])
AC_SUBST([unitdir])
AC_CONFIG_FILES([ \ AC_CONFIG_FILES([ \
Makefile \ Makefile \
libnftables.pc \ libnftables.pc \
@ -127,4 +137,5 @@ nft configuration:
use mini-gmp: ${with_mini_gmp} use mini-gmp: ${with_mini_gmp}
enable man page: ${enable_man_doc} enable man page: ${enable_man_doc}
libxtables support: ${with_xtables} libxtables support: ${with_xtables}
json output support: ${with_json}" json output support: ${with_json}
systemd unit: ${unitdir}"
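Review bot: The `[unitdir="$withval"]` action of the new AC_ARG_WITH takes `--without-unitdir` and `--with-unitdir=` literally, leaving unitdir set to `no` or to an empty string, so `make install` would then try to install the unit into a relative directory named `no` (or into an empty path) instead of skipping it. Either normalise those values before use, e.g. `AS_IF([test "$withval" = no -o -z "$withval"], [unitdir=], [unitdir="$withval"])`, and run the pkg-config fallback whenever unitdir ends up empty, or state in the help string that the option only accepts a path. A related surprise worth a sentence in INSTALL: the pkg-config value ignores ${prefix}, so a non-root prefix still installs the unit into the system unit directory unless DESTDIR is used.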

22
files/nftables/main.nft Normal file

@ -0,0 +1,22 @@
#!/usr/sbin/nft -f
# template static firewall configuration file
#
# copy this over to /etc/nftables/rules/main.nft as a starting point for
# configuring a rule set which will be loaded by nftables.service.
table inet filter {
chain input {
type filter hook input priority filter;
}
chain forward {
type filter hook forward priority filter;
}
chain output {
type filter hook output priority filter;
}
}
# this can be used to split the rule set into multiple smaller files concerned
# with specific topics, like forwarding rules
#include "/etc/nftables/rules/forwarding.nft"
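Review bot: The three base chains carry no `policy` statement, so a ruleset copied from this template as-is accepts every packet on input, forward and output, and nothing in the file tells the reader that the result is not yet a firewall. A comment above `table inet filter {` such as `# base chains default to "policy accept": this file filters nothing until rules are added (or "policy drop" is set and wanted traffic allow-listed)` would make that explicit. The `/etc/nftables/rules/main.nft` path in the header comment is also hard-coded, while the unit derives the same path from @pkgsysconfdir@, so the two disagree whenever sysconfdir is not /etc.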

17
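--- /dev/null
+++ b/tools/nftables.service.8
@@ -0,0 +1,17 @@
+.TH nftables.service 8 "" "nftables" "nftables admin reference"
+.SH Name
+nftables.service \(em Static Firewall Configuration with nftables.service
+.SH Description
+An nftables systemd service is provided which allows to setup static firewall
+rulesets based on a configuration file.
+.PP
+To use this service, you need to create the main configuration file in
+/etc/nftables/rules/main.nft. A template for this can be copied from
+/usr/share/doc/nftables/main.nft. Alternatively, `nft list ruleset >main.nft`
+could be used to save the active configuration (if any) to the file.
+.PP
+Once the desired static firewall configuration is in place, it can be tested by
+running `systemctl start nftables.service`. To enable the service at boot time,
+run `systemctl enable nftables.service`.
+.SH See also
+\fBnft\fP(8)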

21
tools/nftables.service.in Normal file

@ -0,0 +1,21 @@
[Unit]
Description=nftables static rule set
Documentation=man:nftables.service(8)
Wants=network-pre.target
Before=network-pre.target shutdown.target
Conflicts=shutdown.target
DefaultDependencies=no
ConditionPathExists=@pkgsysconfdir@/rules/main.nft
[Service]
Type=oneshot
RemainAfterExit=yes
StandardInput=null
ProtectSystem=full
ProtectHome=true
ExecStart=@sbindir@/nft 'flush ruleset; include "@pkgsysconfdir@/rules/main.nft"'
ExecReload=@sbindir@/nft 'flush ruleset; include "@pkgsysconfdir@/rules/main.nft"'
ExecStop=@sbindir@/nft flush ruleset
[Install]
WantedBy=sysinit.target
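Review bot: `ExecStop=@sbindir@/nft flush ruleset` (and the `flush ruleset;` prefix in ExecStart and ExecReload) acts on the whole kernel ruleset, not only on the tables this unit loaded, so `systemctl stop` — which also runs at shutdown via `Conflicts=shutdown.target` — silently removes all filtering together with any tables other software has created, and the man page does not mention it. If that is the intended semantics it should be stated in nftables.service(8), e.g. `Stopping the service flushes the entire ruleset, including tables created by other programs, and leaves the host unfiltered.` Likewise, `ConditionPathExists=` makes a missing or renamed main.nft a quiet skip rather than a failure, so an enabled service can boot into an unfiltered state without any error in `systemctl status`; a sentence about that belongs next to the enable instructions. Beyond ProtectSystem/ProtectHome, nft should need only CAP_NET_ADMIN for its netlink socket, so `CapabilityBoundingSet=CAP_NET_ADMIN` would bound the process while it parses the ruleset, though I have not verified nft under that bounding set and it should be tested before adoption.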