diff --git a/README.SUSE b/README.SUSE
new file mode 100644
index 0000000..4e10b39
--- /dev/null
+++ b/README.SUSE
@@ -0,0 +1,15 @@
+Static Firewall Configuration with nftables.service
+===================================================
+
+SUSE provides an nftables systemd service which allows to setup simple static
+firewall rule sets based on configuration files.
+
+To use this service you need to create the main configuration file in
+/etc/nftables/rules/main.nft. A simple template for this can be copied from
+/usr/etc/nftables/rules/main.nft. You can split-up the static firewall
+configuration into multiple files which are included from the main.nft
+configuration file.
+
+Once the desired static firewall configuration is in place you can test it by
+running `systemctl start nftables.service`. To enable the service at boot time
+run `systemctl enable nftables.service`.
diff --git a/main.nft b/main.nft
new file mode 100755
index 0000000..66fcdc3
--- /dev/null
+++ b/main.nft
@@ -0,0 +1,24 @@
+#!/usr/sbin/nft -f
+
+# template static firewall configuration file
+#
+# copy this over to /etc/nftables/rules/main.nft as a starting point for
+# configuring a rule set which will be loaded by nftables.service.
+
+flush ruleset
+
+table inet filter {
+ chain input {
+ type filter hook input priority filter;
+ }
+ chain forward {
+ type filter hook forward priority filter;
+ }
+ chain output {
+ type filter hook output priority filter;
+ }
+}
+
+# this can be used to split the rule set into multiple smaller files concerned
+# with specific topics, like forwarding rules
+#include "/etc/nftables/rules/forwarding.nft"
diff --git a/nftables.changes b/nftables.changes
index 2794039..e76d9e9 100644
--- a/nftables.changes
+++ b/nftables.changes
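Review bot: None of the three chains in the `table inet filter` block of main.nft declares a `policy`, and an nftables base chain without one defaults to `accept`, so the template as shipped passes all input, forward and output traffic even though the README presents it as a firewall starting point. Making that explicit shows an admin what has to change, e.g. `type filter hook input priority filter; policy accept;` on each chain plus a comment such as `# switch the policy to drop once rules that keep your own access working (loopback, established connections, remote administration) are in place`. The leading `flush ruleset` also removes every table in the kernel, not only the ones defined in this file, including tables created by other software on the host; a one-line comment next to it stating that would save surprises. The commented-out `#include` example is fine as it stands.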
@@ -1,3 +1,11 @@
+-------------------------------------------------------------------
+Thu Feb 27 11:59:54 UTC 2025 - Matthias Gerstner
+
+- implement nftables.service for static firewall configurations (bsc#1237277).
+ It seems users are missing this service which is not part of the upstream
+ project but present in most other Linux distributions. It allows to setup
+ simple static nftables based firewalls via configuration files.
+
 -------------------------------------------------------------------
 Thu Oct 3 07:00:54 UTC 2024 - Jan Engelhardt
diff --git a/nftables.service b/nftables.service
new file mode 100644
index 0000000..9debfe6
--- /dev/null
+++ b/nftables.service
@@ -0,0 +1,22 @@
+[Unit]
+Description=nftables static rule set
+Documentation=file:/usr/share/doc/packages/nftables/README.SUSE
+Wants=network-pre.target
+Before=network-pre.target shutdown.target
+Conflicts=shutdown.target
+DefaultDependencies=no
+AssertPathExists=/etc/nftables/rules/main.nft
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+StandardInput=null
+ProtectSystem=full
+ProtectHome=true
+AssertPathExists=/etc/nftables/rules/main.nft
+ExecStart=/usr/sbin/nft -f /etc/nftables/rules/main.nft
+ExecReload=/usr/sbin/nft -f /etc/nftables/rules/main.nft
+ExecStop=/usr/sbin/nft flush ruleset
+
+[Install]
+WantedBy=sysinit.target
diff --git a/nftables.spec b/nftables.spec
index 4dce635..1d58fcb 100644
--- a/nftables.spec
+++ b/nftables.spec
@@ -33,6 +33,9 @@ Source: http://ftp.netfilter.org/pub/%name/%name-%version.tar.xz
 Source2: http://ftp.netfilter.org/pub/%name/%name-%version.tar.xz.sig
 Source3: %name.keyring
 Source4: nftables.rpmlintrc
+Source5: main.nft
+Source6: nftables.service
+Source7: README.SUSE
 BuildRequires: %{python_module pip}
 BuildRequires: %{python_module setuptools}
 BuildRequires: %{python_module wheel}
@@ -112,6 +115,7 @@ popd
 pushd py
 %pyproject_wheel
 popd
+cp %{SOURCE7} .
 %install
 b="%buildroot"
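Review bot: `AssertPathExists=/etc/nftables/rules/main.nft` is repeated inside `[Service]`, but it is a `[Unit]`-section directive, so systemd treats the second copy as an unknown key for that section and ignores it with a load-time warning; the line in `[Unit]` already does the job and the `[Service]` copy should be dropped. `ExecStop=/usr/sbin/nft flush ruleset` removes the complete kernel ruleset, not just what main.nft loaded, so `systemctl stop nftables.service` (and the shutdown path via `Conflicts=shutdown.target`) leaves the host with no nftables rules at all, including any installed by other components; comparable units in other distributions behave the same way, but README.SUSE should state it, e.g. `Stopping the service flushes the complete nftables ruleset, including rules added by other tools.` The unit runs nft as root with only `ProtectSystem=full` and `ProtectHome=true`; since the rules file is root-owned configuration that is acceptable, though a `CapabilityBoundingSet=CAP_NET_ADMIN` line would narrow what the service can do if that capability proves sufficient for nft (verify before adding).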
@@ -124,15 +128,38 @@ rm -f "%buildroot/%_libdir"/*.la
 mkdir -p "$b/%_docdir/%name/examples"
 mv -v "$b/%_datadir/nftables"/*.nft "$b/%_docdir/%name/examples/"
+# create directories and install files for static firewall setup via nftables.service
+install -D -d -m 0755 $b/%{_sysconfdir}/nftables/rules $b/%{_distconfdir}/nftables/rules $b/%{_unitdir}
+install -m 0755 %{SOURCE5} $b/%{_distconfdir}/nftables/rules/
+install -m 0644 %{SOURCE6} $b/%{_unitdir}/
+
 %ldconfig_scriptlets -n libnftables1
+%pre
+%service_add_pre nftables.service
+
+%post
+%service_add_post nftables.service
+
+%preun
+%service_del_preun nftables.service
+
+%postun
+%service_del_postun nftables.service
+
 %files
 %license COPYING
 %_sysconfdir/nftables/
+%_sysconfdir/nftables/rules
 %_sbindir/nft
 %_mandir/man5/*.5*
 %_mandir/man8/nft*
 %_docdir/%name/
+%doc README.SUSE
+%_distconfdir/nftables
+%_distconfdir/nftables/rules
+%_distconfdir/nftables/rules/main.nft
+%_unitdir/nftables.service
 %files -n libnftables1
 %_libdir/libnftables.so.1*
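Review bot: The new `%files` entries list the same paths more than once: `%_sysconfdir/nftables/` already packages everything beneath it, so `%_sysconfdir/nftables/rules` is redundant, and `%_distconfdir/nftables` (a directory entry without `%dir`) already pulls in `rules` and `rules/main.nft`, so rpmbuild will warn about files listed twice. Either keep only `%_distconfdir/nftables`, or spell the tree out as `%dir %_distconfdir/nftables`, `%dir %_distconfdir/nftables/rules` and `%_distconfdir/nftables/rules/main.nft`. The three new `install` lines use an unquoted `$b` while the surrounding context quotes it (`"$b/%_docdir/%name/examples"`), so `"$b/%{_sysconfdir}/nftables/rules"` and friends would match the file's style. On package upgrade `%service_del_postun` presumably restarts the unit, which re-runs main.nft including its `flush ruleset`; `nft -f` applies the file as one transaction so this should not open a window, but it is worth confirming that reloading the admin's rules on every update is the intended behaviour.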