From 71d8541655679f249f4fbd99d287bcbbd0080331205a4d2729db218f5640d740 Mon Sep 17 00:00:00 2001
From: Matthias Gerstner
Date: Thu, 27 Feb 2025 12:01:17 +0100
Subject: [PATCH] Implement nftables.service for static firewall configurations (bsc#1237277)

It seems users are missing this service which is not part of the upstream project but present in most other Linux distributions. It allows to setup simple static nftables based firewalls via configuration files.
---
 README.SUSE | 15 +++++++++++++++
 main.nft | 24 ++++++++++++++++++++++++
 nftables.changes | 8 ++++++++
 nftables.service | 22 ++++++++++++++++++++++
 nftables.spec | 27 +++++++++++++++++++++++++++
 5 files changed, 96 insertions(+)
 create mode 100644 README.SUSE
 create mode 100755 main.nft
 create mode 100644 nftables.service
diff --git a/README.SUSE b/README.SUSE
new file mode 100644
index 0000000..4e10b39
--- /dev/null
+++ b/README.SUSE
@@ -0,0 +1,15 @@
+Static Firewall Configuration with nftables.service
+===================================================
+
+SUSE provides an nftables systemd service which allows to setup simple static
+firewall rule sets based on configuration files.
+
+To use this service you need to create the main configuration file in
+/etc/nftables/rules/main.nft. A simple template for this can be copied from
+/usr/etc/nftables/rules/main.nft. You can split-up the static firewall
+configuration into multiple files which are included from the main.nft
+configuration file.
+
+Once the desired static firewall configuration is in place you can test it by
+running `systemctl start nftables.service`. To enable the service at boot time
+run `systemctl enable nftables.service`.
diff --git a/main.nft b/main.nft
new file mode 100755
index 0000000..66fcdc3
--- /dev/null
+++ b/main.nft
@@ -0,0 +1,24 @@
+#!/usr/sbin/nft -f
+
+# template static firewall configuration file
+#
+# copy this over to /etc/nftables/rules/main.nft as a starting point for
+# configuring a rule set which will be loaded by nftables.service.
+
+flush ruleset
+
+table inet filter {
+ chain input {
+ type filter hook input priority filter;
+ }
+ chain forward {
+ type filter hook forward priority filter;
+ }
+ chain output {
+ type filter hook output priority filter;
+ }
+}
+
+# this can be used to split the rule set into multiple smaller files concerned
+# with specific topics, like forwarding rules
+#include "/etc/nftables/rules/forwarding.nft"
diff --git a/nftables.changes b/nftables.changes
index 2794039..e76d9e9 100644
--- a/nftables.changes
+++ b/nftables.changes
@@ -1,3 +1,11 @@
+-------------------------------------------------------------------
+Thu Feb 27 11:59:54 UTC 2025 - Matthias Gerstner
+
+- implement nftables.service for static firewall configurations (bsc#1237277).
+ It seems users are missing this service which is not part of the upstream
+ project but present in most other Linux distributions. It allows to setup
+ simple static nftables based firewalls via configuration files.
+
 -------------------------------------------------------------------
 Thu Oct 3 07:00:54 UTC 2024 - Jan Engelhardt
 
diff --git a/nftables.service b/nftables.service
new file mode 100644
index 0000000..9debfe6
--- /dev/null
+++ b/nftables.service
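Review bot: None of the three base chains in main.nft sets a `policy`, so a copy of this template loads a ruleset in which every chain accepts all traffic by default and an active nftables.service filters nothing, which an admin can easily mistake for a working firewall. The template should say so next to the chains, e.g. `# no policy is given, so this chain accepts everything; add 'policy drop;' plus explicit accept rules before relying on it as a firewall`, placed after each `type filter hook ... priority filter;` line. The comment above `flush ruleset` should also warn that it wipes every table in the kernel, not only the ones from this file, for instance `# flush ruleset removes all existing tables, including ones managed by other tools (e.g. firewalld); run only one rule-set manager per host`.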
@@ -0,0 +1,22 @@
+[Unit]
+Description=nftables static rule set
+Documentation=file:/usr/share/doc/packages/nftables/README.SUSE
+Wants=network-pre.target
+Before=network-pre.target shutdown.target
+Conflicts=shutdown.target
+DefaultDependencies=no
+AssertPathExists=/etc/nftables/rules/main.nft
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+StandardInput=null
+ProtectSystem=full
+ProtectHome=true
+AssertPathExists=/etc/nftables/rules/main.nft
+ExecStart=/usr/sbin/nft -f /etc/nftables/rules/main.nft
+ExecReload=/usr/sbin/nft -f /etc/nftables/rules/main.nft
+ExecStop=/usr/sbin/nft flush ruleset
+
+[Install]
+WantedBy=sysinit.target
diff --git a/nftables.spec b/nftables.spec
index 4dce635..1d58fcb 100644
--- a/nftables.spec
+++ b/nftables.spec
@@ -33,6 +33,9 @@ Source: http://ftp.netfilter.org/pub/%name/%name-%version.tar.xz
 Source2: http://ftp.netfilter.org/pub/%name/%name-%version.tar.xz.sig
 Source3: %name.keyring
 Source4: nftables.rpmlintrc
+Source5: main.nft
+Source6: nftables.service
+Source7: README.SUSE
 BuildRequires: %{python_module pip}
 BuildRequires: %{python_module setuptools}
 BuildRequires: %{python_module wheel}
@@ -112,6 +115,7 @@ popd
 pushd py
 %pyproject_wheel
 popd
+cp %{SOURCE7} .
 
 %install
 b="%buildroot"
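Review bot: The second `AssertPathExists=/etc/nftables/rules/main.nft` in nftables.service sits in the [Service] section, where it is not a recognised key; systemd warns about an unknown key and ignores it at load time, and the copy in [Unit] already performs the check, so the [Service] line should be removed. `ExecStop=/usr/sbin/nft flush ruleset` does more than undo ExecStart: it deletes every table in the kernel, including ones added by other tools, and through `Conflicts=shutdown.target` it also runs at shutdown, so a plain `systemctl stop` leaves the host with no packet filter at all rather than in its pre-start state. I would record that in the unit, `# ExecStop flushes the complete kernel ruleset, not only the tables loaded from main.nft`, and mention it in README.SUSE, which currently describes start and enable only.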
@@ -124,15 +128,38 @@ rm -f "%buildroot/%_libdir"/*.la
 mkdir -p "$b/%_docdir/%name/examples"
 mv -v "$b/%_datadir/nftables"/*.nft "$b/%_docdir/%name/examples/"
 
+# create directories and install files for static firewall setup via nftables.service
+install -D -d -m 0755 $b/%{_sysconfdir}/nftables/rules $b/%{_distconfdir}/nftables/rules $b/%{_unitdir}
+install -m 0755 %{SOURCE5} $b/%{_distconfdir}/nftables/rules/
+install -m 0644 %{SOURCE6} $b/%{_unitdir}/
+
 %ldconfig_scriptlets -n libnftables1
 
+%pre
+%service_add_pre nftables.service
+
+%post
+%service_add_post nftables.service
+
+%preun
+%service_del_preun nftables.service
+
+%postun
+%service_del_postun nftables.service
+
 %files
 %license COPYING
 %_sysconfdir/nftables/
+%_sysconfdir/nftables/rules
 %_sbindir/nft
 %_mandir/man5/*.5*
 %_mandir/man8/nft*
 %_docdir/%name/
+%doc README.SUSE
+%_distconfdir/nftables
+%_distconfdir/nftables/rules
+%_distconfdir/nftables/rules/main.nft
+%_unitdir/nftables.service
 
 %files -n libnftables1
 %_libdir/libnftables.so.1*
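Review bot: In the %files section, `%_sysconfdir/nftables/` and `%_distconfdir/nftables` are directory entries without `%dir`, so rpm already packages everything below them, and the new `%_sysconfdir/nftables/rules`, `%_distconfdir/nftables/rules` and `%_distconfdir/nftables/rules/main.nft` lines should trigger rpmbuild's "File listed twice" warning; either drop the redundant entries or mark the directory lines with `%dir` so each path is owned exactly once. The new `install` lines leave `$b` unquoted while the neighbouring `mkdir -p "$b/..."` and `mv -v "$b/..."` quote it, which is harmless with the default buildroot but inconsistent with the surrounding %install code. Worth a line in the changelog as well: `%service_del_preun nftables.service` presumably stops the unit on final package removal, as the SUSE service macros do, and the unit's ExecStop then flushes the whole kernel ruleset, so uninstalling the package drops whatever firewall rules were active.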