jengelh/nftables
SHA256
1
0
Fork 1
forked from pool/nftables
Code Pull Requests Activity

Implement nftables.service for static firewall configurations (bsc#1237277)

Browse Source 
It seems users are missing this service which is not part of the
upstream project but present in most other Linux distributions. It
allows to setup simple static nftables based firewalls via configuration
files.
This commit is contained in:
Matthias Gerstner 2025-02-27 12:01:17 +01:00
parent 554c6b6a3c
commit 71d8541655
No known key found for this signature in database
GPG Key ID: 14C405C971923553
5 changed files with 96 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

15
README.SUSE Normal file
View File

@ -0,0 +1,15 @@
Static Firewall Configuration with nftables.service
===================================================
SUSE provides an nftables systemd service which allows to setup simple static
firewall rule sets based on configuration files.
To use this service you need to create the main configuration file in
/etc/nftables/rules/main.nft. A simple template for this can be copied from
/usr/etc/nftables/rules/main.nft. You can split-up the static firewall
configuration into multiple files which are included from the main.nft
configuration file.
Once the desired static firewall configuration is in place you can test it by
running `systemctl start nftables.service`. To enable the service at boot time
run `systemctl enable nftables.service`.

24
main.nft Executable file
View File

@ -0,0 +1,24 @@
#!/usr/sbin/nft -f
# template static firewall configuration file
#
# copy this over to /etc/nftables/rules/main.nft as a starting point for
# configuring a rule set which will be loaded by nftables.service.
flush ruleset
table inet filter {
chain input {
type filter hook input priority filter;
}
chain forward {
type filter hook forward priority filter;
}
chain output {
type filter hook output priority filter;
}
}
# this can be used to split the rule set into multiple smaller files concerned
# with specific topics, like forwarding rules
#include "/etc/nftables/rules/forwarding.nft"

8
nftables.changes
View File

@ -1,3 +1,11 @@
-------------------------------------------------------------------
Thu Feb 27 11:59:54 UTC 2025 - Matthias Gerstner <matthias.gerstner@suse.com>
- implement nftables.service for static firewall configurations (bsc#1237277).
It seems users are missing this service which is not part of the upstream
project but present in most other Linux distributions. It allows to setup
simple static nftables based firewalls via configuration files.
------------------------------------------------------------------- -------------------------------------------------------------------
Thu Oct 3 07:00:54 UTC 2024 - Jan Engelhardt <jengelh@inai.de> Thu Oct 3 07:00:54 UTC 2024 - Jan Engelhardt <jengelh@inai.de>

22
nftables.service Normal file
View File

@ -0,0 +1,22 @@
[Unit]
Description=nftables static rule set
Documentation=file:/usr/share/doc/packages/nftables/README.SUSE
Wants=network-pre.target
Before=network-pre.target shutdown.target
Conflicts=shutdown.target
DefaultDependencies=no
AssertPathExists=/etc/nftables/rules/main.nft
[Service]
Type=oneshot
RemainAfterExit=yes
StandardInput=null
ProtectSystem=full
ProtectHome=true
AssertPathExists=/etc/nftables/rules/main.nft
ExecStart=/usr/sbin/nft -f /etc/nftables/rules/main.nft
ExecReload=/usr/sbin/nft -f /etc/nftables/rules/main.nft
ExecStop=/usr/sbin/nft flush ruleset
[Install]
WantedBy=sysinit.target

27
nftables.spec
View File

@ -33,6 +33,9 @@ Source: http://ftp.netfilter.org/pub/%name/%name-%version.tar.xz
Source2: http://ftp.netfilter.org/pub/%name/%name-%version.tar.xz.sig Source2: http://ftp.netfilter.org/pub/%name/%name-%version.tar.xz.sig
Source3: %name.keyring Source3: %name.keyring
Source4: nftables.rpmlintrc Source4: nftables.rpmlintrc
Source5: main.nft
Source6: nftables.service
Source7: README.SUSE
BuildRequires: %{python_module pip} BuildRequires: %{python_module pip}
BuildRequires: %{python_module setuptools} BuildRequires: %{python_module setuptools}
BuildRequires: %{python_module wheel} BuildRequires: %{python_module wheel}
@ -112,6 +115,7 @@ popd
pushd py pushd py
%pyproject_wheel %pyproject_wheel
popd popd
cp %{SOURCE7} .
%install %install
b="%buildroot" b="%buildroot"
@ -124,15 +128,38 @@ rm -f "%buildroot/%_libdir"/*.la
mkdir -p "$b/%_docdir/%name/examples" mkdir -p "$b/%_docdir/%name/examples"
mv -v "$b/%_datadir/nftables"/*.nft "$b/%_docdir/%name/examples/" mv -v "$b/%_datadir/nftables"/*.nft "$b/%_docdir/%name/examples/"
# create directories and install files for static firewall setup via nftables.service
install -D -d -m 0755 $b/%{_sysconfdir}/nftables/rules $b/%{_distconfdir}/nftables/rules $b/%{_unitdir}
install -m 0755 %{SOURCE5} $b/%{_distconfdir}/nftables/rules/
install -m 0644 %{SOURCE6} $b/%{_unitdir}/
%ldconfig_scriptlets -n libnftables1 %ldconfig_scriptlets -n libnftables1
%pre
%service_add_pre nftables.service
%post
%service_add_post nftables.service
%preun
%service_del_preun nftables.service
%postun
%service_del_postun nftables.service
%files %files
%license COPYING %license COPYING
%_sysconfdir/nftables/ %_sysconfdir/nftables/
%_sysconfdir/nftables/rules
%_sbindir/nft %_sbindir/nft
%_mandir/man5/*.5* %_mandir/man5/*.5*
%_mandir/man8/nft* %_mandir/man8/nft*
%_docdir/%name/ %_docdir/%name/
%doc README.SUSE
%_distconfdir/nftables
%_distconfdir/nftables/rules
%_distconfdir/nftables/rules/main.nft
%_unitdir/nftables.service
%files -n libnftables1 %files -n libnftables1
%_libdir/libnftables.so.1* %_libdir/libnftables.so.1*