forked from pool/nftables
Implement nftables.service for static firewall configurations (bsc#1237277)
It seems users are missing this service which is not part of the upstream project but present in most other Linux distributions. It allows to setup simple static nftables based firewalls via configuration files.
This commit is contained in:
Matthias Gerstner
parent
554c6b6a3c
commit
71d8541655
15
README.SUSE
Normal file
15
README.SUSE
Normal file
@ -0,0 +1,15 @@
|
||||
Static Firewall Configuration with nftables.service
|
||||
===================================================
|
||||
|
||||
SUSE provides an nftables systemd service which allows to setup simple static
|
||||
firewall rule sets based on configuration files.
|
||||
|
||||
To use this service you need to create the main configuration file in
|
||||
/etc/nftables/rules/main.nft. A simple template for this can be copied from
|
||||
/usr/etc/nftables/rules/main.nft. You can split-up the static firewall
|
||||
configuration into multiple files which are included from the main.nft
|
||||
configuration file.
|
||||
|
||||
Once the desired static firewall configuration is in place you can test it by
|
||||
running `systemctl start nftables.service`. To enable the service at boot time
|
||||
run `systemctl enable nftables.service`.
|
||||
24
main.nft
Executable file
24
main.nft
Executable file
@ -0,0 +1,24 @@
|
||||
#!/usr/sbin/nft -f
|
||||
|
||||
# template static firewall configuration file
|
||||
#
|
||||
# copy this over to /etc/nftables/rules/main.nft as a starting point for
|
||||
# configuring a rule set which will be loaded by nftables.service.
|
||||
|
||||
flush ruleset
|
||||
|
||||
table inet filter {
|
||||
chain input {
|
||||
type filter hook input priority filter;
|
||||
}
|
||||
chain forward {
|
||||
type filter hook forward priority filter;
|
||||
}
|
||||
chain output {
|
||||
type filter hook output priority filter;
|
||||
}
|
||||
}
|
||||
|
||||
# this can be used to split the rule set into multiple smaller files concerned
|
||||
# with specific topics, like forwarding rules
|
||||
#include "/etc/nftables/rules/forwarding.nft"
|
||||
@ -1,3 +1,11 @@
|
||||
-------------------------------------------------------------------
|
||||
Thu Feb 27 11:59:54 UTC 2025 - Matthias Gerstner <matthias.gerstner@suse.com>
|
||||
|
||||
- implement nftables.service for static firewall configurations (bsc#1237277).
|
||||
It seems users are missing this service which is not part of the upstream
|
||||
project but present in most other Linux distributions. It allows to setup
|
||||
simple static nftables based firewalls via configuration files.
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Thu Oct 3 07:00:54 UTC 2024 - Jan Engelhardt <jengelh@inai.de>
|
||||
|
||||
|
||||
22
nftables.service
Normal file
22
nftables.service
Normal file
@ -0,0 +1,22 @@
|
||||
[Unit]
|
||||
Description=nftables static rule set
|
||||
Documentation=file:/usr/share/doc/packages/nftables/README.SUSE
|
||||
Wants=network-pre.target
|
||||
Before=network-pre.target shutdown.target
|
||||
Conflicts=shutdown.target
|
||||
DefaultDependencies=no
|
||||
AssertPathExists=/etc/nftables/rules/main.nft
|
||||
|
||||
[Service]
|
||||
Type=oneshot
|
||||
RemainAfterExit=yes
|
||||
StandardInput=null
|
||||
ProtectSystem=full
|
||||
ProtectHome=true
|
||||
AssertPathExists=/etc/nftables/rules/main.nft
|
||||
ExecStart=/usr/sbin/nft -f /etc/nftables/rules/main.nft
|
||||
ExecReload=/usr/sbin/nft -f /etc/nftables/rules/main.nft
|
||||
ExecStop=/usr/sbin/nft flush ruleset
|
||||
|
||||
[Install]
|
||||
WantedBy=sysinit.target
|
||||
@ -33,6 +33,9 @@ Source: http://ftp.netfilter.org/pub/%name/%name-%version.tar.xz
|
||||
Source2: http://ftp.netfilter.org/pub/%name/%name-%version.tar.xz.sig
|
||||
Source3: %name.keyring
|
||||
Source4: nftables.rpmlintrc
|
||||
Source5: main.nft
|
||||
Source6: nftables.service
|
||||
Source7: README.SUSE
|
||||
BuildRequires: %{python_module pip}
|
||||
BuildRequires: %{python_module setuptools}
|
||||
BuildRequires: %{python_module wheel}
|
||||
@ -112,6 +115,7 @@ popd
|
||||
pushd py
|
||||
%pyproject_wheel
|
||||
popd
|
||||
cp %{SOURCE7} .
|
||||
|
||||
%install
|
||||
b="%buildroot"
|
||||
@ -124,15 +128,38 @@ rm -f "%buildroot/%_libdir"/*.la
|
||||
mkdir -p "$b/%_docdir/%name/examples"
|
||||
mv -v "$b/%_datadir/nftables"/*.nft "$b/%_docdir/%name/examples/"
|
||||
|
||||
# create directories and install files for static firewall setup via nftables.service
|
||||
install -D -d -m 0755 $b/%{_sysconfdir}/nftables/rules $b/%{_distconfdir}/nftables/rules $b/%{_unitdir}
|
||||
install -m 0755 %{SOURCE5} $b/%{_distconfdir}/nftables/rules/
|
||||
install -m 0644 %{SOURCE6} $b/%{_unitdir}/
|
||||
|
||||
%ldconfig_scriptlets -n libnftables1
|
||||
|
||||
%pre
|
||||
%service_add_pre nftables.service
|
||||
|
||||
%post
|
||||
%service_add_post nftables.service
|
||||
|
||||
%preun
|
||||
%service_del_preun nftables.service
|
||||
|
||||
%postun
|
||||
%service_del_postun nftables.service
|
||||
|
||||
%files
|
||||
%license COPYING
|
||||
%_sysconfdir/nftables/
|
||||
%_sysconfdir/nftables/rules
|
||||
%_sbindir/nft
|
||||
%_mandir/man5/*.5*
|
||||
%_mandir/man8/nft*
|
||||
%_docdir/%name/
|
||||
%doc README.SUSE
|
||||
%_distconfdir/nftables
|
||||
%_distconfdir/nftables/rules
|
||||
%_distconfdir/nftables/rules/main.nft
|
||||
%_unitdir/nftables.service
|
||||
|
||||
%files -n libnftables1
|
||||
%_libdir/libnftables.so.1*
|
||||
|
||||
Loading…
x
Reference in New Issue
Block a user