From ee8a28dc131845f920b4df0dd83d58a91668d26f3166c5d998ca68c64fa7d748 Mon Sep 17 00:00:00 2001
From: Jan Engelhardt
Date: Fri, 28 Feb 2025 20:03:02 +0100
Subject: [PATCH] Add 0001-tools-add-a-systemd-unit-for-static-rulesets.patch
---
 ...d-a-systemd-unit-for-static-rulesets.patch | 173 ++++++++++++++++++
 nftables.changes | 6 +
 nftables.spec | 20 +-
 3 files changed, 197 insertions(+), 2 deletions(-)
 create mode 100644 0001-tools-add-a-systemd-unit-for-static-rulesets.patch
diff --git a/0001-tools-add-a-systemd-unit-for-static-rulesets.patch b/0001-tools-add-a-systemd-unit-for-static-rulesets.patch
new file mode 100644
index 0000000..b299483
--- /dev/null
+++ b/0001-tools-add-a-systemd-unit-for-static-rulesets.patch
@@ -0,0 +1,173 @@
+From f08b34c9cba43879259c0b095c50efd3e6e66250 Mon Sep 17 00:00:00 2001
+From: Jan Engelhardt
+Date: Fri, 28 Feb 2025 19:45:01 +0100
+Subject: [PATCH] tools: add a systemd unit for static rulesets
+References: https://lore.kernel.org/netfilter-devel/20250228205935.59659-1-jengelh@inai.de/T/#u (v1)
+Notes-v2: the Documentation= line needed a "man:" infix
+
+There is a customer request (bugreport) for wanting to trivially load a ruleset
+from a well-known location on boot, forwarded to me by M. Gerstner. A systemd
+service unit is hereby added to provide that functionality. This is based on
+various distributions attempting to do same, cf.
+
+https://src.fedoraproject.org/rpms/nftables/tree/rawhide
+https://gitlab.alpinelinux.org/alpine/aports/-/blob/master/main/nftables/nftables.initd
+https://gitlab.archlinux.org/archlinux/packaging/packages/nftables
+
+Cc: Matthias Gerstner
+---
+ .gitignore | 1 +
+ Makefile.am | 16 ++++++++++++----
+ configure.ac | 10 ++++++++++
+ files/nftables/main.nft | 24 ++++++++++++++++++++++++
+ tools/nftables.service.8 | 18 ++++++++++++++++++
+ tools/nftables.service.in | 21 +++++++++++++++++++++
+ 6 files changed, 86 insertions(+), 4 deletions(-)
+ create mode 100644 files/nftables/main.nft
+ create mode 100644 tools/nftables.service.8
+ create mode 100644 tools/nftables.service.in
+
+diff --git a/Makefile.am b/Makefile.am
+index fb64105d..050991f4 100644
+--- a/Makefile.am
++++ b/Makefile.am
+@@ -375,18 +375,19 @@ dist_pkgdata_DATA = \
+ files/nftables/netdev-ingress.nft \
+ $(NULL)
+ 
+-pkgdocdir = ${docdir}/examples
++exampledir = ${docdir}/examples
+ 
+-dist_pkgdoc_SCRIPTS = \
++dist_example_SCRIPTS = \
+ files/examples/ct_helpers.nft \
+ files/examples/load_balancing.nft \
+ files/examples/secmark.nft \
+ files/examples/sets_and_maps.nft \
+ $(NULL)
+ 
+-pkgsysconfdir = ${sysconfdir}/nftables/osf
++pkgsysconfdir = ${sysconfdir}/${PACKAGE}
++osfdir = ${pkgsysconfdir}/osf
+ 
+-dist_pkgsysconf_DATA = \
++dist_osf_DATA = \
+ files/osf/pf.os \
+ $(NULL)
+ 
+@@ -410,3 +411,10 @@ EXTRA_DIST += \
+ 
+ pkgconfigdir = $(libdir)/pkgconfig
+ pkgconfig_DATA = libnftables.pc
++unit_DATA = tools/nftables.service
++man_MANS = tools/nftables.service.8
++doc_DATA = files/nftables/main.nft
++
++tools/nftables.service: tools/nftables.service.in ${top_builddir}/config.status
++ ${AM_V_GEN}${MKDIR_P} tools
++ ${AM_V_at}sed -e 's|@''sbindir''@|${sbindir}|g;s|@''pkgsysconfdir''@|${pkgsysconfdir}|g' <${srcdir}/tools/nftables.service.in >$@
+diff --git a/configure.ac b/configure.ac
+index 80a64813..64a164e5 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -114,6 +114,16 @@ AC_CHECK_DECLS([getprotobyname_r, getprotobynumber_r, getservbyport_r], [], [],
+ #include
+ ]])
+ 
++AC_ARG_WITH([unitdir],
++ [AS_HELP_STRING([--with-unitdir=PATH], [Path to systemd service unit directory])],
++ [unitdir="$withval"],
++ [
++ unitdir=$("$PKG_CONFIG" systemd --variable systemdsystemunitdir 2>/dev/null)
++ AS_IF([test -z "$unitdir"], [unitdir='${prefix}/lib/systemd/system'])
++ ])
++AC_SUBST([unitdir])
++
++
+ AC_CONFIG_FILES([ \
+ Makefile \
+ libnftables.pc \
+diff --git a/files/nftables/main.nft b/files/nftables/main.nft
+new file mode 100644
+index 00000000..8e62f9bc
+--- /dev/null
++++ b/files/nftables/main.nft
+@@ -0,0 +1,24 @@
++#!/usr/sbin/nft -f
++
++# template static firewall configuration file
++#
++# copy this over to /etc/nftables/rules/main.nft as a starting point for
++# configuring a rule set which will be loaded by nftables.service.
++
++flush ruleset
++
++table inet filter {
++ chain input {
++ type filter hook input priority filter;
++ }
++ chain forward {
++ type filter hook forward priority filter;
++ }
++ chain output {
++ type filter hook output priority filter;
++ }
++}
++
++# this can be used to split the rule set into multiple smaller files concerned
++# with specific topics, like forwarding rules
++#include "/etc/nftables/rules/forwarding.nft"
+diff --git a/tools/nftables.service.8 b/tools/nftables.service.8
+new file mode 100644
+index 00000000..4a83b01c
+--- /dev/null
++++ b/tools/nftables.service.8
+@@ -0,0 +1,18 @@
++.TH nftables.service 8 "" "nftables" "nftables admin reference"
++.SH Name
++nftables.service \(em Static Firewall Configuration with nftables.service
++.SH Description
++An nftables systemd service is provided which allows to setup static firewall
++rulesets based on a configuration file.
++.PP
++To use this service, you need to create the main configuration file in
++/etc/nftables/rules/main.nft. A template for this can be copied from
++/usr/share/doc/nftables/main.nft. The static firewall configuration can be
++split up into multiple files which are included from the main.nft
++configuration file.
++.PP
++Once the desired static firewall configuration is in place, it can be tested by
++running `systemctl start nftables.service`. To enable the service at boot time,
++run `systemctl enable nftables.service`.
++.SH See also
++\fBnft\fP(8)
+diff --git a/tools/nftables.service.in b/tools/nftables.service.in
+new file mode 100644
+index 00000000..f2f07126
+--- /dev/null
++++ b/tools/nftables.service.in
+@@ -0,0 +1,21 @@
++[Unit]
++Description=nftables static rule set
++Documentation=man:nftables.service(8)
++Wants=network-pre.target
++Before=network-pre.target shutdown.target
++Conflicts=shutdown.target
++DefaultDependencies=no
++ConditionPathExists=@pkgsysconfdir@/rules/main.nft
++
++[Service]
++Type=oneshot
++RemainAfterExit=yes
++StandardInput=null
++ProtectSystem=full
++ProtectHome=true
++ExecStart=@sbindir@/nft -f @pkgsysconfdir@/rules/main.nft
++ExecReload=@sbindir@/nft -f @pkgsysconfdir@/rules/main.nft
++ExecStop=@sbindir@/nft flush ruleset
++
++[Install]
++WantedBy=sysinit.target
+-- 
+2.48.1
+
diff --git a/nftables.changes b/nftables.changes
index 2794039..2b1b5d1 100644
--- a/nftables.changes
+++ b/nftables.changes
@@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Tue Mar 4 08:01:21 UTC 2025 - Jan Engelhardt
+
+- Add 0001-tools-add-a-systemd-unit-for-static-rulesets.patch
+ [boo#1237277]
+
 -------------------------------------------------------------------
 Thu Oct 3 07:00:54 UTC 2024 - Jan Engelhardt
 
diff --git a/nftables.spec b/nftables.spec
index 4bc96b4..f3470a7 100644
--- a/nftables.spec
+++ b/nftables.spec
@@ -1,7 +1,7 @@
 #
 # spec file for package nftables
 #
-# Copyright (c) 2024 SUSE LLC
+# Copyright (c) 2025 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
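Review bot: `ExecStop=@sbindir@/nft flush ruleset` in tools/nftables.service.in clears every table in every address family, not just the `inet filter` table that main.nft defines, so `systemctl stop nftables.service` leaves the host with no packet filtering at all and also discards tables installed by other components, and the `Conflicts=shutdown.target` ordering runs that same flush early in shutdown. `ExecReload` is a plain `nft -f`, which replaces rather than appends only because the shipped main.nft begins with `flush ruleset`; an administrator who drops that line from their copy gets duplicated rules on every reload. Neither behaviour is stated in tools/nftables.service.8; I would add to its Description section a sentence such as `Stopping the service flushes the whole nftables ruleset, including tables not created by main.nft, and main.nft must begin with "flush ruleset" for a reload to replace the active rules instead of adding to them.` `ConditionPathExists` also turns a missing main.nft into a silent skip rather than a failed unit, which the man page should say so that an operator does not mistake an inactive service for an installed firewall.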
@@ -33,6 +33,7 @@ Source: http://ftp.netfilter.org/pub/%name/%name-%version.tar.xz
 Source2: http://ftp.netfilter.org/pub/%name/%name-%version.tar.xz.sig
 Source3: %name.keyring
 Source4: nftables.rpmlintrc
+Patch1: 0001-tools-add-a-systemd-unit-for-static-rulesets.patch
 BuildRequires: %{python_module pip}
 BuildRequires: %{python_module setuptools}
 BuildRequires: %{python_module wheel}
@@ -116,6 +117,7 @@ cd -
 %install
 b="%buildroot"
 %make_install -C obj
+perl -i -lpe 's{^(Conflicts=.*)}{$1 firewalld.service}' "$b/%_unitdir/nftables.service"
 cd py
 %pyproject_install
 %python_expand %fdupes %buildroot/%{$python_sitelib}
@@ -125,13 +127,27 @@ mv -v "$b/%_datadir/nftables"/*.nft "$b/%_docdir/%name/examples/"
 
 %ldconfig_scriptlets -n libnftables1
 
+%pre
+%service_add_pre nftables.service
+
+%post
+%service_add_post nftables.service
+
+%preun
+%service_del_preun nftables.service
+
+%postun
+%service_del_postun nftables.service
+
 %files
 %license COPYING
-%_sysconfdir/nftables/
+%dir %_sysconfdir/nftables/
+%_sysconfdir/nftables/osf/
 %_sbindir/nft
 %_mandir/man5/*.5*
 %_mandir/man8/nft*
 %_docdir/%name/
+%_unitdir/nftables.service
 
 %files -n libnftables1
 %_libdir/libnftables.so.1*
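Review bot: The `perl -i -lpe` edit in the %install hunk is unchecked, so if the upstream unit ever drops or renames its `Conflicts=` line the substitution becomes a no-op and the package still builds with a unit that can run alongside firewalld, whose nftables tables this unit's ExecStop would then flush; add a guard right after it, `grep -q '^Conflicts=.*firewalld.service' "$b/%_unitdir/nftables.service"`. The %files hunk packages `%dir %_sysconfdir/nftables/` and the osf subdirectory but not the `rules/` directory in which the unit's ConditionPathExists and the man page expect main.nft, so an administrator has to create it by hand; creating it in %install and listing `%dir %_sysconfdir/nftables/rules/` would make the documented location exist after installation. The spec does not visibly pass `--with-unitdir` to configure, so the install path relies on pkg-config's systemd variable agreeing with %_unitdir; that is presumably true here but is worth pinning explicitly so a build without that variable does not land the unit under `${prefix}/lib/systemd/system` while %files expects %_unitdir.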