Add 0001-tools-add-a-systemd-unit-for-static-rulesets.patch

0001-tools-add-a-systemd-unit-for-static-rulesets.patch

@@ -0,0 +1,173 @@
+From f08b34c9cba43879259c0b095c50efd3e6e66250 Mon Sep 17 00:00:00 2001
+From: Jan Engelhardt <jengelh@inai.de>
+Date: Fri, 28 Feb 2025 19:45:01 +0100
+Subject: [PATCH] tools: add a systemd unit for static rulesets
+References: https://lore.kernel.org/netfilter-devel/20250228205935.59659-1-jengelh@inai.de/T/#u (v1)
+Notes-v2: the Documentation= line needed a "man:" infix
+
+There is a customer request (bugreport) for wanting to trivially load a ruleset
+from a well-known location on boot, forwarded to me by M. Gerstner. A systemd
+service unit is hereby added to provide that functionality. This is based on
+various distributions attempting to do same, cf.
+
+https://src.fedoraproject.org/rpms/nftables/tree/rawhide
+https://gitlab.alpinelinux.org/alpine/aports/-/blob/master/main/nftables/nftables.initd
+https://gitlab.archlinux.org/archlinux/packaging/packages/nftables
+
+Cc: Matthias Gerstner <matthias.gerstner@suse.com>
+---
+ .gitignore                |  1 +
+ Makefile.am               | 16 ++++++++++++----
+ configure.ac              | 10 ++++++++++
+ files/nftables/main.nft   | 24 ++++++++++++++++++++++++
+ tools/nftables.service.8  | 18 ++++++++++++++++++
+ tools/nftables.service.in | 21 +++++++++++++++++++++
+ 6 files changed, 86 insertions(+), 4 deletions(-)
+ create mode 100644 files/nftables/main.nft
+ create mode 100644 tools/nftables.service.8
+ create mode 100644 tools/nftables.service.in
+
+diff --git a/Makefile.am b/Makefile.am
+index fb64105d..050991f4 100644
+--- a/Makefile.am
++++ b/Makefile.am
+@@ -375,18 +375,19 @@ dist_pkgdata_DATA = \
+ 	files/nftables/netdev-ingress.nft \
+ 	$(NULL)
+ 
+-pkgdocdir = ${docdir}/examples
++exampledir = ${docdir}/examples
+ 
+-dist_pkgdoc_SCRIPTS = \
++dist_example_SCRIPTS = \
+ 	files/examples/ct_helpers.nft \
+ 	files/examples/load_balancing.nft \
+ 	files/examples/secmark.nft \
+ 	files/examples/sets_and_maps.nft \
+ 	$(NULL)
+ 
+-pkgsysconfdir = ${sysconfdir}/nftables/osf
++pkgsysconfdir = ${sysconfdir}/${PACKAGE}
++osfdir = ${pkgsysconfdir}/osf
+ 
+-dist_pkgsysconf_DATA = \
++dist_osf_DATA = \
+ 	files/osf/pf.os \
+ 	$(NULL)
+ 
+@@ -410,3 +411,10 @@ EXTRA_DIST += \
+ 
+ pkgconfigdir = $(libdir)/pkgconfig
+ pkgconfig_DATA = libnftables.pc
++unit_DATA = tools/nftables.service
++man_MANS = tools/nftables.service.8
++doc_DATA = files/nftables/main.nft
++
++tools/nftables.service: tools/nftables.service.in ${top_builddir}/config.status
++	${AM_V_GEN}${MKDIR_P} tools
++	${AM_V_at}sed -e 's|@''sbindir''@|${sbindir}|g;s|@''pkgsysconfdir''@|${pkgsysconfdir}|g' <${srcdir}/tools/nftables.service.in >$@
+diff --git a/configure.ac b/configure.ac
+index 80a64813..64a164e5 100644
+--- a/configure.ac
++++ b/configure.ac
+@@ -114,6 +114,16 @@ AC_CHECK_DECLS([getprotobyname_r, getprotobynumber_r, getservbyport_r], [], [],
+ #include <netdb.h>
+ ]])
+ 
++AC_ARG_WITH([unitdir],
++	[AS_HELP_STRING([--with-unitdir=PATH], [Path to systemd service unit directory])],
++	[unitdir="$withval"],
++	[
++		unitdir=$("$PKG_CONFIG" systemd --variable systemdsystemunitdir 2>/dev/null)
++		AS_IF([test -z "$unitdir"], [unitdir='${prefix}/lib/systemd/system'])
++	])
++AC_SUBST([unitdir])
++
++
+ AC_CONFIG_FILES([					\
+ 		Makefile				\
+ 		libnftables.pc				\
+diff --git a/files/nftables/main.nft b/files/nftables/main.nft
+new file mode 100644
+index 00000000..8e62f9bc
+--- /dev/null
++++ b/files/nftables/main.nft
+@@ -0,0 +1,24 @@
++#!/usr/sbin/nft -f
++
++# template static firewall configuration file
++#
++# copy this over to /etc/nftables/rules/main.nft as a starting point for
++# configuring a rule set which will be loaded by nftables.service.
++
++flush ruleset
++
++table inet filter {
++	chain input {
++		type filter hook input priority filter;
++	}
++	chain forward {
++		type filter hook forward priority filter;
++	}
++	chain output {
++		type filter hook output priority filter;
++	}
++}
++
++# this can be used to split the rule set into multiple smaller files concerned
++# with specific topics, like forwarding rules
++#include "/etc/nftables/rules/forwarding.nft"
+diff --git a/tools/nftables.service.8 b/tools/nftables.service.8
+new file mode 100644
+index 00000000..4a83b01c
+--- /dev/null
++++ b/tools/nftables.service.8
+@@ -0,0 +1,18 @@
++.TH nftables.service 8 "" "nftables" "nftables admin reference"
++.SH Name
++nftables.service \(em Static Firewall Configuration with nftables.service
++.SH Description
++An nftables systemd service is provided which allows to setup static firewall
++rulesets based on a configuration file.
++.PP
++To use this service, you need to create the main configuration file in
++/etc/nftables/rules/main.nft. A template for this can be copied from
++/usr/share/doc/nftables/main.nft. The static firewall configuration can be
++split up into multiple files which are included from the main.nft
++configuration file.
++.PP
++Once the desired static firewall configuration is in place, it can be tested by
++running `systemctl start nftables.service`. To enable the service at boot time,
++run `systemctl enable nftables.service`.
++.SH See also
++\fBnft\fP(8)
+diff --git a/tools/nftables.service.in b/tools/nftables.service.in
+new file mode 100644
+index 00000000..f2f07126
+--- /dev/null
++++ b/tools/nftables.service.in
+@@ -0,0 +1,21 @@
++[Unit]
++Description=nftables static rule set
++Documentation=man:nftables.service(8)
++Wants=network-pre.target
++Before=network-pre.target shutdown.target
++Conflicts=shutdown.target
++DefaultDependencies=no
++ConditionPathExists=@pkgsysconfdir@/rules/main.nft
++
++[Service]
++Type=oneshot
++RemainAfterExit=yes
++StandardInput=null
++ProtectSystem=full
++ProtectHome=true
++ExecStart=@sbindir@/nft -f @pkgsysconfdir@/rules/main.nft
++ExecReload=@sbindir@/nft -f @pkgsysconfdir@/rules/main.nft
++ExecStop=@sbindir@/nft flush ruleset
++
++[Install]
++WantedBy=sysinit.target
+-- 
+2.48.1
+

nftables.changes

@@ -1,3 +1,9 @@
+-------------------------------------------------------------------
+Tue Mar  4 08:01:21 UTC 2025 - Jan Engelhardt <jengelh@inai.de>
+
+- Add 0001-tools-add-a-systemd-unit-for-static-rulesets.patch
+  [boo#1237277]
+
 -------------------------------------------------------------------
 Thu Oct  3 07:00:54 UTC 2024 - Jan Engelhardt <jengelh@inai.de>
 

nftables.spec

@@ -1,7 +1,7 @@
 #
 # spec file for package nftables
 #
-# Copyright (c) 2024 SUSE LLC
+# Copyright (c) 2025 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -33,6 +33,7 @@ Source:         http://ftp.netfilter.org/pub/%name/%name-%version.tar.xz
 Source2:        http://ftp.netfilter.org/pub/%name/%name-%version.tar.xz.sig
 Source3:        %name.keyring
 Source4:        nftables.rpmlintrc
+Patch1:         0001-tools-add-a-systemd-unit-for-static-rulesets.patch
 BuildRequires:  %{python_module pip}
 BuildRequires:  %{python_module setuptools}
 BuildRequires:  %{python_module wheel}
@@ -116,6 +117,7 @@ cd -
 %install
 b="%buildroot"
 %make_install -C obj
+perl -i -lpe 's{^(Conflicts=.*)}{$1 firewalld.service}' "$b/%_unitdir/nftables.service"
 cd py
 %pyproject_install
 %python_expand %fdupes %buildroot/%{$python_sitelib}
@@ -125,13 +127,27 @@ mv -v "$b/%_datadir/nftables"/*.nft "$b/%_docdir/%name/examples/"
 
 %ldconfig_scriptlets -n libnftables1
 
+%pre
+%service_add_pre nftables.service
+
+%post
+%service_add_post nftables.service
+
+%preun
+%service_del_preun nftables.service
+
+%postun
+%service_del_postun nftables.service
+
 %files
 %license COPYING
-%_sysconfdir/nftables/
+%dir %_sysconfdir/nftables/
+%_sysconfdir/nftables/osf/
 %_sbindir/nft
 %_mandir/man5/*.5*
 %_mandir/man8/nft*
 %_docdir/%name/
+%_unitdir/nftables.service
 
 %files -n libnftables1
 %_libdir/libnftables.so.1*