jengelh/nftables
SHA256
1
0
Fork 1
forked from pool/nftables
Code Pull Requests Activity

Implement nftables.service for static firewall configurations (bsc#1237277) #1

Manually merged
jengelh merged 2 commits from mgerstner/nftables:master into master 2025-03-04 09:11:23 +01:00
Conversation 15 Commits 2 Files Changed 5 +93
mgerstner commented 2025-02-27 12:03:34 +01:00
Contributor
Copy Link

It seems users are missing this service which is not part of the
upstream project but present in most other Linux distributions. It
allows to setup simple static nftables based firewalls via configuration
files.

It seems users are missing this service which is not part of the upstream project but present in most other Linux distributions. It allows to setup simple static nftables based firewalls via configuration files.
mgerstner added 1 commit 2025-02-27 12:03:35 +01:00 
It seems users are missing this service which is not part of the
upstream project but present in most other Linux distributions. It
allows to setup simple static nftables based firewalls via configuration
files.
jengelh commented 2025-02-27 14:29:29 +01:00
Owner
Copy Link

This should be proposed upstream instead. There has got to be a reason they do not have such service units yet.

This also totally collides with SuSEfirewall/firewalld.

This should be proposed upstream instead. There has got to be a reason they do not have such service units yet. This also totally collides with SuSEfirewall/firewalld.
jengelh changed title from Implement nftables.service for static firewall configurations (bsc#1237277) to WIP: Implement nftables.service for static firewall configurations (bsc#1237277) 2025-02-27 14:32:07 +01:00
mgerstner commented 2025-02-27 15:34:33 +01:00
Author
Contributor
Copy Link

It's not colliding, because it is the responsibility of the system admin not to use both at the same time. And we do have a customer request to add this service.

It's not colliding, because it is the responsibility of the system admin not to use both at the same time. And we do have a customer request to add this service.
mgerstner commented 2025-02-27 15:44:30 +01:00
Author
Contributor
Copy Link

I can add a Conflicts= statement to the systemd unit to prevent accidental activation of both this service and firewalld. SUSEFirewall is not a candidate here since it is deprecated and doesn't even support nftables.

Otherwise this service does not harm at all. It is purely opt-in, won't be activated by default. It is just a couple of files extra. We are not to judge what customers and users want to have. If they want to have a simple static firewall written manually then this is fine with me.

I can add a `Conflicts=` statement to the systemd unit to prevent accidental activation of both this service and firewalld. SUSEFirewall is not a candidate here since it is deprecated and doesn't even support nftables. Otherwise this service does not harm at all. It is purely opt-in, won't be activated by default. It is just a couple of files extra. We are not to judge what customers and users want to have. If they want to have a simple static firewall written manually then this is fine with me.
jengelh commented 2025-02-27 17:02:35 +01:00
Owner
Copy Link

On the other hand, we have also gotten complaints from upstreams for developing bespoke/NIH solutions and, at times, getting called out for producing "bastardized packages". For reason like these, the "upstream first" idea exists, to at least try to find a common solution before throwing in the towel.

On the other hand, we have also gotten complaints from upstreams for developing bespoke/NIH solutions and, at times, getting called out for producing "bastardized packages". For reason like these, the "upstream first" idea exists, to at least try to find a _common_ solution before throwing in the towel.
mgerstner commented 2025-02-28 09:56:54 +01:00
Author
Contributor
Copy Link

I'm not throwing in the towel, I'm fulfilling a customer request. I looked at what other distributions do. This here is not perverting an upstream approach, it is filling a gap. I can approach upstream in parallel, but addressing this feature request has time constraints, we need it for SLE-16 development. So please cooperate here. I'm bugowner of nftables after all. Otherwise I'd have to switch over the package to my own Gitea branch.

I'm not throwing in the towel, I'm fulfilling a customer request. I looked at what other distributions do. This here is not perverting an upstream approach, it is filling a gap. I can approach upstream in parallel, but addressing this feature request has time constraints, we need it for SLE-16 development. So please cooperate here. I'm bugowner of `nftables` after all. Otherwise I'd have to switch over the package to my own Gitea branch.
jengelh commented 2025-02-28 11:11:42 +01:00
Owner
Copy Link
  • the Netfilter wiki casually puts the ruleset in /etc/nftables.rules and /etc/nftables/*
  • Arch Linux seems to put the ruleset in /etc/nftables.conf
  • your proposal puts it in /etc/nftables/rules/main.nft

This is the kind of deviation I was afraid of seeing, and why I feel Upstream First is important. Yes, please contact them as soon as possible, that will help making the case. Having to switch the file location later because #1 was merged "due to time constraints" surely is not all that great for the end-user (sysadmin) who's wondering why, on the next reboot, the ruleset is no longer loaded.

I acknowledge that one does not always find a consensus with upstreams — this is what I meant with "throwing the towel [w.r.t. upstream]" — and that's ok, if the distro-specific modification was argued for and the result documented. That is the goal.

Otherwise I'd have to switch over the package to my own Gitea branch.

The current situation is because organization creation was disabled in this Gitea instance midway unfortunately. But even if the backstorage wasn't Git but OBSSCM, the change would leave a bad taste if it had unresolved questions like path choice.

* the Netfilter wiki casually puts the ruleset in [/etc/nftables.rules](https://wiki.nftables.org/wiki-nftables/index.php/Quick_reference-nftables_in_10_minutes) and /etc/nftables/* * Arch Linux seems to put the ruleset in /etc/nftables.conf * your proposal puts it in /etc/nftables/rules/main.nft This is the kind of deviation I was afraid of seeing, and why I feel Upstream First is important. Yes, please contact them as soon as possible, that will help making the case. Having to switch the file location later because #1 was merged "due to time constraints" surely is not all that great _for the end-user_ (sysadmin) who's wondering why, on the next reboot, the ruleset is no longer loaded. I acknowledge that one does not always find a consensus with upstreams — this is what I meant with "throwing the towel [w.r.t. upstream]" — and that's ok, if the distro-specific modification was argued for and the result documented. That is the goal. >Otherwise I'd have to switch over the package to my own Gitea branch. The current situation is because organization creation was disabled in this Gitea instance midway unfortunately. But even if the backstorage wasn't Git but OBSSCM, the change would leave a bad taste if it had unresolved questions like path choice.
jengelh commented 2025-02-28 11:12:53 +01:00
Owner
Copy Link

Placing config files in /usr/etc when they are not read from that location also seems a bit strange; traditionally (open)SUSE would put such files in %_docdir instead.

Placing config files in /usr/etc when they are not read from that location also seems a bit strange; traditionally (open)SUSE would put such files in %_docdir instead.
mgerstner commented 2025-02-28 14:01:41 +01:00
Author
Contributor
Copy Link
  • the Netfilter wiki casually puts the ruleset in /etc/nftables.rules and /etc/nftables/*
  • Arch Linux seems to put the ruleset in /etc/nftables.conf
  • your proposal puts it in /etc/nftables/rules/main.nft

Mine is more inspired by the way Fedora does it. I think it's a good idea to have a dedicated directory and have support for splitting the rules up into smaller pieces contained in separate files.

This is the kind of deviation I was afraid of seeing, and why I feel Upstream First is important.

The deviation is already there, we're only late to the party. I will approach upstream, but don't have high hopes that a usable solution will be available any time soon. Certainly not soon enough for SLE-16 development. That's just reality.

The current situation is because organization creation was disabled in this Gitea instance midway unfortunately. But even if the backstorage wasn't Git but OBSSCM, the change would leave a bad taste if it had unresolved questions like path choice.

It's my first time working with Gitea, and yes the situation is less than ideal IMHO. There seem to be many questions unresolved. But I have to work with what we have at the moment.

> * the Netfilter wiki casually puts the ruleset in [/etc/nftables.rules](https://wiki.nftables.org/wiki-nftables/index.php/Quick_reference-nftables_in_10_minutes) and /etc/nftables/* > * Arch Linux seems to put the ruleset in /etc/nftables.conf > * your proposal puts it in /etc/nftables/rules/main.nft Mine is more inspired by the way Fedora does it. I think it's a good idea to have a dedicated directory and have support for splitting the rules up into smaller pieces contained in separate files. > This is the kind of deviation I was afraid of seeing, and why I feel Upstream First is important. The deviation is already there, we're only late to the party. I will approach upstream, but don't have high hopes that a usable solution will be available any time soon. Certainly not soon enough for SLE-16 development. That's just reality. > The current situation is because organization creation was disabled in this Gitea instance midway unfortunately. But even if the backstorage wasn't Git but OBSSCM, the change would leave a bad taste if it had unresolved questions like path choice. It's my first time working with Gitea, and yes the situation is less than ideal IMHO. There seem to be many questions unresolved. But I have to work with what we have at the moment.
mgerstner commented 2025-02-28 14:03:17 +01:00
Author
Contributor
Copy Link

Placing config files in /usr/etc when they are not read from that location also seems a bit strange; traditionally (open)SUSE would put such files in %_docdir instead.

True. This whole /usr/etc approach does not go well with some things like this here. Other distros offer an empty rule set by default for this service but I don't think this makes any sense. When the service is enabled then it should also have a usable custom config.

I can move the file to %_docdir and also add that Conflicts= towards firewalld. I don't think I'll find time to do that before the weekend any more, though.

> Placing config files in /usr/etc when they are not read from that location also seems a bit strange; traditionally (open)SUSE would put such files in %_docdir instead. True. This whole `/usr/etc` approach does not go well with some things like this here. Other distros offer an empty rule set by default for this service but I don't think this makes any sense. When the service is enabled then it should also have a usable custom config. I can move the file to %_docdir and also add that Conflicts= towards firewalld. I don't think I'll find time to do that before the weekend any more, though.
jengelh commented 2025-02-28 19:30:48 +01:00
Owner
Copy Link

I'll take care of it, then.

I'll take care of it, then.
jengelh commented 2025-02-28 22:06:41 +01:00
Owner
Copy Link

https://lore.kernel.org/netfilter-devel/20250228205935.59659-1-jengelh@inai.de/T/#u

https://lore.kernel.org/netfilter-devel/20250228205935.59659-1-jengelh@inai.de/T/#u
mgerstner commented 2025-03-03 14:00:38 +01:00
Author
Contributor
Copy Link

Ah thanks for forwarding that to upstream. No reaction so far, though, it seems.

Ah thanks for forwarding that to upstream. No reaction so far, though, it seems.
mgerstner added 1 commit 2025-03-03 14:43:17 +01:00 
- place example config file into /usr/share/doc/packages/nftables
- remove duplicate AssertPathExists file from service
- add conflicts towards firewalld service to avoid having both active at
  the same time
mgerstner commented 2025-03-03 14:43:40 +01:00
Author
Contributor
Copy Link

I incorporated your suggestions and some other fixes

I incorporated your suggestions and some other fixes
jengelh changed title from WIP: Implement nftables.service for static firewall configurations (bsc#1237277) to Implement nftables.service for static firewall configurations (bsc#1237277) 2025-03-04 09:11:14 +01:00
jengelh manually merged commit 5edc5339b7 into master 2025-03-04 09:11:23 +01:00
mgerstner commented 2025-03-10 12:55:05 +01:00
Author
Contributor
Copy Link

Now that the change is in Tumbleweed I notice that the behaviour of systemctl start nftables.service is still a bit unfortunate. Even if the service is not configured (config file condition fails) firewalld.service is stopped (because it is now conflicting). This leaves the system without any firewall.

That is more of a systemd issue, though. It shouldn't stop conflicting services if the service to be started doesn't even meet the conditions to be started.

Now that the change is in Tumbleweed I notice that the behaviour of `systemctl start nftables.service` is still a bit unfortunate. Even if the service is not configured (config file condition fails) firewalld.service is stopped (because it is now conflicting). This leaves the system without any firewall. That is more of a systemd issue, though. It shouldn't stop conflicting services if the service to be started doesn't even meet the conditions to be started.
jengelh commented 2025-03-11 17:20:36 +01:00
Owner
Copy Link

Got a system bug report link?

Got a system bug report link?
Sign in to join this conversation.
Reviewers
No Reviewers
Labels
No items
No Label
Milestone
No items
No Milestone
Assignees
Clear assignees
jengelh
No Assignees
2 Participants
Notifications
Due Date
No due date set.
Dependencies

No dependencies set.

Reference: jengelh/nftables#1
No description provided.
Delete Branch "mgerstner/nftables:master"

Deleting a branch is permanent. Although the deleted branch may continue to exist for a short time before it actually gets removed, it CANNOT be undone in most cases. Continue?