From 71d8541655679f249f4fbd99d287bcbbd0080331205a4d2729db218f5640d740 Mon Sep 17 00:00:00 2001
From: Matthias Gerstner
Date: Thu, 27 Feb 2025 12:01:17 +0100
Subject: [PATCH 1/2] Implement nftables.service for static firewall configurations (bsc#1237277)

It seems users are missing this service which is not part of the upstream project but present in most other Linux distributions. It allows to setup simple static nftables based firewalls via configuration files.

---
 README.SUSE | 15 +++++++++++++++
 main.nft | 24 ++++++++++++++++++++++++
 nftables.changes | 8 ++++++++
 nftables.service | 22 ++++++++++++++++++++++
 nftables.spec | 27 +++++++++++++++++++++++++++
 5 files changed, 96 insertions(+)
 create mode 100644 README.SUSE
 create mode 100755 main.nft
 create mode 100644 nftables.service

diff --git a/README.SUSE b/README.SUSE
new file mode 100644
index 0000000..4e10b39
--- /dev/null
+++ b/README.SUSE
@@ -0,0 +1,15 @@
+Static Firewall Configuration with nftables.service
+===================================================
+
+SUSE provides an nftables systemd service which allows to setup simple static
+firewall rule sets based on configuration files.
+
+To use this service you need to create the main configuration file in
+/etc/nftables/rules/main.nft. A simple template for this can be copied from
+/usr/etc/nftables/rules/main.nft. You can split-up the static firewall
+configuration into multiple files which are included from the main.nft
+configuration file.
+
+Once the desired static firewall configuration is in place you can test it by
+running `systemctl start nftables.service`. To enable the service at boot time
+run `systemctl enable nftables.service`.
diff --git a/main.nft b/main.nft
new file mode 100755
index 0000000..66fcdc3
--- /dev/null
+++ b/main.nft
@@ -0,0 +1,24 @@
+#!/usr/sbin/nft -f
+
+# template static firewall configuration file
+#
+# copy this over to /etc/nftables/rules/main.nft as a starting point for
+# configuring a rule set which will be loaded by nftables.service.
+
+flush ruleset
+
+table inet filter {
+ chain input {
+ type filter hook input priority filter;
+ }
+ chain forward {
+ type filter hook forward priority filter;
+ }
+ chain output {
+ type filter hook output priority filter;
+ }
+}
+
+# this can be used to split the rule set into multiple smaller files concerned
+# with specific topics, like forwarding rules
+#include "/etc/nftables/rules/forwarding.nft"
diff --git a/nftables.changes b/nftables.changes
index 2794039..e76d9e9 100644
--- a/nftables.changes
+++ b/nftables.changes
@@ -1,3 +1,11 @@
+-------------------------------------------------------------------
+Thu Feb 27 11:59:54 UTC 2025 - Matthias Gerstner
+
+- implement nftables.service for static firewall configurations (bsc#1237277).
+ It seems users are missing this service which is not part of the upstream
+ project but present in most other Linux distributions. It allows to setup
+ simple static nftables based firewalls via configuration files.
+
 -------------------------------------------------------------------
 Thu Oct 3 07:00:54 UTC 2024 - Jan Engelhardt
diff --git a/nftables.service b/nftables.service
new file mode 100644
index 0000000..9debfe6
--- /dev/null
+++ b/nftables.service
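Review bot: None of the three chains in `table inet filter` sets a `policy`, so nft's default `policy accept` applies and this template, loaded unchanged after its `flush ruleset`, replaces whatever ruleset was active with one that filters nothing. Since the header comment presents the file as the starting point for a rule set loaded by nftables.service, the default should be spelled out and annotated, e.g. `type filter hook input priority filter; policy accept;` followed by `# switch to 'policy drop;' once the allow rules for this chain are in place` on the input and forward chains. A comment above `flush ruleset` noting that it removes every table in the kernel, including tables created by other software and not only what this file declares, would also help users who run other netfilter tooling alongside.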
@@ -0,0 +1,22 @@
+[Unit]
+Description=nftables static rule set
+Documentation=file:/usr/share/doc/packages/nftables/README.SUSE
+Wants=network-pre.target
+Before=network-pre.target shutdown.target
+Conflicts=shutdown.target
+DefaultDependencies=no
+AssertPathExists=/etc/nftables/rules/main.nft
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+StandardInput=null
+ProtectSystem=full
+ProtectHome=true
+AssertPathExists=/etc/nftables/rules/main.nft
+ExecStart=/usr/sbin/nft -f /etc/nftables/rules/main.nft
+ExecReload=/usr/sbin/nft -f /etc/nftables/rules/main.nft
+ExecStop=/usr/sbin/nft flush ruleset
+
+[Install]
+WantedBy=sysinit.target
diff --git a/nftables.spec b/nftables.spec
index 4dce635..1d58fcb 100644
--- a/nftables.spec
+++ b/nftables.spec
@@ -33,6 +33,9 @@ Source: http://ftp.netfilter.org/pub/%name/%name-%version.tar.xz
 Source2: http://ftp.netfilter.org/pub/%name/%name-%version.tar.xz.sig
 Source3: %name.keyring
 Source4: nftables.rpmlintrc
+Source5: main.nft
+Source6: nftables.service
+Source7: README.SUSE
 BuildRequires: %{python_module pip}
 BuildRequires: %{python_module setuptools}
 BuildRequires: %{python_module wheel}
@@ -112,6 +115,7 @@ popd
 pushd py
 %pyproject_wheel
 popd
+cp %{SOURCE7} .
 %install
 b="%buildroot"
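Review bot: `ExecStop=/usr/sbin/nft flush ruleset` clears the entire kernel ruleset on `systemctl stop` (and via the shutdown.target conflict), not only what main.nft loaded, so stopping the unit also removes tables other components may have installed and leaves the host without packet filtering; README.SUSE in this patch explains start and enable but not this effect. I would state it in the unit, `# Stopping the unit flushes the whole ruleset, including tables not defined in main.nft`, and add a matching sentence to the README. The sandbox could presumably be tightened too: `nft -f` only reads the rule files and speaks netlink, so `ProtectSystem=strict` and `CapabilityBoundingSet=CAP_NET_ADMIN` look applicable, though that needs confirming against included files and the nf_tables module autoload on a fresh boot before adopting it.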
@@ -124,15 +128,38 @@ rm -f "%buildroot/%_libdir"/*.la
 mkdir -p "$b/%_docdir/%name/examples"
 mv -v "$b/%_datadir/nftables"/*.nft "$b/%_docdir/%name/examples/"
+# create directories and install files for static firewall setup via nftables.service
+install -D -d -m 0755 $b/%{_sysconfdir}/nftables/rules $b/%{_distconfdir}/nftables/rules $b/%{_unitdir}
+install -m 0755 %{SOURCE5} $b/%{_distconfdir}/nftables/rules/
+install -m 0644 %{SOURCE6} $b/%{_unitdir}/
+
 %ldconfig_scriptlets -n libnftables1
+%pre
+%service_add_pre nftables.service
+
+%post
+%service_add_post nftables.service
+
+%preun
+%service_del_preun nftables.service
+
+%postun
+%service_del_postun nftables.service
+
 %files
 %license COPYING
 %_sysconfdir/nftables/
+%_sysconfdir/nftables/rules
 %_sbindir/nft
 %_mandir/man5/*.5*
 %_mandir/man8/nft*
 %_docdir/%name/
+%doc README.SUSE
+%_distconfdir/nftables
+%_distconfdir/nftables/rules
+%_distconfdir/nftables/rules/main.nft
+%_unitdir/nftables.service
 %files -n libnftables1
 %_libdir/libnftables.so.1*
-- 
2.45.2

From c434951062ef36d48fe1e4135f8b6f957551f975429cf3365a7e7f8b0d976073 Mon Sep 17 00:00:00 2001
From: Matthias Gerstner
Date: Mon, 3 Mar 2025 14:42:04 +0100
Subject: [PATCH 2/2] nftables service improvements

- place example config file into /usr/share/doc/packages/nftables
- remove duplicate AssertPathExists file from service
- add conflicts towards firewalld service to avoid having both active at the same time
---
 README.SUSE | 2 +-
 nftables.service | 2 +-
 nftables.spec | 7 ++-----
 3 files changed, 4 insertions(+), 7 deletions(-)

diff --git a/README.SUSE b/README.SUSE
index 4e10b39..c1dade0 100644
--- a/README.SUSE
+++ b/README.SUSE
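Review bot: The three new `install` lines leave `$b` unquoted while the surrounding `%install` section quotes it consistently (`"$b/%_docdir/%name/examples"` two lines above); `%buildroot` is unlikely to contain whitespace, but the mixed style is worth aligning, e.g. `install -m 0644 %{SOURCE6} "$b/%{_unitdir}/"`. In `%files`, the new `%_sysconfdir/nftables/rules` entry is already covered by the existing recursive `%_sysconfdir/nftables/` entry, and the `%_distconfdir/nftables/rules` and `.../main.nft` entries by `%_distconfdir/nftables`, so rpmbuild will presumably warn about files listed twice; listing only the top-level directory, or marking the empty `rules` directory with `%dir` under an explicit non-recursive entry, avoids that. Both the `%install` section and the `%files` list continue outside the hunk.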
@@ -6,7 +6,7 @@ firewall rule sets based on configuration files.
 To use this service you need to create the main configuration file in
 /etc/nftables/rules/main.nft. A simple template for this can be copied from
-/usr/etc/nftables/rules/main.nft. You can split-up the static firewall
+/usr/share/doc/packages/nftables/main.nft. You can split-up the static firewall
 configuration into multiple files which are included from the main.nft
 configuration file.
diff --git a/nftables.service b/nftables.service
index 9debfe6..7b2be94 100644
--- a/nftables.service
+++ b/nftables.service
@@ -4,6 +4,7 @@ Documentation=file:/usr/share/doc/packages/nftables/README.SUSE
 Wants=network-pre.target
 Before=network-pre.target shutdown.target
 Conflicts=shutdown.target
+Conflicts=firewalld.service
 DefaultDependencies=no
 AssertPathExists=/etc/nftables/rules/main.nft
@@ -13,7 +14,6 @@ RemainAfterExit=yes
 StandardInput=null
 ProtectSystem=full
 ProtectHome=true
-AssertPathExists=/etc/nftables/rules/main.nft
 ExecStart=/usr/sbin/nft -f /etc/nftables/rules/main.nft
 ExecReload=/usr/sbin/nft -f /etc/nftables/rules/main.nft
 ExecStop=/usr/sbin/nft flush ruleset
diff --git a/nftables.spec b/nftables.spec
index 1d58fcb..65fc508 100644
--- a/nftables.spec
+++ b/nftables.spec
@@ -129,8 +129,8 @@ mkdir -p "$b/%_docdir/%name/examples"
 mv -v "$b/%_datadir/nftables"/*.nft "$b/%_docdir/%name/examples/"
 # create directories and install files for static firewall setup via nftables.service
-install -D -d -m 0755 $b/%{_sysconfdir}/nftables/rules $b/%{_distconfdir}/nftables/rules $b/%{_unitdir}
-install -m 0755 %{SOURCE5} $b/%{_distconfdir}/nftables/rules/
+install -D -d -m 0755 $b/%{_sysconfdir}/%{name}/rules $b/%{_distconfdir}/%{name}/rules $b/%{_unitdir}
+install -m 0755 %{SOURCE5} $b/%{_docdir}/%name/
 install -m 0644 %{SOURCE6} $b/%{_unitdir}/
 %ldconfig_scriptlets -n libnftables1
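Review bot: `Conflicts=firewalld.service` stops firewalld when this unit is started and vice versa, but it does not prevent both units from being enabled, and when both are pulled into the same boot transaction through their `WantedBy=` systemd resolves the conflict by dropping one of the two jobs, so which firewall is active after a reboot is not deterministic from the user's point of view. README.SUSE, which documents `systemctl enable nftables.service`, should tell users to disable firewalld first, e.g. `Disable firewalld before enabling this service (systemctl disable --now firewalld.service); the two units conflict and only one of them can be active at a time.` The `[Unit]` section continues outside the hunk.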
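Review bot: The rewritten `install -D -d` line still creates `$b/%{_distconfdir}/%{name}/rules`, but this patch moves main.nft to `%{_docdir}` and removes every `%_distconfdir` entry from `%files` (hunk `@@ -156,9 +156,6 @@`), so an empty `/usr/etc/nftables/rules` directory is now created in the build root and packaged nowhere; unless it is meant to stay shipped, drop it, `install -D -d -m 0755 $b/%{_sysconfdir}/%{name}/rules $b/%{_unitdir}`. Installing the example with `-m 0755` into the documentation directory is also likely to draw an rpmlint complaint about an executable file under `%_docdir`; `-m 0644` is sufficient for a file the README tells users to copy, and `nft -f` does not need the executable bit. The `%install` section continues outside the hunk.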
@@ -156,9 +156,6 @@ install -m 0644 %{SOURCE6} $b/%{_unitdir}/
 %_mandir/man8/nft*
 %_docdir/%name/
 %doc README.SUSE
-%_distconfdir/nftables
-%_distconfdir/nftables/rules
-%_distconfdir/nftables/rules/main.nft
 %_unitdir/nftables.service
 %files -n libnftables1
-- 
2.45.2