README.SUSE

@@ -0,0 +1,15 @@
+Static Firewall Configuration with nftables.service
+===================================================
+
+SUSE provides an nftables systemd service which allows to setup simple static
+firewall rule sets based on configuration files.
+
+To use this service you need to create the main configuration file in
+/etc/nftables/rules/main.nft. A simple template for this can be copied from
+/usr/share/doc/packages/nftables/main.nft. You can split-up the static firewall
+configuration into multiple files which are included from the main.nft
+configuration file.
+
+Once the desired static firewall configuration is in place you can test it by
+running `systemctl start nftables.service`. To enable the service at boot time
+run `systemctl enable nftables.service`.

main.nft

@@ -0,0 +1,24 @@
+#!/usr/sbin/nft -f
+
+# template static firewall configuration file
+#
+# copy this over to /etc/nftables/rules/main.nft as a starting point for
+# configuring a rule set which will be loaded by nftables.service.
+
+flush ruleset
+
+table inet filter {
+	chain input {
+		type filter hook input priority filter;
+	}
+	chain forward {
+		type filter hook forward priority filter;
+	}
+	chain output {
+		type filter hook output priority filter;
+	}
+}
+
+# this can be used to split the rule set into multiple smaller files concerned
+# with specific topics, like forwarding rules
+#include "/etc/nftables/rules/forwarding.nft"

nftables.changes

@@ -1,3 +1,11 @@
+-------------------------------------------------------------------
+Thu Feb 27 11:59:54 UTC 2025 - Matthias Gerstner <matthias.gerstner@suse.com>
+
+- implement nftables.service for static firewall configurations (bsc#1237277).
+  It seems users are missing this service which is not part of the upstream
+  project but present in most other Linux distributions. It allows to setup
+  simple static nftables based firewalls via configuration files.
+
 -------------------------------------------------------------------
 Thu Oct  3 07:00:54 UTC 2024 - Jan Engelhardt <jengelh@inai.de>
 

nftables.service

@@ -0,0 +1,22 @@
+[Unit]
+Description=nftables static rule set
+Documentation=file:/usr/share/doc/packages/nftables/README.SUSE
+Wants=network-pre.target
+Before=network-pre.target shutdown.target
+Conflicts=shutdown.target
+Conflicts=firewalld.service
+DefaultDependencies=no
+AssertPathExists=/etc/nftables/rules/main.nft
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+StandardInput=null
+ProtectSystem=full
+ProtectHome=true
+ExecStart=/usr/sbin/nft -f /etc/nftables/rules/main.nft
+ExecReload=/usr/sbin/nft -f /etc/nftables/rules/main.nft
+ExecStop=/usr/sbin/nft flush ruleset
+
+[Install]
+WantedBy=sysinit.target

nftables.spec

@@ -33,6 +33,9 @@ Source:         http://ftp.netfilter.org/pub/%name/%name-%version.tar.xz
 Source2:        http://ftp.netfilter.org/pub/%name/%name-%version.tar.xz.sig
 Source3:        %name.keyring
 Source4:        nftables.rpmlintrc
+Source5:        main.nft
+Source6:        nftables.service
+Source7:        README.SUSE
 BuildRequires:  %{python_module pip}
 BuildRequires:  %{python_module setuptools}
 BuildRequires:  %{python_module wheel}
@@ -112,6 +115,7 @@ popd
 pushd py
 %pyproject_wheel
 popd
+cp %{SOURCE7} .
 
 %install
 b="%buildroot"
@@ -124,15 +128,35 @@ rm -f "%buildroot/%_libdir"/*.la
 mkdir -p "$b/%_docdir/%name/examples"
 mv -v "$b/%_datadir/nftables"/*.nft "$b/%_docdir/%name/examples/"
 
+# create directories and install files for static firewall setup via nftables.service
+install -D -d -m 0755 $b/%{_sysconfdir}/%{name}/rules $b/%{_distconfdir}/%{name}/rules $b/%{_unitdir}
+install -m 0755 %{SOURCE5} $b/%{_docdir}/%name/
+install -m 0644 %{SOURCE6} $b/%{_unitdir}/
+
 %ldconfig_scriptlets -n libnftables1
 
+%pre
+%service_add_pre nftables.service
+
+%post
+%service_add_post nftables.service
+
+%preun
+%service_del_preun nftables.service
+
+%postun
+%service_del_postun nftables.service
+
 %files
 %license COPYING
 %_sysconfdir/nftables/
+%_sysconfdir/nftables/rules
 %_sbindir/nft
 %_mandir/man5/*.5*
 %_mandir/man8/nft*
 %_docdir/%name/
+%doc README.SUSE
+%_unitdir/nftables.service
 
 %files -n libnftables1
 %_libdir/libnftables.so.1*