Compare commits
10 Commits
Author | SHA256 | Date | |
---|---|---|---|
84a5379b40 | |||
4581f5921a | |||
9aecff8b4c | |||
|
41436c84e1 | ||
ab9c179ebd | |||
0e32a110ae | |||
ee8a28dc13 | |||
fcf56aa719 | |||
554c6b6a3c | |||
7a847e7093 |
192
0001-tools-add-a-systemd-unit-for-static-rulesets.patch
Normal file
192
0001-tools-add-a-systemd-unit-for-static-rulesets.patch
Normal file
@@ -0,0 +1,192 @@
|
|||||||
|
From d47ba75b254179f07061dd7782b5d73c9991fdc5 Mon Sep 17 00:00:00 2001
|
||||||
|
From: Jan Engelhardt <jengelh@inai.de>
|
||||||
|
Date: Fri, 28 Feb 2025 19:45:01 +0100
|
||||||
|
Subject: [PATCH] tools: add a systemd unit for static rulesets
|
||||||
|
MIME-Version: 1.0
|
||||||
|
Content-Type: text/plain; charset=UTF-8
|
||||||
|
Content-Transfer-Encoding: 8bit
|
||||||
|
References: https://lore.kernel.org/netfilter-devel/20250417145055.2700920-1-jengelh@inai.de/
|
||||||
|
|
||||||
|
There is a customer request (bugreport) for wanting to trivially load a ruleset
|
||||||
|
from a well-known location on boot, forwarded to me by M. Gerstner. A systemd
|
||||||
|
service unit is hereby added to provide that functionality. This is based on
|
||||||
|
various distributions attempting to do same, for example,
|
||||||
|
|
||||||
|
https://src.fedoraproject.org/rpms/nftables/tree/rawhide
|
||||||
|
https://gitlab.alpinelinux.org/alpine/aports/-/blob/master/main/nftables/nftables.initd
|
||||||
|
https://gitlab.archlinux.org/archlinux/packaging/packages/nftables
|
||||||
|
|
||||||
|
Cc: Matthias Gerstner <matthias.gerstner@suse.com>
|
||||||
|
Cc: Kevin Fenzi <kevin@scrye.com>
|
||||||
|
Cc: Francesco Colista <fcolista@alpinelinux.org>
|
||||||
|
Cc: Sébastien Luttringer <seblu@archlinux.org>
|
||||||
|
---
|
||||||
|
INSTALL | 6 ++++++
|
||||||
|
Makefile.am | 16 ++++++++++++----
|
||||||
|
configure.ac | 10 ++++++++++
|
||||||
|
files/nftables/main.nft | 22 ++++++++++++++++++++++
|
||||||
|
tools/nftables.service.8 | 17 +++++++++++++++++
|
||||||
|
tools/nftables.service.in | 21 +++++++++++++++++++++
|
||||||
|
6 files changed, 88 insertions(+), 4 deletions(-)
|
||||||
|
create mode 100644 files/nftables/main.nft
|
||||||
|
create mode 100644 tools/nftables.service.8
|
||||||
|
create mode 100644 tools/nftables.service.in
|
||||||
|
|
||||||
|
diff --git a/INSTALL b/INSTALL
|
||||||
|
index 5d45ec98..0c48c989 100644
|
||||||
|
--- a/INSTALL
|
||||||
|
+++ b/INSTALL
|
||||||
|
@@ -42,6 +42,12 @@ Installation instructions for nftables
|
||||||
|
The base directory for arch-independent files. Defaults to
|
||||||
|
$prefix/share.
|
||||||
|
|
||||||
|
+ --with-unitdir=
|
||||||
|
+
|
||||||
|
+ Directory for systemd unit files. Defaults to the value obtained from
|
||||||
|
+ pkg-config for systemd.pc, and ${prefix}/lib/systemd/system as a
|
||||||
|
+ fallback.
|
||||||
|
+
|
||||||
|
--disable-debug
|
||||||
|
|
||||||
|
Disable debugging
|
||||||
|
diff --git a/Makefile.am b/Makefile.am
|
||||||
|
index fb64105d..050991f4 100644
|
||||||
|
--- a/Makefile.am
|
||||||
|
+++ b/Makefile.am
|
||||||
|
@@ -375,18 +375,19 @@ dist_pkgdata_DATA = \
|
||||||
|
files/nftables/netdev-ingress.nft \
|
||||||
|
$(NULL)
|
||||||
|
|
||||||
|
-pkgdocdir = ${docdir}/examples
|
||||||
|
+exampledir = ${docdir}/examples
|
||||||
|
|
||||||
|
-dist_pkgdoc_SCRIPTS = \
|
||||||
|
+dist_example_SCRIPTS = \
|
||||||
|
files/examples/ct_helpers.nft \
|
||||||
|
files/examples/load_balancing.nft \
|
||||||
|
files/examples/secmark.nft \
|
||||||
|
files/examples/sets_and_maps.nft \
|
||||||
|
$(NULL)
|
||||||
|
|
||||||
|
-pkgsysconfdir = ${sysconfdir}/nftables/osf
|
||||||
|
+pkgsysconfdir = ${sysconfdir}/${PACKAGE}
|
||||||
|
+osfdir = ${pkgsysconfdir}/osf
|
||||||
|
|
||||||
|
-dist_pkgsysconf_DATA = \
|
||||||
|
+dist_osf_DATA = \
|
||||||
|
files/osf/pf.os \
|
||||||
|
$(NULL)
|
||||||
|
|
||||||
|
@@ -410,3 +411,10 @@ EXTRA_DIST += \
|
||||||
|
|
||||||
|
pkgconfigdir = $(libdir)/pkgconfig
|
||||||
|
pkgconfig_DATA = libnftables.pc
|
||||||
|
+unit_DATA = tools/nftables.service
|
||||||
|
+man_MANS = tools/nftables.service.8
|
||||||
|
+doc_DATA = files/nftables/main.nft
|
||||||
|
+
|
||||||
|
+tools/nftables.service: tools/nftables.service.in ${top_builddir}/config.status
|
||||||
|
+ ${AM_V_GEN}${MKDIR_P} tools
|
||||||
|
+ ${AM_V_at}sed -e 's|@''sbindir''@|${sbindir}|g;s|@''pkgsysconfdir''@|${pkgsysconfdir}|g' <${srcdir}/tools/nftables.service.in >$@
|
||||||
|
diff --git a/configure.ac b/configure.ac
|
||||||
|
index a4552df7..805af74a 100644
|
||||||
|
--- a/configure.ac
|
||||||
|
+++ b/configure.ac
|
||||||
|
@@ -114,6 +114,16 @@ AC_CHECK_DECLS([getprotobyname_r, getprotobynumber_r, getservbyport_r], [], [],
|
||||||
|
#include <netdb.h>
|
||||||
|
]])
|
||||||
|
|
||||||
|
+AC_ARG_WITH([unitdir],
|
||||||
|
+ [AS_HELP_STRING([--with-unitdir=PATH], [Path to systemd service unit directory])],
|
||||||
|
+ [unitdir="$withval"],
|
||||||
|
+ [
|
||||||
|
+ unitdir=$("$PKG_CONFIG" systemd --variable systemdsystemunitdir 2>/dev/null)
|
||||||
|
+ AS_IF([test -z "$unitdir"], [unitdir='${prefix}/lib/systemd/system'])
|
||||||
|
+ ])
|
||||||
|
+AC_SUBST([unitdir])
|
||||||
|
+
|
||||||
|
+
|
||||||
|
AC_CONFIG_FILES([ \
|
||||||
|
Makefile \
|
||||||
|
libnftables.pc \
|
||||||
|
diff --git a/files/nftables/main.nft b/files/nftables/main.nft
|
||||||
|
new file mode 100644
|
||||||
|
index 00000000..d3171fd3
|
||||||
|
--- /dev/null
|
||||||
|
+++ b/files/nftables/main.nft
|
||||||
|
@@ -0,0 +1,22 @@
|
||||||
|
+#!/usr/sbin/nft -f
|
||||||
|
+
|
||||||
|
+# template static firewall configuration file
|
||||||
|
+#
|
||||||
|
+# copy this over to /etc/nftables/rules/main.nft as a starting point for
|
||||||
|
+# configuring a rule set which will be loaded by nftables.service.
|
||||||
|
+
|
||||||
|
+table inet filter {
|
||||||
|
+ chain input {
|
||||||
|
+ type filter hook input priority filter;
|
||||||
|
+ }
|
||||||
|
+ chain forward {
|
||||||
|
+ type filter hook forward priority filter;
|
||||||
|
+ }
|
||||||
|
+ chain output {
|
||||||
|
+ type filter hook output priority filter;
|
||||||
|
+ }
|
||||||
|
+}
|
||||||
|
+
|
||||||
|
+# this can be used to split the rule set into multiple smaller files concerned
|
||||||
|
+# with specific topics, like forwarding rules
|
||||||
|
+#include "/etc/nftables/rules/forwarding.nft"
|
||||||
|
diff --git a/tools/nftables.service.8 b/tools/nftables.service.8
|
||||||
|
new file mode 100644
|
||||||
|
index 00000000..bb88dc46
|
||||||
|
--- /dev/null
|
||||||
|
+++ b/tools/nftables.service.8
|
||||||
|
@@ -0,0 +1,17 @@
|
||||||
|
+.TH nftables.service 8 "" "nftables" "nftables admin reference"
|
||||||
|
+.SH Name
|
||||||
|
+nftables.service \(em Static Firewall Configuration with nftables.service
|
||||||
|
+.SH Description
|
||||||
|
+An nftables systemd service is provided which allows to setup static firewall
|
||||||
|
+rulesets based on a configuration file.
|
||||||
|
+.PP
|
||||||
|
+To use this service, you need to create the main configuration file in
|
||||||
|
+/etc/nftables/rules/main.nft. A template for this can be copied from
|
||||||
|
+/usr/share/doc/nftables/main.nft. Alternatively, `nft list ruleset >main.nft`
|
||||||
|
+could be used to save the active configuration (if any) to the file.
|
||||||
|
+.PP
|
||||||
|
+Once the desired static firewall configuration is in place, it can be tested by
|
||||||
|
+running `systemctl start nftables.service`. To enable the service at boot time,
|
||||||
|
+run `systemctl enable nftables.service`.
|
||||||
|
+.SH See also
|
||||||
|
+\fBnft\fP(8)
|
||||||
|
diff --git a/tools/nftables.service.in b/tools/nftables.service.in
|
||||||
|
new file mode 100644
|
||||||
|
index 00000000..2ac7e6fd
|
||||||
|
--- /dev/null
|
||||||
|
+++ b/tools/nftables.service.in
|
||||||
|
@@ -0,0 +1,21 @@
|
||||||
|
+[Unit]
|
||||||
|
+Description=nftables static rule set
|
||||||
|
+Documentation=man:nftables.service(8)
|
||||||
|
+Wants=network-pre.target
|
||||||
|
+Before=network-pre.target shutdown.target
|
||||||
|
+Conflicts=shutdown.target
|
||||||
|
+DefaultDependencies=no
|
||||||
|
+ConditionPathExists=@pkgsysconfdir@/rules/main.nft
|
||||||
|
+
|
||||||
|
+[Service]
|
||||||
|
+Type=oneshot
|
||||||
|
+RemainAfterExit=yes
|
||||||
|
+StandardInput=null
|
||||||
|
+ProtectSystem=full
|
||||||
|
+ProtectHome=true
|
||||||
|
+ExecStart=@sbindir@/nft 'flush ruleset; include "@pkgsysconfdir@/rules/main.nft"'
|
||||||
|
+ExecReload=@sbindir@/nft 'flush ruleset; include "@pkgsysconfdir@/rules/main.nft"'
|
||||||
|
+ExecStop=@sbindir@/nft flush ruleset
|
||||||
|
+
|
||||||
|
+[Install]
|
||||||
|
+WantedBy=sysinit.target
|
||||||
|
--
|
||||||
|
2.49.0
|
||||||
|
|
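Review bot: The unit in tools/nftables.service.in fails open in two places that the man page added by the same patch does not mention. `ConditionPathExists=@pkgsysconfdir@/rules/main.nft` makes systemd skip the unit without marking it failed when the file is missing, and `ExecStop=@sbindir@/nft flush ruleset` removes every table, including any not loaded from main.nft, so a stopped service leaves the host with no filtering at all. I would add a paragraph to tools/nftables.service.8 stating both behaviours, and recommending that monitoring check the output of `nft list ruleset` rather than unit state alone. The template files/nftables/main.nft also declares its three chains without a `policy`, so copied verbatim it accepts all traffic; one comment line in the template would make that explicit, e.g. `# no policy is set: every chain defaults to accept until rules are added`.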
@@ -1,3 +0,0 @@
|
|||||||
version https://git-lfs.github.com/spec/v1
|
|
||||||
oid sha256:a3c304cd9ba061239ee0474f9afb938a9bb99d89b960246f66f0c3a0a85e14cd
|
|
||||||
size 971968
|
|
Binary file not shown.
BIN
nftables-1.1.4.tar.xz
(Stored with Git LFS)
Normal file
BIN
nftables-1.1.4.tar.xz
(Stored with Git LFS)
Normal file
Binary file not shown.
BIN
nftables-1.1.4.tar.xz.sig
Normal file
BIN
nftables-1.1.4.tar.xz.sig
Normal file
Binary file not shown.
@@ -1,3 +1,82 @@
|
|||||||
|
-------------------------------------------------------------------
|
||||||
|
Wed Aug 6 15:50:11 UTC 2025 - Jan Engelhardt <jengelh@inai.de>
|
||||||
|
|
||||||
|
- Update to release 1.1.4
|
||||||
|
* Add conntrack information to monitor trace command.
|
||||||
|
* Add a 'check' fib result to check for routes.
|
||||||
|
* Better error reporting with re-declarations set/map with
|
||||||
|
different types.
|
||||||
|
* Restore meta hour matching on ranges spanning date boundaries,
|
||||||
|
e.g. `... meta hour "21:00"-"02:00"`
|
||||||
|
* Display number of set elements in rule listings.
|
||||||
|
* Allow deleting maps via their handle.
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Tue Apr 22 11:48:56 UTC 2025 - Jan Engelhardt <jengelh@inai.de>
|
||||||
|
|
||||||
|
- Update to release 1.1.3
|
||||||
|
* Fix incorrect bytecode for vlan pcp mangling from netdev family
|
||||||
|
chains such as ingress/egress: `... vlan pcp set 6 counter`
|
||||||
|
* Fix bogus element in large concatenated set ranges, leading to:
|
||||||
|
``16777216 . 00:11:22:33:44:55 . 10.1.2.3 comment "123"``
|
||||||
|
instead of:
|
||||||
|
``"lo" . 00:11:22:33:44:55 . 10.1.2.3 comment "123"``
|
||||||
|
* Restore set auto-merge feature with timeouts, disabled in the
|
||||||
|
previous v1.1.2 release.
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Mon Apr 14 20:11:18 UTC 2025 - Jan Engelhardt <jengelh@inai.de>
|
||||||
|
|
||||||
|
- Update to release 1.1.2
|
||||||
|
* Allow for expressing protocol dependency on sets.
|
||||||
|
* Support for more advanced bitwise operations with statements.
|
||||||
|
* Set element auto-merge now skips elements with
|
||||||
|
timeout/expiration.
|
||||||
|
* Memory footprint reduction for set elements.
|
||||||
|
* Updated `nft monitor` to report flowtable events.
|
||||||
|
* Support for merging bitmask matching in set/map with
|
||||||
|
-o/--optimize.
|
||||||
|
* Improved MPTCP support with symbol table for subtypes.
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Sat Mar 8 21:24:40 UTC 2025 - Jan Engelhardt <jengelh@inai.de>
|
||||||
|
|
||||||
|
- Update 0001-tools-add-a-systemd-unit-for-static-rulesets.patch
|
||||||
|
from new submission.
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Tue Mar 4 08:01:21 UTC 2025 - Jan Engelhardt <jengelh@inai.de>
|
||||||
|
|
||||||
|
- Add 0001-tools-add-a-systemd-unit-for-static-rulesets.patch
|
||||||
|
[boo#1237277]
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Thu Oct 3 07:00:54 UTC 2024 - Jan Engelhardt <jengelh@inai.de>
|
||||||
|
|
||||||
|
- Update to release 1.1.1
|
||||||
|
* Reduce netlink cache dependencies to speed up incremental
|
||||||
|
updates.
|
||||||
|
* Allow zero burst in byte ratelimiter expression.
|
||||||
|
* Fix double-free when users call nft_ctx_clear_vars() followed
|
||||||
|
by nft_ctx_free().
|
||||||
|
* Document that the tproxy statement is non-terminal (unlike in
|
||||||
|
iptables). This allows for tproxy+log and tproxy+mark combos,
|
||||||
|
see man nft(8) for details.
|
||||||
|
* Add egress support for the `list hooks` subcommand.
|
||||||
|
|
||||||
|
-------------------------------------------------------------------
|
||||||
|
Wed Jul 17 02:13:42 UTC 2024 - Jan Engelhardt <jengelh@inai.de>
|
||||||
|
|
||||||
|
- Update to release 1.1.0
|
||||||
|
* Restore compatibility set element dump with <= 0.9.8
|
||||||
|
* Disallow empty interface names
|
||||||
|
* Restore rule replace command
|
||||||
|
* Search for group, rt_mark, rt_realms at
|
||||||
|
/etc/iproute2, /usr/share/iproute2
|
||||||
|
* Resolve some timezone issues
|
||||||
|
* Support for variables in map expressions
|
||||||
|
* VLAN support
|
||||||
|
|
||||||
-------------------------------------------------------------------
|
-------------------------------------------------------------------
|
||||||
Thu Jan 4 08:04:39 UTC 2024 - Dirk Müller <dmueller@suse.com>
|
Thu Jan 4 08:04:39 UTC 2024 - Dirk Müller <dmueller@suse.com>
|
||||||
|
|
||||||
|
120
nftables.keyring
120
nftables.keyring
@@ -1,64 +1,64 @@
|
|||||||
-----BEGIN PGP PUBLIC KEY BLOCK-----
|
-----BEGIN PGP PUBLIC KEY BLOCK-----
|
||||||
|
|
||||||
mQINBF+HdQgBEACzteJUJGtj3N6u5mcGh4Nu/9GQfwrrphZuI7jto2N6+ZoURded
|
mQINBGcLlIQBEADH+pWx2d5XgY2JCOHTVaOpbNlNfp1k9Ul0W5zaZ7EFHIGSj06E
|
||||||
660mFLnax7wgIE8ugAa085jwFWbFY3FzGutUs/kDmnqy9WneYNBLIAF3ZTFfY+oi
|
o3+OM0eI6+d51PnqwRE+WbV4T3ooGnfgXN4fmKgq2TwkxlhKeFSzNGMuzzuoEwD+
|
||||||
V1C09bBlHKDj9gSEM2TZ/qU14exKdSloqcMKSdIqLQX27w/D6WmO1crDjOKKN9F2
|
2cvSF9VIrwif1o9oa9KMNfKTY/qjuWZS0QWZ08thPAf/tWpoaA3gaqYQUshj5G3w
|
||||||
zjc3uLjo1gIPrY+Kdld29aI0W4gYvNLOo+ewhVC5Q6ymWOdR3eKaP2HIAt8CYf0t
|
nTMdYlHUj7wkZCMg63tDygAe/7fDT3zurKCMbFoyiyQkp7V1SLxZpvuyuyPH6HtQ
|
||||||
Sx8ChHdBvXQITDmXoGPLTTiCHBoUzaJ/N8m4AZTuSUTr9g3jUNFmL48OrJjFPhHh
|
P5xcbXsp5ots0BgN+BplMX89DrspxJXqi7AsTf4QnC78KbchMJJxLKZQS759dQHF
|
||||||
KDY0V59id5nPu4RX3fa/XW+4FNlrthA5V9dQSIPh7r7uHynDtkcCHT5m4mn0NqG3
|
qHUTb3YdlxXFou6Si5LiBzvmqBRFj6m/WV1a8mDy5fPDkOLoTCUFHLmgvYHPJdtK
|
||||||
dsUqeYQlrWKCVDTfX/WQB3Rq1tgmOssFG9kZkXcVTmis3KFP1ZAahBRB33OJgSfi
|
5EqNkwYAbSnZKe9aSeVa4XhaZqyyQb9vIsKyOnwdJ/l222J95qHQapZSLcRdqgQz
|
||||||
WKc/mWLMEQcljbysbJzq74Vrjg44DNK7vhAXGoR35kjj5saduxTywdb3iZhGXEsg
|
ZgxuEdOHacEaJ1IJ21CE8EtJfFA5DMZtkZNIGF3OFlXhw7YxJoPgsodtlVspQsfX
|
||||||
9zqV0uOIfMQsQJQCZTlkqvZibdB3xlRyiCwqlf1eHB2Vo7efWbRIizX2da4c5xUj
|
u2FGP9yg0fd4zLgHnotKqfJQ9ZjMB6bbJUd6Au9jv0SiM+kVGeVfyaaX7TDeQ3TT
|
||||||
+IL1eSPmTV+52x1dYXpn/cSVKJAROtcSmwvMRyjuGOcTNtir0XHCxC5YYBow6tKR
|
/e44uFvkHkbYFQPcqsTalxtre6v7pMG2iu2mbkhQOC7qbL5MKMSdA93w/lF7w20b
|
||||||
U1hrFiulCMH80HeS+u/g4SpT4lcv+x0DlN5BfWQuN5k5ZzwKb6EQs092qQARAQAB
|
cwyDavEoKk9vgDjSkVjaffvdy4cESa5JY4lM4ZmzoujnAZMwbzQeGcBtqQARAQAB
|
||||||
tCxOZXRmaWx0ZXIgQ29yZSBUZWFtIDxjb3JldGVhbUBuZXRmaWx0ZXIub3JnPokC
|
tCxOZXRmaWx0ZXIgQ29yZSBUZWFtIDxjb3JldGVhbUBuZXRmaWx0ZXIub3JnPokC
|
||||||
VAQTAQoAPhYhBDfZZKzASYHHVQD7m9Vdl4qKFCDkBQJfh3UIAhsDBQkHhM4ABQsJ
|
VAQTAQoAPhYhBIxfcUahdXpl4kIqlNcNGmZqzyshBQJnC5SEAhsDBQkHhM4ABQsJ
|
||||||
CAcCBhUKCQgLAgQWAgMBAh4BAheAAAoJENVdl4qKFCDk0msQAJTIK8TLHw2IJDc6
|
CAcCBhUKCQgLAgQWAgMBAh4BAheAAAoJENcNGmZqzyshRE4P/AknD3DAWuCT7x7L
|
||||||
+ZfUJc+znSNwskO+A4lwvb1vRY5qFV+CA2S1eUS4HGDWDT0sPKie6Nx4+FBczkWd
|
LFIUCkfl7WUou9zMQKy62JRK/+/lNyG1dkmvBu7XWLl/+IRv1uIb25I4xwaze6GF
|
||||||
RA+eaKDqQeS5Vzc2f0bl74un91h7yE8O2NsVnpL166MnAAk3/ACjHsZX2PzF12F6
|
8yhZDNXZLhUjComr864fMEdKNdXInAClLRNY0InkFmHw/SizvwDld4PgsLzoS+qL
|
||||||
4stvGQFpjZRWItj0I6bvPY6CTtqVPB98a6RpdbS9kGxCCMrL3CFGDXGSjXes5KwN
|
5JY4FBlYEnd4wlIwH/w3gPycmdmQNVOjeWJhDrYKGLnjolpGRQPYRME4kjasWPbK
|
||||||
IvngmVB36wjb3QgEtQIv13jrWFfiXeuieqMRyC6Z3KNYVcvis34eGxPFD9MHrK+w
|
AWG/lpINQEB1DgtK8e6kcbUA8wSU6MMEsJjPY0o7lr9NvPfRpPXq34LjoFUXk3Hi
|
||||||
bdw3KzMBJd7hMoVRl32Q13T/PX8H3pqWMqKaL41wHUswRt0IQjNZnRvRnlJ0VDFf
|
Bt8OuVVMo+wTmlZWkXdknFKS4IPVxUA53oJOVMFW8divmF/l676KBogSnczoX4vR
|
||||||
Wep/3dFK+uQbdABuiwCiRli5mWeOMCP+qJodP1OZSGqg0VwZWUGdCGG5+qIhngOj
|
VW8sgDEKqb0NicKWJ2Fou+/KueY5OXsO8aZrZtXOsXIAMberdrNDYhyTUSYF8mZF
|
||||||
QVomvJ7N4eRLU3xuPVjLoBeHzvViUPpYtWQ/YiZK5rWTJHhu88xZaysFJRaV+Uz3
|
RdL6Jcm5GbQB/zOQElgzMwPQq5AD7SkziMzGOusWjqGmu9qphed/FimVbyRhMl5B
|
||||||
wPkeqdArRRXl1Tpy+cKy7D5BZAr7OjT1wboon23IM2DJRurbaHD8blMsjZ07pbvb
|
uDvGHthhy1KlPkqVcddN6i3/Kd/AMqXAuWMZH9FXJkUUWe+VAyeNHfEuBtSK2rqE
|
||||||
4hdpiE6mqq7CYskDz2UGTaFfEW4bFnKtvKTXEnmcqc4mWcr2z9BBYouGmcFczgET
|
zf8TYGg5Gz+oNspWuqEyWUwoH7eQkRx2GIbwu2rwcIzrh8L0rsyu+6FNNHnQfnNq
|
||||||
tE02XejmExXV2RPUtXfLuNIbVpuXG1qhzNuXAfm+S/68XDSFrwyK8/Dgq5ga0iIP
|
ytbE888dxKkXeJ5T09Pp/hPwkNM8X8ZLcTTsAknrvqLNp2As49dP6iJwysfYLf/v
|
||||||
n8Uvz12Xu/Qde+NicogLNWF90QJ2iQIzBBABCgAdFiEEwJ2yBj8dcDS6YVKtq0ZV
|
3Cyvz23JNeSQiTcC4YfKLs4LtCFkiQIzBBABCgAdFiEEN9lkrMBJgcdVAPub1V2X
|
||||||
oSbSkuQFAl+HdTEACgkQq0ZVoSbSkuSrmhAAi64OqYjb2ZbAJbFAPM6pijyys6Y9
|
iooUIOQFAmcLlJ0ACgkQ1V2XiooUIOQGJRAAsz/jYoNkSAhzvrY1t/5kSaa3Hyqi
|
||||||
o8ZyLoCRCUXNrjWkNIozTgmj5fm0ECrUXKyrB6OJhTvaRXmqLcBwWOAnP1v7wb+S
|
wpaJNIb6YCNT9JFlEvfsIlikjK28I+LNqVrWoLZyX1np8h0AGfNUPo/rLzVXzqZ/
|
||||||
ZhEwP0n6E1mZW0t1Qt0xX8yifM5Tpvy+757OSrsuoRpXwwz4Ubuc6G4N/McoRSfU
|
UHZi5AjzXM6BVnR84LahFVVLISBtjt3DvY4xvl8cIh03ShJe/yAKIXZUbxXevtnj
|
||||||
tVUcz3sKF8hcbETD/hVZb9Qfv0ZjQxu8LiBfKfgy2Eg8yExTdO027hYqQc5q2HEp
|
M0/5bLaLjlVf3KldR+gFjUaTT1nxfkQnzxbk2yKe+1tuQzFsYPLG9Elzyagb4QYm
|
||||||
HRjD2PMyI33V8KqffWn0AkofweOOFxg1ePV5X9M8rYP+k/2gjPkrrvnZgF/4SxDM
|
97CTxim3QcO0qWweoeusBqCkh7qD/ght76JrSnzq859XS//2jaq3A5ZsX5UJk5/E
|
||||||
FATmHaIbO3zEQg+u2f1mVCZASBBN1MLth7dMOoClHBmxnQ8uapRg9GNxs7TnXmV/
|
FkzL4zersQZwQE10BByBBJbxC8DzMuGeV+eTVVHKU81cEnzZFxfyOtQBD+oHBauW
|
||||||
diZZbqLf6i9bW/scvWEIdM8EGKpbGjdWIlgQJTIuz3seB+9zOdq9L3uTQWHnYLid
|
IC/v509TiH4qhZshJwcznsDZK1xAxxm3mryVtHbfSDSqzc5r/kNQt9mijD6wdsRb
|
||||||
R3YkyOsBRqQvM7Gb3zYgvlPjZ+L2FeGg5rD/eeLbv+k027E0TSAgtHoSA2pVTDDK
|
0yQy1P2xkk1zyvOw3BRI2NVXq6+642cp21tjsY136JT/3a6KwIlIIdzIUqejbLoF
|
||||||
uqCXVKfmk1I0SO83L9teBblxed07LeVaS9/uK00rWM/TM1bwogfF/4ZEsmAWznzv
|
GgGZPJiQXthfmLpDgvduD6YgaSHyhtJesX3SIGvYBdCGT69blrB7lHazYRE/xKNu
|
||||||
Xan/QmrYNgK3C3AZ4pMX7pGCGV1w93Fw3tUzaEJeS2LlsiL5aPOF63b/DqM6W2nl
|
bhnVzsaWlOXg52ChAMzsAAi5DV1669xUqRgj7zJHUq72bItZWdAvDSTIrQB4z7u8
|
||||||
UqGjKTdVLuF+JgoRH5U2wCyHYhDFm+CaFsYUu2Jf5hTmVWOR3anBoXy6Ty8SoV8q
|
QW+XZsveWM2sKjzpLZjQaxdS7dFvGepYY5liA01w7Bx2lU75ejgaWrm/hlaT//RD
|
||||||
KxtKpmKmIdPhDe65Ag0EX4d1CAEQANJMZApYzeeLrc7Rs6fGDK4Z3ejEST+aq7vO
|
Al9IQzw14mOtm0e5Ag0EZwuUhAEQANmO+fv67llu3nOZh9mcTbKa0MTT6cNjpEVU
|
||||||
RT9YEppRBG1QoUDBuNodAFxIWM6SpwvN7X9AZeIML2EOjDabF5Q6RNHbwODyLDYc
|
3MDImbN7pKTc/P+s6TVYBYn1q1U0XTXQlfh2HGdrLebAOdWW0Wcz4Kj9oOlRHOAR
|
||||||
wmqtWh0NNpK85fXwDgcLOQW+dPimsk3ni1crXhhjZgs6syb9yM/pDi0Tf7wzNZt0
|
yq3mRzb9hiCB89mJcw5xNIn83d5L/IJqONSaVLKnTwfwnTVaCJYuF5yIqDMOSXgS
|
||||||
0p736zlpQPMORfO+mFgac0FVt/GQsTdIwTBzZ36fcV3W8iPH334Sqsatp617R+z+
|
C3sbGLx/yEchAhQEWUG8nm9WTybFfq98mFrHEKRGsSgfCHq6KMNn9NuhW149ZK+K
|
||||||
q2alH8Vynz12iHi2oJFtmTxhghCROPcLWz3XMKv9A7BfuZeE0k+pK7xnBKrpZzKU
|
klPXZqFyDoRHdyivt9j9hfA0lr4t6sfXEfJedzjNO2f0Z8r2sQhmw3ykYDkzEF8I
|
||||||
k1j2uzTKzV2Bquo5HNDsy9PgQn16BlXVrxdHfQnBz2w67aHMKnPD/v+K81oxtnuk
|
zkgiik1Ke4+TmpD/4uL/hfgbkoVxZV6gI3M9rqs5o1glAuSFjsrGyog1EkUXplST
|
||||||
pwBAT8Wovkyy1VTLhQH5F0y5bpQrVH/Lwq0/q421hfD3iPHtb2tC1heT9ze/sqkY
|
Qn4ea/vQ6t1iBkTb2r3qzhK+VL7GWlvZa9DGq8btNAiOjKKqa0+3zRTXyPJAdMQM
|
||||||
plctFb81fx3o8xcBpvuIaTB3URptf8JNvh5KjETZFMQvAddq8oYovoKu+Z/585uC
|
X+FBAhmaHJoylArEHdzv5haB7rv0aGjKV4O1ifonSGE2pllmSDbTO3exIeslLgDh
|
||||||
qwO0Fohpw9qRwmhq7UBvGDVAVgo6kKjMW2Z9U3OnfggrDCytCIZh8eLNagfRL2cu
|
5GqVmQW30K5JvecKnb871c0utzRLHBF34HOYgRWBcl18DGD+SzXKj1//+4AatcAB
|
||||||
iq8Sx+cGGt1zoCPhjDN1MaNt/KHm8Gxr+lP+RxH3Et3pEX6mmhSCaU4wr0W5Bf3p
|
woNJHTEh6N3/mD3fJyWkyMwLJzo1x43Pmm1DkzioO9VMSxG7ReaH9WRDty3R83gT
|
||||||
jEtiOwnqajisBQCHh49OGiV8Vg9uQN5GpLpPpbvnGS4vq8jdj6p3gsiS2F7JMy7O
|
njEI0CDkG7m0nXctrsDcmBCYMSnvriWVr7kNYQ9tSi9WUa8Cs0xCmy49fF+7ihIl
|
||||||
ysBENBkXABEBAAGJAjwEGAEKACYWIQQ32WSswEmBx1UA+5vVXZeKihQg5AUCX4d1
|
yANR2aMrABEBAAGJAjwEGAEKACYWIQSMX3FGoXV6ZeJCKpTXDRpmas8rIQUCZwuU
|
||||||
CAIbDAUJB4TOAAAKCRDVXZeKihQg5NMIEACBdwXwDMRB8rQeqNrhbh7pjbHHFmag
|
hAIbDAUJB4TOAAAKCRDXDRpmas8rIZPuD/4qYhAdmCtaicOjeuMI0EhKA0O0cnXv
|
||||||
8bPvkmCq/gYGx9MQEKFUFtEGNSBh6m5pXr9hJ9HD2V16q9ERbuBcA6wosz4efQFB
|
BRwKXKGISZ6bt/f5fify78NQ4VdQzcpsRk1VvaEHRF5H+qxCQJ8MdzKcYpolCphj
|
||||||
bbage7ZSECCN+xMLirQGRVbTozu2eS8FXedH0X9f0JWLDGWwRg+pAqSOtuFjHhYM
|
ir1gE+zNP7gtzH4HOBzz3/q6GK5HmqwWth3X35ySrgrhnUZZX+plm9gRIRIqmijh
|
||||||
jVpwbH/s71BhH84x5RgWezh2BWLbP3UuY7JtWNAvAaeo53Js2dzzgjDopPis4qZR
|
hdDp/3/2FcskQzr9UvIQDB14TbbSVAsDx5cQUM5F1nS1AAJNSrebuEcBeeM0N1HP
|
||||||
rLR9cTGjqa6ZTc/PlLfaCsm6rGBlNx/bFJjz75+yn7vMQa47fOBt4qfriHX7G/Tg
|
tqWmcJuAHtTlk+K5yk02cgbP9926vlty1uI46UyI4t/xOxmIY6gXlcSMbBnVmB0s
|
||||||
3s8xsQSLEm3IBEYh27hoc9ZD45EXgm9ZiGA21t9v1jA27yTVaUrPbC40iDv/CMcQ
|
E+sKJTE7QrDpRRNiseCNLZcr/TNp9lrFpaUXz/JwXc+c1VC8UmARk9NLHsfoGz5H
|
||||||
7N2Y1sJRvmrd+2pKxtNNutujjwgBguo5bKK253R5Hy0a+NzK2LSc/GmR8EJJEwW1
|
fvhiUwl96wtvu1YKIev9nfVp1bb3/XeNAVJd+hNxOlkv68s3feutvv7vQR14E8cv
|
||||||
7r6road7Ss6YImCZExeY+CAW0FEzwQpmqfOdlusvIyk4x4r12JH8Q8NWHMzU3Ym/
|
CVTXK7aAZKkWJl2n8pPohsXs5vwrsG36oFSH98jehLtzLrpgtWj6N7U8SWhI9JlT
|
||||||
yqdopn/SCwCfXJsL4/eHLCaWuyiWjljNa7MwPDITx2ZPRE5QEqCqi4gaDWXyVHt8
|
EaIpEL/C1foVJeSZs8Tq1sqYaw81lovDFk8wuS1eFhWeEVodJQsfCPBgsQGZ46oZ
|
||||||
leGE1G3zoXNJogWhDswh105UnlZEEfOvbHbaxgWPjLV/xkuHhVlaqdyXbTExrgK6
|
gWz3AU3KrB4ruNxjkJJxfgKu39pHDrv3o5ZufAHoIAHRdPTPlcH1Wi/1LLgLqHVC
|
||||||
U2wevNS03dBuQ6bjNIbMIt9ulbiBV8MJWR0PZtnNJ958f1QXC4GT+L3FG1g5Jtz+
|
9+i7N1ClsO1/VgtYmZwzxWxsEJOcE2+vOROoVzgMh5lGhCLh6/3VTL96hIjcMp4W
|
||||||
rlbu70nh2kSJrg==
|
oD8ElPP+m/v6iA==
|
||||||
=wukb
|
=70vD
|
||||||
-----END PGP PUBLIC KEY BLOCK-----
|
-----END PGP PUBLIC KEY BLOCK-----
|
||||||
|
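Review bot: None of the .changes entries added in this comparison mentions that nftables.keyring now holds a different key block, or where that key came from. The keyring is the trust anchor for checking nftables-1.1.4.tar.xz.sig, so a key that arrives in the same change as the tarball and signature gives no independent assurance unless its fingerprint was confirmed through a separate channel. I would add a changelog line such as `- Replace nftables.keyring with the new upstream signing key (fingerprint <FINGERPRINT>, verified against <SOURCE>)`, with both placeholders filled in by the packager.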
@@ -1,7 +1,7 @@
|
|||||||
#
|
#
|
||||||
# spec file for package nftables
|
# spec file for package nftables
|
||||||
#
|
#
|
||||||
# Copyright (c) 2024 SUSE LLC
|
# Copyright (c) 2025 SUSE LLC
|
||||||
#
|
#
|
||||||
# All modifications and additions to the file contributed by third parties
|
# All modifications and additions to the file contributed by third parties
|
||||||
# remain the property of their copyright owners, unless otherwise agreed
|
# remain the property of their copyright owners, unless otherwise agreed
|
||||||
@@ -22,18 +22,18 @@
|
|||||||
%define pyversion 0.1
|
%define pyversion 0.1
|
||||||
|
|
||||||
Name: nftables
|
Name: nftables
|
||||||
Version: 1.0.9
|
Version: 1.1.4
|
||||||
Release: 0
|
Release: 0
|
||||||
Summary: Userspace utility to access the nf_tables packet filter
|
Summary: Userspace utility to access the nf_tables packet filter
|
||||||
License: GPL-2.0-only
|
License: GPL-2.0-only
|
||||||
Group: Productivity/Networking/Security
|
Group: Productivity/Networking/Security
|
||||||
URL: https://netfilter.org/projects/nftables/
|
URL: https://netfilter.org/projects/nftables/
|
||||||
|
|
||||||
#Git-Clone: git://git.netfilter.org/nftables
|
#Git-Clone: git://git.netfilter.org/nftables
|
||||||
Source: http://ftp.netfilter.org/pub/%name/%name-%version.tar.xz
|
Source: http://ftp.netfilter.org/pub/%name/%name-%version.tar.xz
|
||||||
Source2: http://ftp.netfilter.org/pub/%name/%name-%version.tar.xz.sig
|
Source2: http://ftp.netfilter.org/pub/%name/%name-%version.tar.xz.sig
|
||||||
Source3: %name.keyring
|
Source3: %name.keyring
|
||||||
Source4: nftables.rpmlintrc
|
Source4: nftables.rpmlintrc
|
||||||
|
Patch1: 0001-tools-add-a-systemd-unit-for-static-rulesets.patch
|
||||||
BuildRequires: %{python_module pip}
|
BuildRequires: %{python_module pip}
|
||||||
BuildRequires: %{python_module setuptools}
|
BuildRequires: %{python_module setuptools}
|
||||||
BuildRequires: %{python_module wheel}
|
BuildRequires: %{python_module wheel}
|
||||||
@@ -48,7 +48,7 @@ BuildRequires: python-rpm-macros
|
|||||||
BuildRequires: pkgconfig(jansson)
|
BuildRequires: pkgconfig(jansson)
|
||||||
BuildRequires: pkgconfig(libedit)
|
BuildRequires: pkgconfig(libedit)
|
||||||
BuildRequires: pkgconfig(libmnl) >= 1.0.4
|
BuildRequires: pkgconfig(libmnl) >= 1.0.4
|
||||||
BuildRequires: pkgconfig(libnftnl) >= 1.2.6
|
BuildRequires: pkgconfig(libnftnl) >= 1.3.0
|
||||||
BuildRequires: pkgconfig(xtables) >= 1.6.1
|
BuildRequires: pkgconfig(xtables) >= 1.6.1
|
||||||
%python_subpackages
|
%python_subpackages
|
||||||
|
|
||||||
@@ -93,9 +93,11 @@ BuildArch: noarch
|
|||||||
Python bindings for nftables
|
Python bindings for nftables
|
||||||
|
|
||||||
%prep
|
%prep
|
||||||
%autosetup -p1
|
%setup -q
|
||||||
# remove unused shebang
|
# remove unused shebang
|
||||||
sed -i '1{/bin/d}' py/src/nftables.py
|
sed -i '1{/bin/d}' py/src/nftables.py
|
||||||
|
rm -f files/nftables/main.nft
|
||||||
|
%patch -P 1 -p1
|
||||||
|
|
||||||
%build
|
%build
|
||||||
autoreconf -fi
|
autoreconf -fi
|
||||||
@@ -103,38 +105,51 @@ mkdir bin
|
|||||||
ln -s "%_bindir/docbook-to-man" bin/docbook2x-man
|
ln -s "%_bindir/docbook-to-man" bin/docbook2x-man
|
||||||
export PATH="$PATH:$PWD/bin"
|
export PATH="$PATH:$PWD/bin"
|
||||||
mkdir obj
|
mkdir obj
|
||||||
pushd obj/
|
cd obj/
|
||||||
%define _configure ../configure
|
%define _configure ../configure
|
||||||
%configure --disable-silent-rules --disable-static --docdir="%_docdir/%name" \
|
%configure --disable-silent-rules --disable-static --docdir="%_docdir/%name" \
|
||||||
--includedir="%_includedir/%name" --with-json \
|
--includedir="%_includedir/%name" --with-json \
|
||||||
--enable-python --with-python-bin="$(which python3)"
|
--enable-python --with-python-bin="$(which python3)"
|
||||||
%make_build
|
%make_build
|
||||||
popd
|
cd -
|
||||||
pushd py
|
cd py
|
||||||
%pyproject_wheel
|
%pyproject_wheel
|
||||||
popd
|
cd -
|
||||||
|
|
||||||
%install
|
%install
|
||||||
b="%buildroot"
|
b="%buildroot"
|
||||||
%make_install -C obj
|
%make_install -C obj
|
||||||
pushd py
|
perl -i -lpe 's{^(Conflicts=.*)}{$1 firewalld.service}' "$b/%_unitdir/nftables.service"
|
||||||
|
cd py
|
||||||
%pyproject_install
|
%pyproject_install
|
||||||
%python_expand %fdupes %buildroot/%{$python_sitelib}
|
%python_expand %fdupes %buildroot/%{$python_sitelib}
|
||||||
popd
|
|
||||||
rm -f "%buildroot/%_libdir"/*.la
|
rm -f "%buildroot/%_libdir"/*.la
|
||||||
mkdir -p "$b/%_docdir/%name/examples"
|
mkdir -p "$b/%_docdir/%name/examples"
|
||||||
mv -v "$b/%_datadir/nftables"/*.nft "$b/%_docdir/%name/examples/"
|
mv -v "$b/%_datadir/nftables"/*.nft "$b/%_docdir/%name/examples/"
|
||||||
|
|
||||||
%post -n libnftables1 -p /sbin/ldconfig
|
%ldconfig_scriptlets -n libnftables1
|
||||||
%postun -n libnftables1 -p /sbin/ldconfig
|
|
||||||
|
%pre
|
||||||
|
%service_add_pre nftables.service
|
||||||
|
|
||||||
|
%post
|
||||||
|
%service_add_post nftables.service
|
||||||
|
|
||||||
|
%preun
|
||||||
|
%service_del_preun nftables.service
|
||||||
|
|
||||||
|
%postun
|
||||||
|
%service_del_postun nftables.service
|
||||||
|
|
||||||
%files
|
%files
|
||||||
%license COPYING
|
%license COPYING
|
||||||
%_sysconfdir/nftables/
|
%dir %_sysconfdir/nftables/
|
||||||
|
%_sysconfdir/nftables/osf/
|
||||||
%_sbindir/nft
|
%_sbindir/nft
|
||||||
%_mandir/man5/*.5*
|
%_mandir/man5/*.5*
|
||||||
%_mandir/man8/nft*
|
%_mandir/man8/nft*
|
||||||
%_docdir/%name/
|
%_docdir/%name/
|
||||||
|
%_unitdir/nftables.service
|
||||||
|
|
||||||
%files -n libnftables1
|
%files -n libnftables1
|
||||||
%_libdir/libnftables.so.1*
|
%_libdir/libnftables.so.1*
|
||||||
@@ -146,7 +161,7 @@ mv -v "$b/%_datadir/nftables"/*.nft "$b/%_docdir/%name/examples/"
|
|||||||
%_mandir/man3/*.3*
|
%_mandir/man3/*.3*
|
||||||
|
|
||||||
%files %{python_files nftables}
|
%files %{python_files nftables}
|
||||||
%{python_sitelib}/nftables
|
%python_sitelib/nftables
|
||||||
%{python_sitelib}/nftables-%{pyversion}.dist-info
|
%python_sitelib/nftables-%pyversion.dist-info
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
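Review bot: Appending `firewalld.service` to `Conflicts=` (the `perl -i -lpe` line in %install) adds no ordering between the two units. When firewalld is started while nftables.service is active, systemd may therefore run the stop job's `nft flush ruleset` concurrently with firewalld loading its own tables. If the flush lands last, firewalld's tables would be removed while firewalld still reports active; I have not checked whether the shipped firewalld unit already orders itself against nftables.service. Adding an ordering dependency in the same substitution makes the stop complete before the start, e.g. `perl -i -lpe 's{^(Conflicts=.*)}{$1 firewalld.service}; s{^(Before=.*)}{$1 firewalld.service}' "$b/%_unitdir/nftables.service"`. The substitution also succeeds silently if the patched unit ever loses its `Conflicts=` line, so following it with `grep -q 'Conflicts=.*firewalld.service' "$b/%_unitdir/nftables.service"` would catch a drifted patch at build time.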