From: Jan Engelhardt Date: Thu, 17 Apr 2025 14:48:33 +0000 (+0200) Subject: tools: add a systemd unit for static rulesets X-Git-Tag: v1.1.5~11 X-Git-Url: http://git.ipfire.org/?a=commitdiff_plain;h=c4b17cf8305108f91d8e63880317a59e8e806c80;p=thirdparty%2Fnftables.git tools: add a systemd unit for static rulesets There is a customer request (bugreport) for wanting to trivially load a ruleset from a well-known location on boot, forwarded to me by M. Gerstner. A systemd service unit is hereby added to provide that functionality. This is based on various distributions attempting to do same, for example, https://src.fedoraproject.org/rpms/nftables/tree/rawhide https://gitlab.alpinelinux.org/alpine/aports/-/blob/master/main/nftables/nftables.initd https://gitlab.archlinux.org/archlinux/packaging/packages/nftables Acked-by: Eric Garver Signed-off-by: Pablo Neira Ayuso
---
diff --git a/INSTALL b/INSTALL
index 5d45ec988..0c48c9895 100644
--- a/INSTALL
+++ b/INSTALL
@@ -42,6 +42,12 @@ Installation instructions for nftables
 The base directory for arch-independent files. Defaults to $prefix/share.
+ --with-unitdir=
+
+ Directory for systemd unit files. Defaults to the value obtained from
+ pkg-config for systemd.pc, and ${prefix}/lib/systemd/system as a
+ fallback.
+
 --disable-debug
 Disable debugging
diff --git a/Makefile.am b/Makefile.am
index b5580b545..4909abfee 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -377,18 +377,19 @@ dist_pkgdata_DATA = \
 	files/nftables/netdev-ingress.nft \
 	$(NULL)
-pkgdocdir = ${docdir}/examples
+exampledir = ${docdir}/examples
-dist_pkgdoc_SCRIPTS = \
+dist_example_SCRIPTS = \
 	files/examples/ct_helpers.nft \
 	files/examples/load_balancing.nft \
 	files/examples/secmark.nft \
 	files/examples/sets_and_maps.nft \
 	$(NULL)
-pkgsysconfdir = ${sysconfdir}/nftables/osf
+pkgsysconfdir = ${sysconfdir}/${PACKAGE}
+osfdir = ${pkgsysconfdir}/osf
-dist_pkgsysconf_DATA = \
+dist_osf_DATA = \
 	files/osf/pf.os \
 	$(NULL)
@@ -412,3 +413,10 @@ EXTRA_DIST += \
 pkgconfigdir = $(libdir)/pkgconfig
 pkgconfig_DATA = libnftables.pc
+unit_DATA = tools/nftables.service
+man_MANS = tools/nftables.service.8
+doc_DATA = files/nftables/main.nft
+
+tools/nftables.service: tools/nftables.service.in ${top_builddir}/config.status
+	${AM_V_GEN}${MKDIR_P} tools
+	${AM_V_at}sed -e 's|@''sbindir''@|${sbindir}|g;s|@''pkgsysconfdir''@|${pkgsysconfdir}|g' <${srcdir}/tools/nftables.service.in >$@
diff --git a/configure.ac b/configure.ac
index 550913ef0..626c641b0 100644
--- a/configure.ac
+++ b/configure.ac
@@ -114,6 +114,16 @@ AC_CHECK_DECLS([getprotobyname_r, getprotobynumber_r, getservbyport_r], [], [],
 #include ]])
+AC_ARG_WITH([unitdir],
+ [AS_HELP_STRING([--with-unitdir=PATH], [Path to systemd service unit directory])],
+ [unitdir="$withval"],
+ [
+ unitdir=$("$PKG_CONFIG" systemd --variable systemdsystemunitdir 2>/dev/null)
+ AS_IF([test -z "$unitdir"], [unitdir='${prefix}/lib/systemd/system'])
+ ])
+AC_SUBST([unitdir])
+
+
 AC_CONFIG_FILES([ \
 Makefile \
 libnftables.pc \
@@ -127,4 +137,5 @@ nft configuration:
 use mini-gmp: ${with_mini_gmp}
 enable man page: ${enable_man_doc}
 libxtables support: ${with_xtables}
- json output support: ${with_json}"
+ json output support: ${with_json}
+ systemd unit: ${unitdir}"
diff --git a/files/nftables/main.nft b/files/nftables/main.nft
new file mode 100644
index 000000000..d3171fd34
--- /dev/null
+++ b/files/nftables/main.nft
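Review bot: `man_MANS = tools/nftables.service.8` and `doc_DATA = files/nftables/main.nft` use plain `=`; if either variable is already assigned elsewhere in this Makefile.am (the nft(8)/libnftables man pages are the obvious candidate, not visible from this hunk), this silently replaces that list instead of extending it, so `+=` is the safer form. The hand-written `tools/nftables.service` rule is also not wired into automake's housekeeping: `tools/nftables.service.in` has to appear in `EXTRA_DIST` or `make dist` tarballs will lack it, and the generated `tools/nftables.service` belongs in `CLEANFILES`. The recipe writes straight to `$@`, so a failed or interrupted sed leaves a truncated unit that the next `make` considers up to date; writing to a temporary and renaming, `>$@.tmp && mv $@.tmp $@`, avoids that.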
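Review bot: `--without-unitdir` (equivalently `--with-unitdir=no`) takes the `[unitdir="$withval"]` branch and leaves `unitdir` set to the literal string `no`, so `make install` would create a relative directory named `no` and put the unit there instead of skipping it; the conventional shape is `AS_IF([test "$withval" = no], [unitdir=], [unitdir="$withval"])`, with the install in Makefile.am guarded by an `AM_CONDITIONAL` on a non-empty `unitdir`. The pkg-config branch returns systemd's absolute `systemdsystemunitdir` (typically /usr/lib/systemd/system) regardless of `--prefix`, which matches distro practice for units but surprises a `--prefix=/usr/local` user whose other files stay under the prefix; a one-line comment next to the query, `# absolute path from systemd.pc, deliberately independent of $prefix`, would record that this is intended. The single-quoted fallback `'${prefix}/lib/systemd/system'` is correctly left for make to expand, which deserves the same kind of comment since it looks like a shell-quoting slip.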
@@ -0,0 +1,22 @@
+#!/usr/sbin/nft -f
+
+# template static firewall configuration file
+
+# copy this over to /etc/nftables/rules/main.nft as a starting point for
+# configuring a rule set which will be loaded by nftables.service.
+
+table inet filter {
+	chain input {
+		type filter hook input priority filter;
+	}
+	chain forward {
+		type filter hook forward priority filter;
+	}
+	chain output {
+		type filter hook output priority filter;
+	}
+}
+
+# this can be used to split the rule set into multiple smaller files concerned
+# with specific topics, like forwarding rules
+#include "/etc/nftables/rules/forwarding.nft"
diff --git a/tools/nftables.service.8 b/tools/nftables.service.8
new file mode 100644
index 000000000..bb88dc46f
--- /dev/null
+++ b/tools/nftables.service.8
@@ -0,0 +1,17 @@
+.TH nftables.service 8 "" "nftables" "nftables admin reference"
+.SH Name
+nftables.service \(em Static Firewall Configuration with nftables.service
+.SH Description
+An nftables systemd service is provided which allows to setup static firewall
+rulesets based on a configuration file.
+.PP
+To use this service, you need to create the main configuration file in
+/etc/nftables/rules/main.nft. A template for this can be copied from
+/usr/share/doc/nftables/main.nft. Alternatively, `nft list ruleset >main.nft`
+could be used to save the active configuration (if any) to the file.
+.PP
+Once the desired static firewall configuration is in place, it can be tested by
+running `systemctl start nftables.service`. To enable the service at boot time,
+run `systemctl enable nftables.service`.
+.SH See also
+\fBnft\fP(8)
diff --git a/tools/nftables.service.in b/tools/nftables.service.in
new file mode 100644
index 000000000..2ac7e6fd0
--- /dev/null
+++ b/tools/nftables.service.in
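Review bot: None of the three chains sets a `policy`, and nft's documented default for a base chain is `policy accept`, so the template as shipped is a pass-through ruleset rather than a firewall; because the man page presents it as the starting point for a "static firewall", the file itself should say so, e.g. `# base chains default to policy accept; add "policy drop;" to input/forward (with "ct state established,related accept" and "iif lo accept" rules) for a restrictive ruleset`. The shebang hardcodes `/usr/sbin/nft` and the comments hardcode `/etc/nftables/rules/`, while the unit added in this same commit is generated from `@sbindir@` and `@pkgsysconfdir@`; either template this file the same way or add a comment that the paths assume a default install so the two do not drift apart. The enclosing `table inet filter` block is complete within the hunk.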
@@ -0,0 +1,21 @@
+[Unit]
+Description=nftables static rule set
+Documentation=man:nftables.service(8)
+Wants=network-pre.target
+Before=network-pre.target shutdown.target
+Conflicts=shutdown.target
+DefaultDependencies=no
+ConditionPathExists=@pkgsysconfdir@/rules/main.nft
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+StandardInput=null
+ProtectSystem=full
+ProtectHome=true
+ExecStart=@sbindir@/nft 'flush ruleset; include "@pkgsysconfdir@/rules/main.nft"'
+ExecReload=@sbindir@/nft 'flush ruleset; include "@pkgsysconfdir@/rules/main.nft"'
+ExecStop=@sbindir@/nft flush ruleset
+
+[Install]
+WantedBy=sysinit.target
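Review bot: `ExecStop=@sbindir@/nft flush ruleset` — together with the `flush ruleset;` prefix in ExecStart/ExecReload — deletes every table in the kernel, including ones created by other tools, and leaves the host with no packet filter after `systemctl stop nftables.service` or at shutdown (which `Conflicts=shutdown.target` turns into a stop); neither the unit nor the man page states this. A comment in the unit such as `# This unit owns the whole ruleset: start/reload replace it, stop removes it (fail-open).` would make the contract explicit, and sites that prefer the last loaded rules to stay in place until reboot could drop `ExecStop=` entirely. Since nft needs only CAP_NET_ADMIN on a netlink socket, the existing `ProtectSystem=full`/`ProtectHome=true` could be complemented with `CapabilityBoundingSet=CAP_NET_ADMIN`, provided a ruleset that uses `include` or hostname lookups is verified to still load under it. With `DefaultDependencies=no` the unit also carries no `After=` ordering on the filesystem holding `@pkgsysconfdir@` or `@sbindir@`; that is fine when both live on the root filesystem but is worth a comment if either can be a separate mount.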