Bug 1313936

Summary: RFE: systemd unit for nftables
Product: Fedora
Component: nftables
Version: rawhide
Reporter: Major Hayden 🤠 <mhayden>
Assignee: Kevin Fenzi <kevin>
QA Contact: Fedora Extras Quality Assurance <extras-qa>
CC: dac.override, jpopelka, kevin, twoerner
Status: CLOSED RAWHIDE
Keywords: Reopened
Severity: unspecified
Priority: unspecified
Type: Bug
Doc Type: Bug Fix
Last Closed: 2016-04-10 20:10:48 UTC

Description Major Hayden 🤠 2016-03-02 16:11:35 UTC
The nftables package works fine in Fedora 23, but there's no systemd service that I can use to load nftables tables/chains/rules at boot time.  The Arch folks have cobbled together some files to do this:

https://projects.archlinux.org/svntogit/packages.git/tree/trunk?h=packages/nftables

Would it be possible to get something like this into the nftables package?  Thanks!

Comment 1 Kevin Fenzi 2016-03-05 16:34:03 UTC
I've no objection, but has anyone asked them to submit those upstream? 

Also, with the last release ~6 months ago, perhaps it's time to nag them about another one.

Comment 2 Kevin Fenzi 2016-03-21 17:15:32 UTC
Sadly, upstream refuses to add systemd units. ;( 

I'll try and find some time soon to look at the debian and arch and suse ones and see which ones seem the best to base off of.

Comment 3 Kevin Fenzi 2016-03-25 19:22:10 UTC
OK. I have added a unit file to the last rawhide build. Should show up tomorrow.

Let me know if you see any problems with it.

Comment 4 dac.override 2016-03-26 12:16:26 UTC
Thanks, that is inspiring. I was/am using this (for nftables):

[Unit]
Description=nftables
Documentation=man:nftables(8)
Before=network.target

[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/usr/sbin/nft -I /etc/nftables -f /etc/nftables/ipv4
ExecStop=/usr/sbin/nft flush table ip filter
ExecStop=/usr/sbin/nft flush table ip nat
ExecStop=/usr/sbin/nft flush table ip mangle
ExecStop=/usr/sbin/nft delete table ip filter
ExecStop=/usr/sbin/nft delete table ip nat
ExecStop=/usr/sbin/nft delete table ip mangle

[Install]
WantedBy=network.target

And this for nf6tables:

[Unit]
Description=nf6tables
Documentation=man:nftables(8)
After=nftables.service
Before=network.target

[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/usr/sbin/nft -I /etc/nftables -f /etc/nftables/ipv6
ExecStop=/usr/sbin/nft flush table ip6 filter
ExecStop=/usr/sbin/nft flush table ip6 nat
ExecStop=/usr/sbin/nft flush table ip6 mangle
ExecStop=/usr/sbin/nft delete table ip6 filter
ExecStop=/usr/sbin/nft delete table ip6 nat
ExecStop=/usr/sbin/nft delete table ip6 mangle

[Install]
WantedBy=network.target

Yours is much better (of course).

However yours is using /etc/nftables.conf. Does that actually exist?

Comment 5 Kevin Fenzi 2016-03-26 15:51:07 UTC
Oops. I forgot to include it. It can be just empty or have your rules in it. 

I meant to include one with a bunch of comments. Thinking about it, I wonder if it shouldn't be /etc/sysconfig/nftables and /etc/sysconfig/nftables-ipv6 to match the iptables setup. 

I also see I somehow typoed the Install line. ;( 

Will push a fixed package today... sorry about that.

Comment 6 Major Hayden 🤠 2016-03-28 13:34:48 UTC
Thanks, Kevin!  The new systemd unit works well!

Comment 7 Kevin Fenzi 2016-04-10 20:10:48 UTC
OK. I fixed the install typo, added a dummy nftables.conf file and moved it over to /etc/sysconfig/nftables.conf.

Feedback welcome.
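For reference, here is what a unit along the lines discussed in comments 4 and 7 looks like when written out with the ordering and checks a firewall unit needs. This is an added illustration, not the unit shipped in the Fedora package or the one dac.override posted; it assumes the ruleset lives in /etc/sysconfig/nftables.conf (the path from comment 7) and that the file begins with "flush ruleset" so that each load replaces, rather than appends to, the running rules. The "nft -c" syntax check is an nft option of newer releases and is an assumption for the nft version in the thread.

```ini
# Illustrative nftables.service (not the Fedora package's unit).
[Unit]
Description=Netfilter Tables (nftables) ruleset
Documentation=man:nft(8) man:nftables(8)
# A firewall should be up before any interface is configured, so order
# against network-pre.target (see systemd.special(7)) rather than
# network.target, which comment 4's units used.
Wants=network-pre.target
Before=network-pre.target
# Do not start at all if the ruleset file is missing; an empty ruleset
# with "policy accept" defaults is not a firewall.
ConditionPathExists=/etc/sysconfig/nftables.conf

[Service]
Type=oneshot
RemainAfterExit=yes
# Parse the file first: a syntax error fails the unit before any rule is
# loaded, instead of leaving a half-applied ruleset behind (assumes a
# nft release that has -c/--check).
ExecStartPre=/usr/sbin/nft -c -f /etc/sysconfig/nftables.conf
ExecStart=/usr/sbin/nft -f /etc/sysconfig/nftables.conf
# "systemctl reload nftables" re-reads the file; the leading
# "flush ruleset" in the file makes this a full atomic replacement.
ExecReload=/usr/sbin/nft -f /etc/sysconfig/nftables.conf
# One command covers every family (ip, ip6, inet), so no per-table
# flush/delete list is needed. Note that after stop the host has no
# packet filter at all until the unit is started again.
ExecStop=/usr/sbin/nft flush ruleset

[Install]
WantedBy=multi-user.target
```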