Bug 1313936 - RFE: systemd unit for nftables
Summary: RFE: systemd unit for nftables
Status: CLOSED RAWHIDE
Alias: None
Product: Fedora
Classification: Fedora
Component: nftables
Version: rawhide
Hardware: Unspecified
OS: Unspecified
Target Milestone: ---
Assignee: Kevin Fenzi
QA Contact: Fedora Extras Quality Assurance
Reported: 2016-03-02 16:11 UTC by Major Hayden 🤠
Modified: 2016-04-10 20:10 UTC

Doc Type: Bug Fix
Last Closed: 2016-04-10 20:10:48 UTC
Type: Bug



Description Major Hayden 🤠 2016-03-02 16:11:35 UTC
The nftables package works fine in Fedora 23, but there's no systemd service that I can use to load nftables tables/chains/rules at boot time.  The Arch folks have cobbled together some files to do this:

https://projects.archlinux.org/svntogit/packages.git/tree/trunk?h=packages/nftables

Would it be possible to get something like this into the nftables package?  Thanks!

Comment 1 Kevin Fenzi 2016-03-05 16:34:03 UTC
I've no objection, but has anyone asked them to submit those upstream? 

Also, with the last release ~6 months ago, perhaps it's time to nag them about another one.

Comment 2 Kevin Fenzi 2016-03-21 17:15:32 UTC
Sadly, upstream refuses to add systemd units. ;(

I'll try and find some time soon to look at the Debian, Arch and SUSE ones and see which ones seem the best to base off of.

Comment 3 Kevin Fenzi 2016-03-25 19:22:10 UTC
OK. I have added a unit file to the last rawhide build. Should show up tomorrow.

Let me know if you see any problems with it.

Comment 4 dac.override 2016-03-26 12:16:26 UTC
Thanks, that is inspiring. I was/am using this (for nftables):

[Unit]
Description=nftables
Documentation=man:nftables(8)
Before=network.target

[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/usr/sbin/nft -I /etc/nftables -f /etc/nftables/ipv4
ExecStop=/usr/sbin/nft flush table ip filter
ExecStop=/usr/sbin/nft flush table ip nat
ExecStop=/usr/sbin/nft flush table ip mangle
ExecStop=/usr/sbin/nft delete table ip filter
ExecStop=/usr/sbin/nft delete table ip nat
ExecStop=/usr/sbin/nft delete table ip mangle

[Install]
WantedBy=network.target

And this for nf6tables:

[Unit]
Description=nf6tables
Documentation=man:nftables(8)
After=nftables.service
Before=network.target

[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/usr/sbin/nft -I /etc/nftables -f /etc/nftables/ipv6
ExecStop=/usr/sbin/nft flush table ip6 filter
ExecStop=/usr/sbin/nft flush table ip6 nat
ExecStop=/usr/sbin/nft flush table ip6 mangle
ExecStop=/usr/sbin/nft delete table ip6 filter
ExecStop=/usr/sbin/nft delete table ip6 nat
ExecStop=/usr/sbin/nft delete table ip6 mangle

[Install]
WantedBy=network.target

Yours is much better (of course).

However yours is using /etc/nftables.conf. Does that actually exist?

Comment 5 Kevin Fenzi 2016-03-26 15:51:07 UTC
Oops. I forgot to include it. It can be just empty or have your rules in it.

I meant to include one with a bunch of comments. Thinking about it, I wonder if it shouldn't be /etc/sysconfig/nftables and /etc/sysconfig/nftables-ipv6 to match the iptables setup.

I also see I somehow typoed the Install line. ;(

Will push a fixed package today... sorry about that.
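
The missing-ruleset problem raised in comments 4 and 5 (a unit whose ExecStart points at a file that does not exist leaves the host without its firewall rules after boot), as an added checker that is not part of this bug, the Fedora package or any poster's code: it parses a unit file while keeping repeated ExecStop keys, confirms the file passed to nft -f exists, and compares the tables that file defines with the tables ExecStop deletes. The unit text, file contents and paths below are constructed for the example.

```python
import re

# Constructed sample unit, modelled on the one posted in comment 4; paths are hypothetical.
UNIT_TEXT = """\
[Service]
Type=oneshot
RemainAfterExit=yes
ExecStart=/usr/sbin/nft -I /etc/nftables -f /etc/nftables/ipv4
ExecStop=/usr/sbin/nft delete table ip filter
ExecStop=/usr/sbin/nft delete table ip nat
ExecStop=/usr/sbin/nft delete table ip mangle
"""
# Constructed stand-in for the filesystem: path -> file content (a path not in the dict is a missing file).
FILES = {
    "/etc/nftables/ipv4": "table ip filter {\n  chain input { type filter hook input priority 0; policy drop; }\n}\ntable ip nat {\n}\n",
}
TABLE_RE = re.compile(r"^\s*table\s+(\S+)\s+(\S+)\s*\{", re.M)   # "table <family> <name> {"
DELETE_RE = re.compile(r"\bdelete\s+table\s+(\S+)\s+(\S+)")       # "nft delete table <family> <name>"

def parse_unit(text):
    # Minimal unit-file parser returning {section: {key: [values]}}; keys such as ExecStop
    # may legitimately repeat, which is why configparser (last value wins) is not used.
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = sections.setdefault(line[1:-1], {})
        elif "=" in line and current is not None:
            key, value = line.split("=", 1)
            current.setdefault(key.strip(), []).append(value.strip())
    return sections

def check_unit(unit_text, files):
    # Returns (severity, message) findings for the unit/ruleset pairing.
    service = parse_unit(unit_text).get("Service", {})
    findings, defined = [], set()
    for cmd in service.get("ExecStart", []):
        argv = cmd.split()
        for path in (argv[i + 1] for i, a in enumerate(argv[:-1]) if a == "-f"):
            if path not in files:
                findings.append(("error", f"{path} is missing: the unit fails and no rules load at boot"))
            else:
                defined |= set(TABLE_RE.findall(files[path]))
    deleted = {t for cmd in service.get("ExecStop", []) for t in DELETE_RE.findall(cmd)}
    for fam, name in sorted(defined - deleted):
        findings.append(("warn", f"table {fam} {name} is loaded but never removed by ExecStop"))
    for fam, name in sorted(deleted - defined):
        findings.append(("warn", f"ExecStop deletes table {fam} {name}, which the ruleset never defines"))
    return findings
```

Running check_unit(UNIT_TEXT, {}) reproduces the comment 4 situation (ruleset file absent) and reports the error first; with FILES present it only flags the mangle table, which the sample ruleset never creates.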

Comment 6 Major Hayden 🤠 2016-03-28 13:34:48 UTC
Thanks, Kevin!  The new systemd unit works well!

Comment 7 Kevin Fenzi 2016-04-10 20:10:48 UTC
OK. I fixed the install typo, added a dummy nftables.conf file and moved it over to /etc/sysconfig/nftables.conf.

Feedback welcome.
