Bug 540198 - net-firewall/nftables doesn't provide systemd service file
Summary: net-firewall/nftables doesn't provide systemd service file
Status: RESOLVED TEST-REQUEST
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: [OLD] Core system
Hardware: All Linux
Importance: Normal normal
Assignee: nvinson234
URL:
Whiteboard:
Keywords: NeedPatch
Depends on:
Blocks: install-systemd-unit
Reported: 2015-02-15 20:52 UTC by Simon Siemonsma
Modified: 2015-11-03 07:34 UTC (History)

See Also:
Package list:
Runtime testing required: ---


Attachments
Refactor /etc/init.d/nftables into a proper shell script (0001-refactor-init.d-nftables-into-libexec-nftable.sh.patch,4.39 KB, patch)
2015-11-03 04:04 UTC, nvinson234
Updates /etc/init.d/nftables to use the new nftables.sh shell script (0002-Update-nftables.init-to-use-nftables.sh.patch,3.76 KB, patch)
2015-11-03 04:04 UTC, nvinson234
The new systemd unit files (0003-Create-systemd-unit-files.patch,2.30 KB, patch)
2015-11-03 04:07 UTC, nvinson234
nftables-0.5-r2.ebuild (0004-Update-ebuild-to-add-systemd-support.patch,2.07 KB, patch)
2015-11-03 04:07 UTC, nvinson234

Description Simon Siemonsma 2015-02-15 20:52:54 UTC
nftables 0.4 doesn't provide a systemd service file.

Reproducible: Always
Comment 1 Simon Siemonsma 2015-02-26 15:31:59 UTC
An example service file and some glue utility: https://github.com/devkid/nftables-systemd
A bug where it is requested to include this upstream: https://bugzilla.netfilter.org/show_bug.cgi?id=907
Comment 2 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2015-02-26 16:35:09 UTC
Nope, this doesn't fit. See how we're doing iptables -- there's separate iptables-store and iptables-restore. You aren't really supposed to 'start' and 'stop' something that isn't a daemon.

Besides, creating nftablesctl which is pretty much '/etc/init.d/nftables renamed' is a really bad idea. *ctl tools tend to give some configuration/control, not wrap init.d.

Lastly, I hate the complexity of the script. nftables should provide a simple way of storing and restoring all the rules, without the need to hardcode protocols or employ awk.
Comment 3 Vladimir Datsevich 2015-09-17 19:22:43 UTC
In most cases a 

nft list ruleset > saved_ruleset

should suffice in order to load the saved ruleset with

nft -f saved_ruleset

When some rules already exist, a

nft flush ruleset

or a

flush ruleset

in the file above before any rules may be needed.
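The save/flush/load sequence from this comment, written up as a store/restore pair in the spirit of the iptables-store and iptables-restore split mentioned in comment 2. This is an added example, not code from the bug or its attachments; the save path and the function names are assumptions.

```shell
#!/bin/sh
# Added example: nftables store/restore helpers (not from this bug's patches).
# NFT_SAVE is an assumed location; override it in the environment.

NFT=${NFT:-nft}
NFT_SAVE=${NFT_SAVE:-/var/lib/nftables/rules-save}

# Dump the running ruleset to $NFT_SAVE, prefixed with "flush ruleset" so a
# later restore replaces whatever is loaded instead of appending to it. The
# dump is written mode 0600 and renamed into place, so a half-written file
# never becomes the boot-time ruleset.
nft_store() {
    tmp="$NFT_SAVE.tmp.$$"
    ( umask 077
      { printf 'flush ruleset\n'; "$NFT" list ruleset; } > "$tmp" ) || {
        rm -f "$tmp"; return 1; }
    mv "$tmp" "$NFT_SAVE"
}

# Print a saved ruleset with "flush ruleset" guaranteed as its first
# statement. Files written by nft_store already carry it; a dump taken with a
# bare "nft list ruleset" does not, and loading that onto a live system would
# add every rule a second time.
nft_prepare_restore() {
    file=$1
    # first line that is neither blank nor a comment
    first=$(grep -v '^[[:space:]]*#' "$file" | grep -v '^[[:space:]]*$' | head -n 1)
    case "$first" in
        "flush ruleset"*) cat "$file" ;;
        *) printf 'flush ruleset\n'; cat "$file" ;;
    esac
}

# Load the saved ruleset. nft -f applies the whole file as one transaction,
# so a syntax error leaves the previous ruleset in place rather than a
# half-flushed firewall.
nft_restore() {
    [ -r "$NFT_SAVE" ] || { echo "no saved ruleset at $NFT_SAVE" >&2; return 1; }
    tmp=$(mktemp) || return 1
    nft_prepare_restore "$NFT_SAVE" > "$tmp" && "$NFT" -f "$tmp"
    rc=$?
    rm -f "$tmp"
    return $rc
}
```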
Comment 4 Ian Delaney (RETIRED) gentoo-dev 2015-11-01 12:52:36 UTC
It comes down to this: once you have a set of scripts that are effective at runtime, declare it here. Don't be overly concerned about expressions of hate of your scripts' level or complexity or style; that has only limited place in the overall scheme of generating working scripts. Personal preferences, particularly in the field of style, are highly arbitrary at the best of times.

Either submit working full scripts or diffs for the ebuild in the bug here, or supply a full git patch which can be cherry-picked from your repo, once you have a working final state.
Comment 5 nvinson234 2015-11-03 04:04:04 UTC
Created attachment 415972 [details, diff]
Refactor /etc/init.d/nftables into a proper shell script

Prep work for adding systemd unit files.  This change ensures that common functionality is easily accessible by both Systemd and OpenRC without having to maintain multiple copies.
Comment 6 nvinson234 2015-11-03 04:04:59 UTC
Created attachment 415974 [details, diff]
Updates /etc/init.d/nftables to use the new nftables.sh shell script
Comment 7 nvinson234 2015-11-03 04:07:01 UTC
Created attachment 415976 [details, diff]
The new systemd unit files

These are the new systemd unit files.  They're actually (very lightly) modified versions of the iptables systemd unit files.
Comment 8 nvinson234 2015-11-03 04:07:40 UTC
Created attachment 415978 [details, diff]
nftables-0.5-r2.ebuild
Comment 9 Ian Delaney (RETIRED) gentoo-dev 2015-11-03 07:34:32 UTC
commit 37bdeb0c57ba3978658d2b4373a5e2958f0ca5a6
Author: Nicholas Vinson <nvinson234@gmail.com>
Date:   Tue Nov 3 01:10:22 2015 -0500

    net-firewall/nftables: revbump to nftables-0.5-r2
    
    Required for supporting systemd
    

commit 82337cf9c4e23a9b0723916e65927bb3e48b685e
Author: Nicholas Vinson <nvinson234@gmail.com>
Date:   Tue Nov 3 01:07:43 2015 -0500

    net-firewall/nftables: Create systemd unit files
    

commit bbee7c12baa2b1d85c23f83f2ec18ac535179f43
Author: Nicholas Vinson <nvinson234@gmail.com>
Date:   Tue Nov 3 01:00:22 2015 -0500

    net-firewall/nftables: update nftables.init to use new libexec/nftables.sh
    

commit 191595ea91dcf927d53e4dcd6a8384cdd30267a7
Author: Nicholas Vinson <nvinson234@gmail.com>
Date:   Tue Nov 3 00:51:19 2015 -0500

    net-firewall/nftables: refactor init.d/nftables into libexec/nftable.sh