I use Gentoo with the OpenRC init system. While analyzing the net-firewall/nftables-0.8-r3 files I've found that it installs its core skel files in the /etc directory:
/etc/nftables/bridge-filter
/etc/nftables/arp-filter
/etc/nftables/inet-filter
/etc/nftables/ipv6-mangle
/etc/nftables/ipv6-filter
/etc/nftables/ipv6-raw
/etc/nftables/ipv6-nat
/etc/nftables/ipv4-raw
/etc/nftables/ipv4-nat
/etc/nftables/ipv4-mangle
/etc/nftables/ipv4-filter
In other, systemd-default distros, these proper examples are expected to be extended into a real rule-set to be used by a systemd unit to manage rules. But in Gentoo, rules are saved automatically into the NFTABLES_SAVE directory, configured in /etc/conf.d/nftables. So I think it would be better to move these normally unused skels to a more relevant destination, like the /usr/share/doc/nftables-0.8-r3/skels/ directory.
The bug has been closed via the following commit(s):
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=0ce0b829e5b2cb3439e9f82be9e2ea62e5b6f7bc

commit 0ce0b829e5b2cb3439e9f82be9e2ea62e5b6f7bc
Author:     Matthew Thode <prometheanfire@gentoo.org>
AuthorDate: 2018-11-19 18:35:18 +0000
Commit:     Matthew Thode <prometheanfire@gentoo.org>
CommitDate: 2018-11-19 18:35:35 +0000

    net-firewall/nftables: move nft skels to doc

    Closes: https://bugs.gentoo.org/671254
    Package-Manager: Portage-2.3.51, Repoman-2.3.12
    Signed-off-by: Matthew Thode <prometheanfire@gentoo.org>

 net-firewall/nftables/nftables-0.9.0-r1.ebuild | 89 ++++++++++++++++++++++++++
 1 file changed, 89 insertions(+)
I tried to update nftables today. As a result of this "fix" from your side I wasted a lot of time figuring out where the source of the new problem was. I was updating nftables from 0.8.5 to the latest 0.9.2-r1 version. I have a script which updates rules, and it is dependent on the default rules which are usually inside the /etc/nftables path; they were there for a long time before your intervention. The script stopped working as a result of your "fix":

# bash nft.sh
internal:0:0-0: Error: Could not open file "/etc/nftables/ipv4-filter.nft": No such file or directory
internal:0:0-0: Error: Could not open file "/etc/nftables/ipv4-nat.nft": No such file or directory
internal:0:0-0: Error: Could not open file "/etc/nftables/ipv6-filter.nft": No such file or directory
Error: Could not process rule: No such file or directory
...

And a lot of other errors there. I thought that it was the developers of nftables who had changed something and had to lose time searching in their codebase. Nope. Then I started to analyze Gentoo bugs one by one and found this bug eventually! What a smart guy you are, thank you very much! You moved default rulesets inside docs. Have you thought about how to use them there? I tried to change strings like this one

${nft} -f /etc/nftables/ipv4-filter.nft;

into this one:

${nft} -f - $(bzcat /usr/share/doc/nftables-0.9.2-r1/ipv4-filter.nft.bz2);

But it still didn't help me:

bash nft.sh
/sbin/nft: invalid option -- '1'
Error: Could not process rule: No such file or directory
...

A LOT of errors there. And how am I supposed to USE the default rules from inside docs? Should I change scripts every time as a user from one version, nftables-0.9.2-r1, to another, nftables-0.9.2-r2? No, I decided that this is a user nightmare and fixed it in the ebuild. Here is my overlay with the fix of your "fix" by reverting the invalid changes inside Makefile.am: https://github.com/cerebrum/dr/blob/master/net-firewall/nftables/nftables-0.9.2-r2.ebuild#L65 It may help other users too.
REVERT THIS "UNUSED" "FIX" BACK!!! AND NEXT TIME THINK TWICE ABOUT A USER BEFORE MAKING SUCH DESTRUCTIVE CHANGES! Thank you.
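The `${nft} -f - $(bzcat ...)` form in the comment above fails because the shell word-splits the decompressed rule text into separate arguments, so nft parses the rule text as command-line options instead of reading a file; feeding the text to `nft -f -` on stdin avoids that. The following helper is an added example, not code from the bug thread or from the Gentoo ebuild; the `NFT` and `RULESET_DIRS` variables, the `find_ruleset` and `load_ruleset` names, and the `/usr/share/doc/nftables-*/skels` search path are assumptions.

```sh
#!/bin/sh
# Locate and load nftables ruleset files that may live in /etc/nftables (plain)
# or in a versioned doc directory (bzip2-compressed), without expanding their
# contents into argv. Assumed defaults; override NFT / RULESET_DIRS as needed.
NFT="${NFT:-/sbin/nft}"
# Glob is expanded at lookup time, so the doc path survives version bumps.
RULESET_DIRS="${RULESET_DIRS:-/etc/nftables /usr/share/doc/nftables-*/skels}"

# find_ruleset NAME: print the first readable NAME.nft or NAME.nft.bz2 found
# in RULESET_DIRS; return 1 if none exists.
find_ruleset() {
    name="$1"
    for dir in $RULESET_DIRS; do        # unquoted on purpose: expand the glob
        for cand in "$dir/$name.nft" "$dir/$name.nft.bz2"; do
            if [ -r "$cand" ]; then
                printf '%s\n' "$cand"
                return 0
            fi
        done
    done
    return 1
}

# load_ruleset PATH: stream the (possibly compressed) ruleset into nft's stdin.
# Returns 2 if PATH is unreadable, otherwise nft's own exit status.
load_ruleset() {
    path="$1"
    if [ ! -r "$path" ]; then
        printf 'load_ruleset: cannot read %s\n' "$path" >&2
        return 2
    fi
    case "$path" in
        *.bz2) bzcat "$path" | "$NFT" -f - ;;   # decompress straight to stdin
        *)     "$NFT" -f - < "$path" ;;          # plain file on stdin
    esac
}

# Usage: nft-load.sh NAME...   e.g.  nft-load.sh ipv4-filter ipv4-nat ipv6-filter
for name in "$@"; do
    file=$(find_ruleset "$name") || { printf 'no ruleset for %s\n' "$name" >&2; exit 1; }
    load_ruleset "$file" || exit 1
done
```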
The bug has been referenced in the following commit(s):
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=30b3fa9d29308ecbd09b30a8357adeeb2768ca22

commit 30b3fa9d29308ecbd09b30a8357adeeb2768ca22
Author:     Francisco Blas (klondike) Izquierdo Riera <klondike@gentoo.org>
AuthorDate: 2019-12-03 01:36:40 +0000
Commit:     Matthew Thode <prometheanfire@gentoo.org>
CommitDate: 2019-12-03 16:10:21 +0000

    net-firewall/nftables: Move skel files

    Currently the ebuild installs the skeleton files directly into the
    ebuild's doc directory. In 0.9.0-r5 the intention was installing them
    into a skels folder (although this was not done correctly).

    Replace the sed rules so that the skeleton files are installed into the
    skel folder. This will be cleaner if for some reason nftables adds
    further documentation in the future. It is also easier to perform this
    change now than once we stabilize.

    Bug: https://bugs.gentoo.org/671254
    Signed-off-by: Francisco Blas Izquierdo Riera (klondike) <klondike@gentoo.org>
    Package-Manager: Portage-2.3.76, Repoman-2.3.11
    Signed-off-by: Matthew Thode <prometheanfire@gentoo.org>

 net-firewall/nftables/nftables-0.9.0-r6.ebuild    | 103 +++++++++++++++++++++
 ...es-0.9.1-r1.ebuild => nftables-0.9.1-r2.ebuild} |   4 +-
 ...es-0.9.2-r1.ebuild => nftables-0.9.2-r2.ebuild} |   4 +-
 3 files changed, 107 insertions(+), 4 deletions(-)
These are not doc files. They are default rulesets. Get lost with your useless changes, please. Thank you.
For those who need default rulesets to work: https://github.com/cerebrum/dr/commit/6db519f6a4074c631db1b1e3c69f135529831f62#diff-fbb119691455ac68a1d4f60d50c2ae57
(In reply to diamond from comment #4)
> These are not doc files. They are default rulesets. Get lost with your useless
> changes, please. Thank you.

Could you show me how I can use these «default rulesets» in a Gentoo default (OpenRC init system) installation?

P.S. I know how it is expected to work in an upstream-default environment.
https://wiki.gentoo.org/wiki/Nftables#Management
https://wiki.gentoo.org/wiki/Nftables/Examples#Stateful_router_example

${nft} -f /etc/nftables/ipv4-filter.nft;
${nft} -f /etc/nftables/ipv4-nat.nft;
${nft} -f /etc/nftables/ipv6-filter.nft;

I use OpenRC without any systemd stuff.