| Summary: | net-firewall/nftables doesn't provide systemd service file | ||
|---|---|---|---|
| Product: | Gentoo Linux | Reporter: | Simon Siemonsma <simon> |
| Component: | [OLD] Core system | Assignee: | nvinson234 |
| Status: | RESOLVED TEST-REQUEST | ||
| Severity: | normal | CC: | base-system, proxy-maint, systemd |
| Priority: | Normal | Keywords: | NeedPatch |
| Version: | unspecified | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Package list: | Runtime testing required: | --- | |
| Bug Depends on: | |||
| Bug Blocks: | 448882 | ||
| Attachments: |
Refactor /etc/init.d/nftables into a proper shell script
Updates /etc/init.d/nftables to use the new nftables.sh shell script The new systemd unit files nftables-0.5-r2.ebuild |
||
|
Description
Simon Siemonsma
2015-02-15 20:52:54 UTC
An example service file and some glue utility: https://github.com/devkid/nftables-systemd A bug where it is requested to include this upstream: https://bugzilla.netfilter.org/show_bug.cgi?id=907 Nope, this doesn't fit. See how we're doing iptables -- there's separate iptables-store and iptables-restore. You aren't really supposed to 'start' and 'stop' something that isn't a daemon. Besides, creating nftablesctl which is pretty much '/etc/init.d/nftables renamed' is a really bad idea. *ctl tools tend to give some configuration/control, not wrap init.d. Lastly, I hate the complexity of the script. nftables should provide a simple way of storing and restoring all the rules, without the need to hardcode protocols or employ awk. In most cases a nft list ruleset > saved_ruleset should suffice in order to load the saved ruleset with nft -f saved_ruleset When some rules already exist, a nft flush ruleset or a flush ruleset in the file above before any rules maybe needed. It comes down to this; Once you have a set of scripts that are effective at runtime, declare it here. Don't be overly concerned about expressions of hate of your scripts' level or complexity or style, that has inly limited place in the overall scheme of generating working scripts. Personal preferences particularly in the field of style is highly arbitrary at the best of times. Either submit working full scripts of diffs for the ebuild in the bug here, or supply a full git patch which can be cherry picked from your repo, once you have a working final state. Created attachment 415972 [details, diff]
Refactor /etc/init.d/nftables into a proper shell script
Prep work for adding systemd unit files. This change ensures that common functionality is easily accessible by both Systemd and OpenRC without having to maintain multiple copies.
Created attachment 415974 [details, diff]
Updates /etc/init.d/nftables to use the new nftables.sh shell script
Created attachment 415976 [details, diff]
The new systemd unit files
These are the new systemd unit files. They're actually (very lightly) modified versions of the iptables systemd unit files.
Created attachment 415978 [details, diff]
nftables-0.5-r2.ebuild
commit 37bdeb0c57ba3978658d2b4373a5e2958f0ca5a6 Author: Nicholas Vinson <nvinson234@gmail.com> Date: Tue Nov 3 01:10:22 2015 -0500 net-firewall/nftables: revbump to nftables-0.5-r2 Required for supporting systemd commit 82337cf9c4e23a9b0723916e65927bb3e48b685e Author: Nicholas Vinson <nvinson234@gmail.com> Date: Tue Nov 3 01:07:43 2015 -0500 net-firewall/nftables: Create systemd unit files commit bbee7c12baa2b1d85c23f83f2ec18ac535179f43 Author: Nicholas Vinson <nvinson234@gmail.com> Date: Tue Nov 3 01:00:22 2015 -0500 net-firewall/nftables: update nftables.init to use new libexec/nftables.sh commit 191595ea91dcf927d53e4dcd6a8384cdd30267a7 Author: Nicholas Vinson <nvinson234@gmail.com> Date: Tue Nov 3 00:51:19 2015 -0500 net-firewall/nftables: refactor init.d/nftables into libexec/nftable.sh |
