Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 676290

Summary: net-firewall/nftables force-ably enables nftables-restore.service
Product: Gentoo Linux Reporter: Mike Gilbert <floppym>
Component: Current packagesAssignee: Gentoo's Team for Core System packages <base-system>
Status: RESOLVED FIXED    
Severity: normal CC: klondike, prometheanfire, systemd
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
Whiteboard:
Package list:
Runtime testing required: ---

Description Mike Gilbert gentoo-dev 2019-01-26 17:22:54 UTC 
Every time I boot, I get this error:

nftables.sh[633]: /dev/stdin:1:1-14: Error: Could not process rule: Operation not supported
systemd[1]: nftables-restore.service: Main process exited, code=exited, status=1/FAILURE
systemd[1]: nftables-restore.service: Failed with result 'exit-code'.
systemd[1]: Failed to start Store and restore nftables firewall rules.

I never enabled nftables-restore.service, so it should not be running in the first place.

The ebuild does this:

> systemd_enable_service basic.target ${PN}-restore.service

This creates a symlink in /lib/systemd/system/basic.target.wants/. It is not possible for the sysadmin to disable this unless they mask the unit.

This systemd_enable_service call should be removed from the nftables ebuild. Possibly a pkg_postinst message or a news item should be created to warn users to enable the service themselves.

In fact, the function should be removed from the eclass altogether; I can't think of an appropriate use for it.
Comment 1 Francisco Blas Izquierdo Riera (RETIRED) gentoo-dev 2019-01-28 15:05:34 UTC 
To be sincere systemd is way out of my paygrade and that call was there when I first wrote the modern kernel patchset. Maybe prometheanfire knows why is it there.
Comment 2 Matthew Thode ( prometheanfire ) archtester Gentoo Infrastructure gentoo-dev Security 2019-01-28 15:24:39 UTC 
Ya, I'm not sure why.  predates me.  Fixed though.
Comment 3 Larry the Git Cow gentoo-dev 2019-01-28 15:24:57 UTC 
The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=1b4128863073b653d7060c4c12559d8c6061abcf

commit 1b4128863073b653d7060c4c12559d8c6061abcf
Author:     Matthew Thode <prometheanfire@gentoo.org>
AuthorDate: 2019-01-28 15:24:06 +0000
Commit:     Matthew Thode <prometheanfire@gentoo.org>
CommitDate: 2019-01-28 15:24:11 +0000

    net-firewall/nftables: don't enable service by default
    
    Fixes: https://bugs.gentoo.org/676290
    
    Package-Manager: Portage-2.3.51, Repoman-2.3.12
    Signed-off-by: Matthew Thode <prometheanfire@gentoo.org>

 net-firewall/nftables/nftables-0.9.0-r4.ebuild | 97 ++++++++++++++++++++++++++
 1 file changed, 97 insertions(+)