Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 634804 - net-firewall/nftables: systemd unit is retarded and does not follow the usual rules for systemd
Summary: net-firewall/nftables: systemd unit is retarded and does not follow the usual...
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Linux
Classification: Unclassified
Component: Current packages (show other bugs)
Hardware: All Linux
: Normal critical (vote)
Assignee: Gentoo's Team for Core System packages
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2017-10-19 17:41 UTC by Michał Górny
Modified: 2017-10-25 13:34 UTC (History)
3 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2017-10-19 17:41:24 UTC
* In order for the nftables-restore systemd service to start, 
 * the file, /var/lib/nftables/rules-save, must exist.  To create this 
 * file run the following command: 
 * 
 * 	touch '/var/lib/nftables/rules-save'
 * 
 * Afterwards, the nftables-restore service should be manually started 
 * to ensure firewall changes are stored on system shutdown.  The 
 * systemd service will function normally thereafter.


This is so retarded, it makes me angry to see it. This is *NOT* how we do systemd units, and it looks like some sick attempt to port OpenRC retardation into systemd world while making it look seemingly correct albeit completely retarded. Retarded, retarded, retarded, ARGV!

Now, seriously speaking:

1. Requiring user to take manual action to make a retarded unit file work is *unacceptable*.

2. Restore unit is *NOT* supposed to save stuff. That's why it's called 'restore'. The unit saving stuff is supposed to be separate and called -- wait for it... -- 'store'!

For comparison, see iptables.
Comment 1 Mike Gilbert gentoo-dev 2017-10-19 19:55:35 UTC
It looks like this package was proxy maintained for a while, and this systemd setup probably originates from that.

I agree that it would be ideal to have iptables and nftables work more similarly.
Comment 2 Matthew Thode ( prometheanfire ) archtester Gentoo Infrastructure gentoo-dev Security 2017-10-25 13:34:25 UTC
fixed via touching the file if it doesn't exist in pkg_postinst