Hello community,

here is the log from the commit of package nftables for openSUSE:Factory 
checked in at 2025-03-06 14:47:56
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/nftables (Old)
 and      /work/SRC/openSUSE:Factory/.nftables.new.19136 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "nftables"

Thu Mar  6 14:47:56 2025 rev:36 rq:1249988 version:1.1.1

Changes:
--------
--- /work/SRC/openSUSE:Factory/nftables/nftables.changes        2024-11-03 
07:17:39.880084944 +0100
+++ /work/SRC/openSUSE:Factory/.nftables.new.19136/nftables.changes     
2025-03-06 14:47:58.203530702 +0100
@@ -1,0 +2,6 @@
+Tue Mar  4 08:01:21 UTC 2025 - Jan Engelhardt <jeng...@inai.de>
+
+- Add 0001-tools-add-a-systemd-unit-for-static-rulesets.patch
+  [boo#1237277]
+
+-------------------------------------------------------------------

New:
----
  0001-tools-add-a-systemd-unit-for-static-rulesets.patch


++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ nftables.spec ++++++
--- /var/tmp/diff_new_pack.61MXJN/_old  2025-03-06 14:47:58.971562910 +0100
+++ /var/tmp/diff_new_pack.61MXJN/_new  2025-03-06 14:47:58.975563078 +0100
@@ -1,7 +1,7 @@
 #
 # spec file for package nftables
 #
-# Copyright (c) 2024 SUSE LLC
+# Copyright (c) 2025 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -33,6 +33,7 @@
 Source2:        http://ftp.netfilter.org/pub/%name/%name-%version.tar.xz.sig
 Source3:        %name.keyring
 Source4:        nftables.rpmlintrc
+Patch1:         0001-tools-add-a-systemd-unit-for-static-rulesets.patch
 BuildRequires:  %{python_module pip}
 BuildRequires:  %{python_module setuptools}
 BuildRequires:  %{python_module wheel}
@@ -102,37 +103,51 @@
 ln -s "%_bindir/docbook-to-man" bin/docbook2x-man
 export PATH="$PATH:$PWD/bin"
 mkdir obj
-pushd obj/
+cd obj/
 %define _configure ../configure
 %configure --disable-silent-rules --disable-static --docdir="%_docdir/%name" \
        --includedir="%_includedir/%name" --with-json \
        --enable-python --with-python-bin="$(which python3)"
 %make_build
-popd
-pushd py
+cd -
+cd py
 %pyproject_wheel
-popd
+cd -
 
 %install
 b="%buildroot"
 %make_install -C obj
-pushd py
+perl -i -lpe 's{^(Conflicts=.*)}{$1 firewalld.service}' 
"$b/%_unitdir/nftables.service"
+cd py
 %pyproject_install
 %python_expand %fdupes %buildroot/%{$python_sitelib}
-popd
 rm -f "%buildroot/%_libdir"/*.la
 mkdir -p "$b/%_docdir/%name/examples"
 mv -v "$b/%_datadir/nftables"/*.nft "$b/%_docdir/%name/examples/"
 
 %ldconfig_scriptlets -n libnftables1
 
+%pre
+%service_add_pre nftables.service
+
+%post
+%service_add_post nftables.service
+
+%preun
+%service_del_preun nftables.service
+
+%postun
+%service_del_postun nftables.service
+
 %files
 %license COPYING
-%_sysconfdir/nftables/
+%dir %_sysconfdir/nftables/
+%_sysconfdir/nftables/osf/
 %_sbindir/nft
 %_mandir/man5/*.5*
 %_mandir/man8/nft*
 %_docdir/%name/
+%_unitdir/nftables.service
 
 %files -n libnftables1
 %_libdir/libnftables.so.1*
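Review bot: The perl substitution in %install appends firewalld.service only if a line starting with Conflicts= is present, and it exits 0 when nothing matches, so a future change to the unit's Conflicts= line would silently drop the firewalld conflict from the package. Follow it with a check such as `grep -q '^Conflicts=.*firewalld\.service' "$b/%_unitdir/nftables.service"` so the build fails instead. Separately, %install now does `cd py` without returning; the commands after it use absolute paths, but a short comment would keep a later relative path from breaking.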

++++++ 0001-tools-add-a-systemd-unit-for-static-rulesets.patch ++++++
>From f08b34c9cba43879259c0b095c50efd3e6e66250 Mon Sep 17 00:00:00 2001
From: Jan Engelhardt <jeng...@inai.de>
Date: Fri, 28 Feb 2025 19:45:01 +0100
Subject: [PATCH] tools: add a systemd unit for static rulesets
References: 
https://lore.kernel.org/netfilter-devel/20250228205935.59659-1-jeng...@inai.de/T/#u
 (v1)
Notes-v2: the Documentation= line needed a "man:" infix

There is a customer request (bugreport) for wanting to trivially load a ruleset
from a well-known location on boot, forwarded to me by M. Gerstner. A systemd
service unit is hereby added to provide that functionality. This is based on
various distributions attempting to do same, cf.

https://src.fedoraproject.org/rpms/nftables/tree/rawhide
https://gitlab.alpinelinux.org/alpine/aports/-/blob/master/main/nftables/nftables.initd
https://gitlab.archlinux.org/archlinux/packaging/packages/nftables

Cc: Matthias Gerstner <matthias.gerst...@suse.com>
---
 .gitignore                |  1 +
 Makefile.am               | 16 ++++++++++++----
 configure.ac              | 10 ++++++++++
 files/nftables/main.nft   | 24 ++++++++++++++++++++++++
 tools/nftables.service.8  | 18 ++++++++++++++++++
 tools/nftables.service.in | 21 +++++++++++++++++++++
 6 files changed, 86 insertions(+), 4 deletions(-)
 create mode 100644 files/nftables/main.nft
 create mode 100644 tools/nftables.service.8
 create mode 100644 tools/nftables.service.in

diff --git a/Makefile.am b/Makefile.am
index fb64105d..050991f4 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -375,18 +375,19 @@ dist_pkgdata_DATA = \
        files/nftables/netdev-ingress.nft \
        $(NULL)
 
-pkgdocdir = ${docdir}/examples
+exampledir = ${docdir}/examples
 
-dist_pkgdoc_SCRIPTS = \
+dist_example_SCRIPTS = \
        files/examples/ct_helpers.nft \
        files/examples/load_balancing.nft \
        files/examples/secmark.nft \
        files/examples/sets_and_maps.nft \
        $(NULL)
 
-pkgsysconfdir = ${sysconfdir}/nftables/osf
+pkgsysconfdir = ${sysconfdir}/${PACKAGE}
+osfdir = ${pkgsysconfdir}/osf
 
-dist_pkgsysconf_DATA = \
+dist_osf_DATA = \
        files/osf/pf.os \
        $(NULL)
 
@@ -410,3 +411,10 @@ EXTRA_DIST += \
 
 pkgconfigdir = $(libdir)/pkgconfig
 pkgconfig_DATA = libnftables.pc
+unit_DATA = tools/nftables.service
+man_MANS = tools/nftables.service.8
+doc_DATA = files/nftables/main.nft
+
+tools/nftables.service: tools/nftables.service.in ${top_builddir}/config.status
+       ${AM_V_GEN}${MKDIR_P} tools
+       ${AM_V_at}sed -e 
's|@''sbindir''@|${sbindir}|g;s|@''pkgsysconfdir''@|${pkgsysconfdir}|g' 
<${srcdir}/tools/nftables.service.in >$@
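Review bot: In these lines, man_MANS and doc_DATA carry no dist_ prefix and tools/nftables.service.in is not added to EXTRA_DIST, so unless they are listed elsewhere a `make dist` tarball will lack tools/nftables.service.8, files/nftables/main.nft and the unit template. Use dist_man_MANS / dist_doc_DATA and add the .in file to EXTRA_DIST. The generated tools/nftables.service should also go into CLEANFILES so `make clean` removes it.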
diff --git a/configure.ac b/configure.ac
index 80a64813..64a164e5 100644
--- a/configure.ac
+++ b/configure.ac
@@ -114,6 +114,16 @@ AC_CHECK_DECLS([getprotobyname_r, getprotobynumber_r, 
getservbyport_r], [], [],
 #include <netdb.h>
 ]])
 
+AC_ARG_WITH([unitdir],
+       [AS_HELP_STRING([--with-unitdir=PATH], [Path to systemd service unit 
directory])],
+       [unitdir="$withval"],
+       [
+               unitdir=$("$PKG_CONFIG" systemd --variable systemdsystemunitdir 
2>/dev/null)
+               AS_IF([test -z "$unitdir"], 
[unitdir='${prefix}/lib/systemd/system'])
+       ])
+AC_SUBST([unitdir])
+
+
 AC_CONFIG_FILES([                                      \
                Makefile                                \
                libnftables.pc                          \
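Review bot: The default taken from `"$PKG_CONFIG" systemd --variable systemdsystemunitdir` is an absolute path that ignores --prefix, so an unprivileged `make install` into a custom prefix (and `make distcheck`) will try to write into the system unit directory. Either document that such builds must pass --with-unitdir, or set it in AM_DISTCHECK_CONFIGURE_FLAGS. The code also assumes $PKG_CONFIG was set earlier in configure.ac; if it is empty, the error is hidden by 2>/dev/null and only the fallback makes this work.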
diff --git a/files/nftables/main.nft b/files/nftables/main.nft
new file mode 100644
index 00000000..8e62f9bc
--- /dev/null
+++ b/files/nftables/main.nft
@@ -0,0 +1,24 @@
+#!/usr/sbin/nft -f
+
+# template static firewall configuration file
+#
+# copy this over to /etc/nftables/rules/main.nft as a starting point for
+# configuring a rule set which will be loaded by nftables.service.
+
+flush ruleset
+
+table inet filter {
+       chain input {
+               type filter hook input priority filter;
+       }
+       chain forward {
+               type filter hook forward priority filter;
+       }
+       chain output {
+               type filter hook output priority filter;
+       }
+}
+
+# this can be used to split the rule set into multiple smaller files concerned
+# with specific topics, like forwarding rules
+#include "/etc/nftables/rules/forwarding.nft"
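Review bot: The three chains in the template declare no policy and contain no rules, so a host that copies this file unchanged and enables the service accepts all traffic, while `flush ruleset` at the top has already removed whatever rules were loaded before. Say so in the header comment (for example "the chains below are empty and accept everything until rules are added") so the template is not mistaken for a working firewall. The shebang and the /etc/nftables/rules paths are also hard-coded, whereas the unit uses @sbindir@ and @pkgsysconfdir@.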
diff --git a/tools/nftables.service.8 b/tools/nftables.service.8
new file mode 100644
index 00000000..4a83b01c
--- /dev/null
+++ b/tools/nftables.service.8
@@ -0,0 +1,18 @@
+.TH nftables.service 8 "" "nftables" "nftables admin reference"
+.SH Name
+nftables.service \(em Static Firewall Configuration with nftables.service
+.SH Description
+An nftables systemd service is provided which allows to setup static firewall
+rulesets based on a configuration file.
+.PP
+To use this service, you need to create the main configuration file in
+/etc/nftables/rules/main.nft. A template for this can be copied from
+/usr/share/doc/nftables/main.nft. The static firewall configuration can be
+split up into multiple files which are included from the main.nft
+configuration file.
+.PP
+Once the desired static firewall configuration is in place, it can be tested by
+running `systemctl start nftables.service`. To enable the service at boot time,
+run `systemctl enable nftables.service`.
+.SH See also
+\fBnft\fP(8)
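Review bot: The Description hard-codes /etc/nftables/rules/main.nft and /usr/share/doc/nftables/main.nft, but the unit is generated from @pkgsysconfdir@ and the template is installed through doc_DATA into ${docdir}, so the page is wrong for any build with a different sysconfdir or docdir. Generate the man page from a .in file with the same sed substitution, or word the paths as defaults. The page should also state that stopping the service runs `nft flush ruleset`, since that affects more than the rules this service loaded.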
diff --git a/tools/nftables.service.in b/tools/nftables.service.in
new file mode 100644
index 00000000..f2f07126
--- /dev/null
+++ b/tools/nftables.service.in
@@ -0,0 +1,21 @@
+[Unit]
+Description=nftables static rule set
+Documentation=man:nftables.service(8)
+Wants=network-pre.target
+Before=network-pre.target shutdown.target
+Conflicts=shutdown.target
+DefaultDependencies=no
+ConditionPathExists=@pkgsysconfdir@/rules/main.nft
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+StandardInput=null
+ProtectSystem=full
+ProtectHome=true
+ExecStart=@sbindir@/nft -f @pkgsysconfdir@/rules/main.nft
+ExecReload=@sbindir@/nft -f @pkgsysconfdir@/rules/main.nft
+ExecStop=@sbindir@/nft flush ruleset
+
+[Install]
+WantedBy=sysinit.target
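Review bot: ExecStop=@sbindir@/nft flush ruleset removes every table in the kernel, not only those loaded from main.nft, so `systemctl stop` (or a start of any unit listed in Conflicts=) leaves the host unfiltered and also wipes rules owned by other tools. Document that behaviour next to the unit, or have the stop action delete only the tables this service manages. ExecReload likewise replaces the ruleset cleanly only when main.nft itself begins with `flush ruleset`, as the template does; a note in the man page would prevent duplicated tables or chains on reload when an admin drops that line.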
-- 
2.48.1


++++++ _scmsync.obsinfo ++++++
--- /var/tmp/diff_new_pack.61MXJN/_old  2025-03-06 14:47:59.031565426 +0100
+++ /var/tmp/diff_new_pack.61MXJN/_new  2025-03-06 14:47:59.035565594 +0100
@@ -1,5 +1,5 @@
-mtime: 1727939012
-commit: 554c6b6a3ce96010af8c533855d96945c8fd8d9fff4d3cbf12956b82a08de423
+mtime: 1741076198
+commit: ee8a28dc131845f920b4df0dd83d58a91668d26f3166c5d998ca68c64fa7d748
 url: https://src.opensuse.org/jengelh/nftables
 revision: master
 

++++++ build.specials.obscpio ++++++
diff: old/*: No such file or directory
diff: new/*: No such file or directory
