Package: nftables
Version: 1.1.3-1
Severity: wishlist

Dear Maintainer,

nftables simplifies the co-existence of multiple Debian packages
providing their own firewall configuration snippets.
Previously (with iptables) multiple sources of firewall rules needed
some kind of coordination for injecting their rules into "INPUT"
(or other chains) in a suitable order.
Now all sources of firewall rules may simply create their own custom
chains with the "type filter hook input" along with their desired
priority.

The only missing piece in this puzzle is the current absence of a
pre-configured location for firewall configuration files.

I suggest the following changes to the nftables package:
- add the following line to the end of /etc/nftables.conf:
    include "/etc/nftables.d/*.conf"
- ship the file /etc/nftables.d/README describing the handling of
  "*.conf" files in this directory

This would allow packages like fail2ban or docker.io to provide their
firewall configuration snippets in a known location.

In addition, it would allow automation (e.g. ansible) to place local
firewall configurations in an existing directory without requiring the
modification of /etc/nftables.conf.
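As an added illustration (not part of the report or of the Debian package), the two pieces of the proposal side by side: a minimal /etc/nftables.conf ending in the suggested include line, followed by a constructed drop-in file whose name (/etc/nftables.d/50-example-service.conf), table name and set contents are hypothetical. The drop-in attaches its own base chain to the input hook with an earlier priority instead of editing the chains in the main file.

```nft
# --- /etc/nftables.conf: minimal ruleset with the proposed include appended ---
flush ruleset

table inet filter {
	chain input {
		type filter hook input priority filter; policy accept;
	}
	chain forward {
		type filter hook forward priority filter; policy accept;
	}
	chain output {
		type filter hook output priority filter; policy accept;
	}
}

# Proposed addition: each matching file is parsed as if its text stood here.
include "/etc/nftables.d/*.conf"

# --- /etc/nftables.d/50-example-service.conf: constructed drop-in example ---
# A table of its own, so the snippet never has to touch "table inet filter".
table inet example_service {
	set banned {
		type ipv4_addr
		flags interval
		# Constructed sample entry; a daemon such as fail2ban would instead
		# add and remove elements of this set at runtime.
		elements = { 192.0.2.0/24 }
	}
	chain input {
		# Base chains on the same hook run in ascending priority order, so
		# -10 is evaluated before the "filter" (0) chain above. A drop here
		# ends processing of the packet; an accept only ends this chain, and
		# the remaining input chains still see the packet.
		type filter hook input priority -10; policy accept;
		ip saddr @banned tcp dport 22 counter drop
	}
}
```

`nft -c -f /etc/nftables.conf` parses the main file and every included snippet without loading them, which is a cheap way to catch a broken drop-in before a reboot or `systemctl restart nftables` would.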

The same style of configuration interface is used by many other Debian
packages:
- /etc/apache2/sites-enabled/
- /etc/apparmor.d/
- /etc/apt/apt.conf.d
- /etc/cron.d
- /etc/ferm/ferm.d/
- /etc/grub.d
- /etc/ssh/sshd_config.d
- /etc/sudoers.d

(and many more)

Thank you for your time!

Cheers,
Lars
