File README.md of Package nftables-service
# nftables unit files
We currently ship two unit files to set up nftables rules with:
## nftables-early.service
This service will be run before any network is started. The service will
try to load "/etc/nftables-early.conf" if it exists and will fall back to
"/etc/nftables.conf".
You want to use "/etc/nftables-early.conf" if you need firewall rules
up before all interfaces are available, especially for things like VPN
interfaces, which themselves depend on basic networking. So create a basic
firewall ruleset here which allows connecting to your VPN and maybe SSH,
and switch down to the full firewall in nftables.service.
If you use iifname/oifname rules in "/etc/nftables.conf" for interfaces
that do not exist yet, loading the rules will fail.
The nftables-early.service has no stop or reload action. After the boot
you always want to use nftables.service.
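A minimal early ruleset of the kind described above, together with a check for the iifname/oifname pitfall, as an added example that is not part of this package; the table name and the WireGuard port 51820 are constructed sample values, and the lint only looks for interface-name matches rather than validating the whole file:

```shell
#!/bin/sh
# Added example, not shipped with nftables-service: write a sample early
# ruleset that only matches on ports (no interface names, since VPN
# interfaces do not exist yet at this point), and lint a candidate
# /etc/nftables-early.conf for iifname/oifname references, which the README
# says will make the early load fail when the interface is not there yet.

# write_early_ruleset FILE: write the sample ruleset to FILE.
write_early_ruleset() {
    cat > "$1" <<'EOF'
flush ruleset
table inet early {
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop
        iif lo accept
        # SSH and the VPN listen port (sample value 51820); match on ports
        # only, so the rules load before tun/wg interfaces exist.
        tcp dport 22 accept
        udp dport 51820 accept
        icmp type echo-request accept
        icmpv6 type { echo-request, nd-neighbor-solicit, nd-neighbor-advert, nd-router-advert } accept
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
    }
}
EOF
}

# check_early_conf FILE: return 1 (and print the offending file on stderr)
# if FILE uses iifname/oifname outside of comment lines, otherwise return 0.
check_early_conf() {
    if grep -v '^[[:space:]]*#' "$1" \
        | grep -Eq '(^|[[:space:]])[io]ifname([[:space:]]|$)'; then
        echo "$1: iifname/oifname used; interface may not exist at early boot" >&2
        return 1
    fi
    return 0
}
```

If nft is installed, `nft -c -f /etc/nftables-early.conf` additionally checks the file's syntax without loading it.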
## nftables.service
This service will load "/etc/nftables.conf". It will be started after
systemd's network.target, openvpn.target and wg-quick.target. If you
have other services that provide network connections after the basic
network is up and you want nftables to wait for them, please use:

`systemctl edit nftables.service`

and add:
```
[Unit]
After=yourvpn.service
```
Please use this service after system startup.
## nftables auto support
If you want to preserve the current ruleset on shutdown, e.g. because you are
filling named sets from tools like fail2ban, then you can create
/var/lib/nftables/auto.conf.
The start and reload actions will prefer this file if the file is not empty.
The stop action of the service will save the current ruleset to the file if
it is non-empty.