--- nftables-early-service.orig
+++ nftables-early-service
@@ -3,16 +3,19 @@
NFTABLES_CONFIG="/etc/nftables.conf"
NFTABLES_EARLY_CONFIG="/etc/nftables-early.conf"
+echo "Checking if an early loading configuration '${NFTABLES_EARLY_CONFIG}' exists"
if [ -e "${NFTABLES_EARLY_CONFIG}" ] ; then
- NFTABLES_CONFIG="${NFTABLES_EARLY_CONFIG}"
+ NFTABLES_CONFIG="${NFTABLES_EARLY_CONFIG}"
fi
echo "Interfaces which are set up already: "
/usr/sbin/ip --brief link show
+echo "Checking '${NFTABLES_USE_CONFIG}' for correctness"
if /usr/sbin/nft --check --file "${NFTABLES_CONFIG}" ; then
- echo "Loading '${NFTABLES_CONFIG}'"
- /usr/sbin/nft --file "${NFTABLES_CONFIG}"
+ echo "Loading '${NFTABLES_CONFIG}'"
+ /usr/sbin/nft --file "${NFTABLES_CONFIG}"
else
- echo "nft --check for '${NFTABLES_CONFIG}' failed. Not loading the config."
+ echo "nft --check for '${NFTABLES_CONFIG}' failed. Not loading the config."
+ exit 1
fi
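Review bot: The new log line `echo "Checking '${NFTABLES_USE_CONFIG}' for correctness"` references a variable this script never assigns — only `NFTABLES_CONFIG` and `NFTABLES_EARLY_CONFIG` are set (L5-L10), and `NFTABLES_USE_CONFIG` exists only in the sibling nftables-service script — so the message prints an empty name, which defeats the stated purpose of the 1.5.1 change (finding out which file hangs while loading). It should read `echo "Checking '${NFTABLES_CONFIG}' for correctness"` to match the `nft --check` call on the next line. The first two lines of the script are outside the hunk; if they do not already enable `set -u`, adding it there would have turned this copy-paste slip into a hard error instead of a silent blank.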
--- nftables-early.service.orig
+++ nftables-early.service
@@ -5,6 +5,8 @@ Wants=network-pre.target systemd-udev-se
After=systemd-udev-settle.service
Before=network-pre.target shutdown.target
Conflicts=shutdown.target
+Conflicts=firewalld.service
+Conflicts=nftables.service
DefaultDependencies=no
[Service]
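Review bot: The added `Conflicts=nftables.service` now points at the upstream unit rather than this package's own service, since the 1.4.0 changelog entry renames the packaged unit to nftables-full.service, and nftables-full.service is not listed here; presumably that is deliberate (early rules first, the full service re-loads later), but nothing in the unit records it. A comment such as `# nftables-full.service is this package's own unit and is intended to run after us; only foreign firewall managers are excluded here` would stop the next maintainer from "fixing" it. Conflicts= is symmetric, so starting firewalld or the upstream nftables.service later will also stop this unit, which is worth mentioning in the README as well.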
--- nftables-service.orig
+++ nftables-service
@@ -1,10 +1,69 @@
#!/bin/bash
+NFT="/usr/sbin/nft"
+
+NFTABLES_COMMAND="${1}"
+
NFTABLES_CONFIG="/etc/nftables.conf"
+NFTABLES_OLD_AUTO_CONFIG="/etc/nftables-auto.conf"
+NFTABLES_AUTO_CONFIG="/var/lib/nftables/auto.conf"
+NFTABLES_AUTO_MIGRATED="/var/lib/nftables/auto-migrated"
-if /usr/sbin/nft --check --file "${NFTABLES_CONFIG}" ; then
- echo "Loading '${NFTABLES_CONFIG}'"
- /usr/sbin/nft --file "${NFTABLES_CONFIG}"
-else
- echo "nft --check for '${NFTABLES_CONFIG}' failed. Not loading the config."
+if [ -e "${NFTABLES_OLD_AUTO_CONFIG}" ] ; then
+ if [ -e "${NFTABLES_AUTO_MIGRATED}" ] ; then
+ echo "Warning: Found an old style auto file ${NFTABLES_OLD_AUTO_CONFIG}. Those are no longer supported. The new path is ${NFTABLES_AUTO_CONFIG}. If you restore files from a backup, please restore them to the new path."
+ else
+ echo "Warning: Found an old style auto file ${NFTABLES_OLD_AUTO_CONFIG}. Moving to the new path ${NFTABLES_AUTO_CONFIG}."
+ mv "${NFTABLES_OLD_AUTO_CONFIG}" "${NFTABLES_AUTO_CONFIG}"
+ touch "${NFTABLES_AUTO_MIGRATED}"
+ fi
fi
+
+echo "Interfaces which are set up already: "
+/usr/sbin/ip --brief link show
+
+case "${NFTABLES_COMMAND}" in
+ start | reload)
+ NFTABLES_USE_CONFIG="${NFTABLES_CONFIG}"
+ echo "Checking if '${NFTABLES_AUTO_CONFIG}' exists."
+ if [ -e "${NFTABLES_AUTO_CONFIG}" ] ; then
+ echo "Found an autosave configuration file '${NFTABLES_AUTO_CONFIG}'. Checking if it is non zero size."
+ if [ -s "${NFTABLES_AUTO_CONFIG}" ] ; then
+ NFTABLES_USE_CONFIG="${NFTABLES_AUTO_CONFIG}"
+ else
+ echo "Not loading empty '${NFTABLES_AUTO_CONFIG}'. Falling back to '${NFTABLES_CONFIG}'."
+ fi
+ fi
+
+ echo "Checking '${NFTABLES_USE_CONFIG}' for correctness"
+ if ${NFT} --check --file "${NFTABLES_USE_CONFIG}" ; then
+ echo "Loading '${NFTABLES_USE_CONFIG}'"
+ ${NFT} --file "${NFTABLES_USE_CONFIG}"
+ else
+ echo "nft --check for '${NFTABLES_USE_CONFIG}' failed. Not loading the config."
+ exit 1
+ fi
+ ;;
+ stop)
+ NFTABLES_RULESET_LINECOUNT=$(nft list ruleset | wc -l)
+ if [ -e "${NFTABLES_AUTO_CONFIG}" ] ; then
+ echo "Found an autosave configuration file '${NFTABLES_AUTO_CONFIG}'. Checking if we have a ruleset for saving."
+ if [ $NFTABLES_RULESET_LINECOUNT -gt 0 ] ; then
+ echo "Saving current ruleset to '${NFTABLES_AUTO_CONFIG}'"
+ echo "flush ruleset" > "${NFTABLES_AUTO_CONFIG}"
+ ${NFT} list ruleset >> "${NFTABLES_AUTO_CONFIG}"
+ else
+ echo "Not saving empty ruleset"
+ fi
+ fi
+ echo "Flushing ruleset"
+ ${NFT} flush ruleset
+ ;;
+ *)
+ echo "Usage: ${0} (start|stop|reload)"
+ echo ""
+ echo "If '${NFTABLES_AUTO_CONFIG}' exists then the stop action will save the current ruleset to this file and load the config from this file, if it is not empty. In case of an empty file it will load the normal config file."
+ echo ""
+ echo "Otherwise '${NFTABLES_CONFIG}' will be used and the stop action will only flush the ruleset."
+ ;;
+esac
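Review bot: The autosave in the `stop` branch is not atomic: `echo "flush ruleset" > "${NFTABLES_AUTO_CONFIG}"` truncates the file before `${NFT} list ruleset >>` appends, so if that second nft call fails or is cut short (disk full, the unit being killed during shutdown), the file is left holding only `flush ruleset`; on the next `start` the `-s` test accepts it as non-empty, `nft --check` passes, and the host boots with no ruleset at all and no error logged. Writing to a `mktemp` file in the same directory and renaming it over the target only after nft succeeded keeps the previous autosave intact on failure (the 0600 mode from mktemp then carries over to auto.conf, which is no looser than the current umask-dependent mode). In the same branch L88 calls bare `nft` while every other invocation uses `${NFT}`; `${NFT} list ruleset | wc -l` keeps it consistent. The `*)` arm prints usage and then exits 0, so a mistyped action looks like success to the caller; `exit 2` there, with the usage text sent to stderr, would make it visible.

```shell
      # … unchanged: linecount, -e and -gt 0 checks …
      echo "Saving current ruleset to '${NFTABLES_AUTO_CONFIG}'"
      NFTABLES_AUTO_TMP="$(mktemp "${NFTABLES_AUTO_CONFIG}.XXXXXX")" || exit 1
      if { echo "flush ruleset" ; ${NFT} list ruleset ; } > "${NFTABLES_AUTO_TMP}" ; then
        mv -f "${NFTABLES_AUTO_TMP}" "${NFTABLES_AUTO_CONFIG}"
      else
        echo "Dumping the ruleset failed. Keeping the previous '${NFTABLES_AUTO_CONFIG}'."
        rm -f "${NFTABLES_AUTO_TMP}"
      fi
      # … unchanged: "Not saving empty ruleset" branch, flush ruleset …
```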
--- nftables-service.changes.orig
+++ nftables-service.changes
@@ -1,4 +1,125 @@
-------------------------------------------------------------------
+Wed Sep 24 20:25:51 UTC 2025 - Marcus Rueckert <mrueckert@suse.de>
+
+- Update to 1.5.2
+ - Also show existing interfaces in the full script
+
+-------------------------------------------------------------------
+Wed Sep 24 19:54:36 UTC 2025 - Marcus Rueckert <mrueckert@suse.de>
+
+- Update to 1.5.1
+ Add a bit more log output to better understand why loading
+ a configuration might hang.
+
+-------------------------------------------------------------------
+Fri Mar 14 11:43:52 UTC 2025 - Marcus Rueckert <mrueckert@suse.de>
+
+- Update to 1.5.0
+ - disable the code that would keep migrating services
+
+-------------------------------------------------------------------
+Wed Mar 5 14:10:10 UTC 2025 - Marcus Rueckert <mrueckert@suse.de>
+
+- Update to 1.4.0
+ - nftables will now own nftables.service
+ our service is now renamed to nftables-full.service
+
+-------------------------------------------------------------------
+Thu Oct 10 14:04:59 UTC 2024 - Marcus Rueckert <mrueckert@suse.de>
+
+- conflict with at least the default firewalls so that they do not
+ run in parallel
+
+-------------------------------------------------------------------
+Tue Jul 18 16:04:22 UTC 2023 - Marcus Rueckert <mrueckert@suse.de>
+
+- config does not need the executable bit
+
+-------------------------------------------------------------------
+Wed Dec 8 08:51:08 UTC 2021 - Marcus Rueckert <mrueckert@suse.de>
+
+- Update to 1.3.0
+ - Move the migration to the shell script and remember if we did
+ the migration already, so we don't move old files restored from
+ a backup over live data later.
+ - Add a warning if the old filename is still found after the
+ migration.
+ - drop DefaultDependencies=no from the unit file
+
+-------------------------------------------------------------------
+Wed Dec 8 08:33:39 UTC 2021 - Marcus Rueckert <mrueckert@suse.de>
+
+- Update to 1.2.1
+ Move /etc/nftables-auto.conf to /var/lib/nftables/auto.conf in
+ %postun before the restart
+
+-------------------------------------------------------------------
+Wed Dec 8 08:25:49 UTC 2021 - Marcus Rueckert <mrueckert@suse.de>
+
+- Update to 1.2.0
+ /etc/nftables-auto.conf now lives in /var/lib/nftables/auto.conf.
+ This is a much cleaner place for a state file anyway and we can
+ then just allow writing to /var/lib/nftables/ in the unit file,
+ and that directory will always exist.
+
+-------------------------------------------------------------------
+Thu Nov 11 20:00:34 UTC 2021 - Marcus Rueckert <mrueckert@suse.de>
+
+- revert the previsous change as it only works when the auto file
+ also exists
+
+-------------------------------------------------------------------
+Thu Nov 11 14:56:07 UTC 2021 - Marcus Rueckert <mrueckert@suse.de>
+
+- make sure we can write nftables-auto.conf and still use the
+ systemd protections
+
+-------------------------------------------------------------------
+Sat Apr 10 17:35:51 UTC 2021 - Marcus Rueckert <mrueckert@suse.de>
+
+- Update to version 1.1.5
+ Also track /etc/nftables for includes
+
+-------------------------------------------------------------------
+Mon Mar 15 14:38:58 UTC 2021 - Marcus Rueckert <mrueckert@suse.de>
+
+- Update to version 1.1.4
+ Revert previous change as it would cause a warning in the log for
+ people not using the auto feature
+
+-------------------------------------------------------------------
+Mon Mar 15 14:34:33 UTC 2021 - Marcus Rueckert <mrueckert@suse.de>
+
+- Update to version 1.1.3
+ Simplify logic for auto config file even more
+
+-------------------------------------------------------------------
+Sat Mar 13 23:46:23 UTC 2021 - Marcus Rueckert <mrueckert@suse.de>
+
+- Update to version 1.1.2
+ Simplify logic for deciding if we want to load the auto config
+ file
+- add COPYING file
+
+-------------------------------------------------------------------
+Sat Mar 13 23:39:21 UTC 2021 - Marcus Rueckert <mrueckert@suse.de>
+
+- Update to version 1.1.1
+ Make sure we also add a flush ruleset line to the dumped file
+
+-------------------------------------------------------------------
+Sat Mar 13 22:49:56 UTC 2021 - Christian Boltz <suse-beta@cboltz.de>
+
+- exit 1 if nftables.conf is invalid
+
+-------------------------------------------------------------------
+Sat Mar 13 21:51:38 UTC 2021 - Marcus Rueckert <mrueckert@suse.de>
+
+- Update to version 1.1
+ Support for /etc/nftables-auto.conf.
+ See README.md for the specifics.
+
+-------------------------------------------------------------------
Fri Mar 5 13:47:50 UTC 2021 - Daniel Molkentin <daniel.molkentin@suse.com>
- make nftable.conf file executable, as it has a !# header
--- nftables-service.spec.orig
+++ nftables-service.spec
@@ -17,10 +17,16 @@
#
-%define services nftables-early.service nftables.service
+%define services nftables-early.service nftables-full.service
+%define homedir /var/lib/nftables
+
+%define trigger_file_enabled /run/nftables-service-was-enabled
+%define trigger_file_active /run/nftables-service-was-active
+
+%bcond_with ensure_service_continuity
Name: nftables-service
-Version: 1.0
+Version: 1.5.2
Release: 0
Summary: Service wrapper for nftables
License: GPL-2.0-only
@@ -28,10 +34,12 @@ Group: Productivity/Networking/
URL: https://netfilter.org/projects/nftables/
Source0: nftables.conf
Source1: nftables-early.service
-Source2: nftables.service
+Source2: nftables-full.service
Source3: nftables-early-service
Source4: nftables-service
-Source5: README.SUSE
+Source5: README.md
+Source6: TODO.md
+Source7: COPYING
BuildRequires: pkgconfig
BuildRequires: systemd-rpm-macros
BuildRequires: pkgconfig(systemd)
@@ -47,25 +55,38 @@ Service wrapper for nftables inspired by
%prep
%build
-cp %{SOURCE5} .
+cp %{SOURCE5} %{SOURCE6} %{SOURCE7} .
%install
install -D -d -m 0755 \
%{buildroot}%{_sbindir} \
%{buildroot}%{_unitdir} \
- %{buildroot}%{_sysconfdir}
+ %{buildroot}%{_sysconfdir}/nftables \
+ %{buildroot}%{homedir}
#
-install -m 0755 %{SOURCE0} %{buildroot}%{_sysconfdir}/nftables.conf
+install -m 0644 %{SOURCE0} %{buildroot}%{_sysconfdir}/nftables.conf
touch %{buildroot}%{_sysconfdir}/nftables-early.conf
#
install -m 0644 %{SOURCE1} %{SOURCE2} %{buildroot}%{_unitdir}
install -m 0755 %{SOURCE3} %{SOURCE4} %{buildroot}%{_sbindir}
#
-ln -s %{_sbindir}/service %{buildroot}%{_sbindir}/rcnftables
+ln -s %{_sbindir}/service %{buildroot}%{_sbindir}/rcnftables-full
ln -s %{_sbindir}/service %{buildroot}%{_sbindir}/rcnftables-early
%pre
+%if %{with ensure_service_continuity}
+if /bin/systemctl is-enabled nftables.service > /dev/null ; then
+ if "$(rpm --qf '%%{name}\n' -qf /usr/lib/systemd/system/nftables.service)" = "%{name}" ; then
+ echo "found existing nftables.service from nftables-service the package"
+ touch %{trigger_file_enabled}
+ if /bin/systemctl is-enabled nftables.service > /dev/null ; then
+ echo "found running nftables.service from nftables-service the package"
+ touch %{trigger_file_active}
+ fi
+ fi
+fi
+%endif
%service_add_pre %{services}
%post
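Review bot: The ownership test in %pre is missing its `[ ]`: `if "$(rpm --qf '%%{name}\n' -qf /usr/lib/systemd/system/nftables.service)" = "%{name}" ; then` runs rpm's output (the owning package's name) as a command with `=` and the package name as its arguments, so the branch never fires — or, if a binary with that name happens to be on PATH, runs it during package installation. It should be `if [ "$(rpm --qf '%%{name}\n' -qf /usr/lib/systemd/system/nftables.service 2>/dev/null)" = "%{name}" ] ; then`, the redirect covering the case where the unit file does not exist. The inner check repeats `is-enabled` although its message says "found running" and it sets `trigger_file_active`; `if /bin/systemctl is-active nftables.service > /dev/null ; then` is presumably what was meant. This whole block sits behind `%bcond_with ensure_service_continuity`, which the 1.5.0 changelog entry says is off by default, so the defect is dormant but will bite anyone who builds with it enabled.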
@@ -77,19 +98,35 @@ ln -s %{_sbindir}/service %{
%postun
%service_del_postun %{services}
+%if %{with ensure_service_continuity}
+%posttrans
+if [ -e %{trigger_file_enabled} ] ; then
+ if [ -e %{trigger_file_active} ] ; then
+ now="--now"
+ rm %{trigger_file_active}
+ fi
+ /bin/systemctl enable ${now} nftables-full.service
+ rm %{trigger_file_enabled}
+fi
+%endif
+
%files
-%doc README.SUSE
+%doc README.md TODO.md
+%license COPYING
#
+%config(noreplace) %dir %{_sysconfdir}/nftables/
%config(noreplace) %{_sysconfdir}/nftables.conf
%config(noreplace) %ghost %{_sysconfdir}/nftables-early.conf
#
-%{_unitdir}/nftables.service
+%{_unitdir}/nftables-full.service
%{_unitdir}/nftables-early.service
#
%{_sbindir}/nftables-service
%{_sbindir}/nftables-early-service
#
-%{_sbindir}/rcnftables
+%{_sbindir}/rcnftables-full
%{_sbindir}/rcnftables-early
+%dir %{homedir}
+
%changelog
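Review bot: `%dir %{homedir}` is packaged with the 0755 mode the %install section creates, and the service script later writes the dumped ruleset into that directory with whatever mode the process umask yields; if a dumped ruleset (address sets, per-host allow lists) is considered sensitive on the target systems, `%attr(0750,root,root) %dir %{homedir}` would keep it from being world-listable without changing anything the unit does. Separately, `%config(noreplace) %dir %{_sysconfdir}/nftables/` applies a file-replacement policy to a directory entry, where as far as I know it has no effect; `%dir %{_sysconfdir}/nftables/` says the same thing without suggesting rpm will preserve something there.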
--- nftables.conf.orig
+++ nftables.conf
@@ -1,5 +1,3 @@
-#!/usr/sbin/nft -f
-
flush ruleset
table inet filter {