
add systemd service file

Message ID 20141218134703.11fc792a@turingmachine
State RFC
Delegated to: Pablo Neira

Commit Message

Jörg Thalheim Dec. 18, 2014, 12:47 p.m. UTC
Signed-off-by: Jörg Thalheim <joerg@higgsboson.tk>
---
 configure.ac                   | 34 ++++++++++++++++++++++++++++++++++
 files/Makefile.am              | 10 +++++++++-
 files/nftables.conf            |  7 +++++++
 files/nftables/nftables.conf   |  0
 files/systemd/Makefile.am      | 12 ++++++++++++
 files/systemd/nftables-reload  | 15 +++++++++++++++
 files/systemd/nftables.service | 12 ++++++++++++
 7 files changed, 89 insertions(+), 1 deletion(-)
 create mode 100644 files/nftables.conf
 create mode 100644 files/nftables/nftables.conf
 create mode 100644 files/systemd/Makefile.am
 create mode 100755 files/systemd/nftables-reload
 create mode 100644 files/systemd/nftables.service

Comments

Jan Engelhardt Dec. 18, 2014, 12:56 p.m. UTC | #1
On Thursday 2014-12-18 13:47, Jörg Thalheim wrote:
>+
>+nftables_confdir = ${sysconfdir}
>+nftables_conf_DATA = nftables.conf

Per systemd and distro directions, upstream-provided files should really really be located in /usr, not /etc
(this location being reserved for machine- and user-specific tweaks).

That's why something.service is provided in /usr(/lib/systemd/system/) rather
than /etc/systemd/system, for example.
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Jörg Thalheim Dec. 18, 2014, 1:02 p.m. UTC | #2
18. Dezember 2014 13:56 Uhr, "Jan Engelhardt" <jengelh@inai.de> schrieb: 
> On Thursday 2014-12-18 13:47, Jörg Thalheim wrote:
> 
>> +
>> +nftables_confdir = ${sysconfdir}
>> +nftables_conf_DATA = nftables.conf
> 
> Per systemd and distro directions, upstream-provided files should really really be located in /usr,
> not /etc
> (this location being reserved for machine- and user-specific tweaks).
> 
> That's why something.service is provided in /usr(/lib/systemd/system/) rather
> rather than /etc/systemd/system, for example.

This is what the code does (/usr/lib/systemd/system/nftables.service). 
In nftables.conf I have added some dummy rules, because the service file relies on it and 
will fail otherwise, which is a bad default.

> --
> To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
> the body of a message to majordomo@vger.kernel.org
> More majordomo info at  http://vger.kernel.org/majordomo-info.html
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html
Jan Engelhardt Dec. 18, 2014, 1:14 p.m. UTC | #3
On Thursday 2014-12-18 14:02, Jörg Thalheim wrote:
>18. Dezember 2014 13:56 Uhr, "Jan Engelhardt" <jengelh@inai.de> schrieb: 
>> On Thursday 2014-12-18 13:47, Jörg Thalheim wrote:
>>> +
>>> +nftables_confdir = ${sysconfdir}
>>> +nftables_conf_DATA = nftables.conf
>> 
>> Per systemd and distro directions, upstream-provided files should really really be located in /usr,
>> not /etc
>> (this location being reserved for machine- and user-specific tweaks).
>
>This is what the code does (/usr/lib/systemd/system/nftables.service). 
>In nftables.conf I have added some dummy rules, because the service file relies on it and 
>will fails otherwise which is a bad default.

I mean the shipped nftables.conf, it ought to be installed to
/usr(/share/nftables), similar to systemd services.
If and when the user decides to procure his own rules, he will do so via his
own nftables.conf, then located in /etc and - ideally - overriding the
same-named file in /usr.
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@vger.kernel.org
More majordomo info at  http://vger.kernel.org/majordomo-info.html

Patch

diff --git a/configure.ac b/configure.ac
index 57ea99d..5adb223 100644
--- a/configure.ac
+++ b/configure.ac
@@ -13,6 +13,8 @@  AC_CONFIG_MACRO_DIR([m4])
 AM_INIT_AUTOMAKE([-Wall foreign subdir-objects
         tar-pax no-dist-gzip dist-bzip2 1.6])
 
+AC_PATH_TOOL(PKGCONFIG, pkg-config)
+
 dnl kernel style compile messages
 m4_ifdef([AM_SILENT_RULES], [AM_SILENT_RULES([yes])])
 
@@ -112,6 +114,36 @@  AC_TYPE_UINT16_T
 AC_TYPE_UINT32_T
 AC_TYPE_UINT64_T
 
+AC_ARG_WITH(systemd, [  --with-systemd          set directory for
systemd service files],
+        [systemd_unitdir="$withval"; with_systemd=yes],
+        [systemd_unitdir=""; with_systemd=no])
+AC_SUBST(systemd_unitdir)
+
+AC_ARG_WITH(systemdutildir, [  --with-systemdutildir   set directory
for systemd helper scripts],
+        [systemd_utildir="$withval"], [systemd_utildir=""])
+AC_SUBST(systemd_utildir)
+
+AM_CONDITIONAL([INSTALL_SYSTEMD], [test "x$with_systemd" != xno])
+AM_COND_IF([INSTALL_SYSTEMD],
+       [AS_IF([test "x$PKGCONFIG" = "x"],
+             [AC_MSG_ERROR(Need pkg-config to enable systemd
support.)],
+
+             [AC_MSG_CHECKING(for systemd)
+              AS_IF([$PKGCONFIG --exists systemd],
+                    [AC_MSG_RESULT(yes)
+                     AS_IF([$PKGCONFIG --exists systemd],
+                           [AS_IF([test "x$systemd_unit_dir" = "x"],
+                                  [ systemd_unitdir="`$PKGCONFIG
--variable=systemdsystemunitdir systemd`"])
+                            AS_IF([test "x$systemd_util_dir" = "x"],
+                                  [ systemd_utildir="`$PKGCONFIG
--variable=systemdutildir systemd`"])
+                           ])
+                    ]
+                    [AC_MSG_RESULT(no)])
+             ]
+
+       )]
+)
+
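Review bot: The `test "x$systemd_unit_dir" = "x"` check guarding the systemdsystemunitdir lookup tests a variable nothing sets — `--with-systemd=DIR` stores into `systemd_unitdir` — so the directory a user configures is always overwritten by the pkg-config value; `systemd_util_dir` versus `systemd_utildir` two lines below has the same mismatch. The check should read `AS_IF([test "x$systemd_unitdir" = x -o "x$systemd_unitdir" = xyes],`, which also covers a bare `--with-systemd` that would otherwise leave the literal "yes" as the install directory. When pkg-config does not know systemd, the branch only prints "no" while INSTALL_SYSTEMD stays true with an empty `systemd_unitdir`, so files/systemd/Makefile.am would later install the unit as `${DESTDIR}/nftables.service`; that branch should be an `AC_MSG_ERROR` unless a directory was given explicitly. The second `AS_IF([$PKGCONFIG --exists systemd]` nested directly inside the first repeats the same test and can be dropped.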
 # Checks for library functions.
 AC_CHECK_FUNCS([memmove memset strchr strdup strerror strtoull])
 
@@ -124,10 +156,12 @@ 
AC_CONFIG_FILES([					\
doc/Makefile				\
files/Makefile				\
files/nftables/Makefile			\
+		files/systemd/Makefile			\
 		])
 AC_OUTPUT
 
 echo "
 nft configuration:
   cli support:			${with_cli}
+  systemd support:		${with_systemd}
   enable debugging:		${with_debug}"
diff --git a/files/Makefile.am b/files/Makefile.am
index a8394c0..8045495 100644
--- a/files/Makefile.am
+++ b/files/Makefile.am
@@ -1 +1,9 @@ 
-SUBDIRS = nftables
+SUBDIRS =	nftables	\
+					systemd
+
+nftables_confdir = ${sysconfdir}
+nftables_conf_DATA = nftables.conf
+
+install-data-hook:
+	${SED} -i
's|@sbindir[@]|${sbindir}/|g;s|@sysconfdir[@]|${sysconfdir}/|g' \
+		${DESTDIR}${sysconfdir}/nftables.conf
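Review bot: `nftables_conf_DATA = nftables.conf` installs the placeholder ruleset straight into `${sysconfdir}`, so a `make install` over an existing installation overwrites the administrator's `/etc/nftables.conf` — the file the service loads at boot — with three accept-everything chains; an admin-owned file should be installed only when absent, e.g. an `install-data-local` rule that skips the copy if `${DESTDIR}${sysconfdir}/nftables.conf` already exists. The `install-data-hook` that runs `${SED} -i` over the installed file (the same pattern appears in files/systemd/Makefile.am) is fragile: `-i` differs between GNU and BSD sed, `${SED}` is only defined if configure calls `AC_PROG_SED`, which the configure.ac hunks of this patch do not show, and the installed file no longer matches what `uninstall` and `distcheck` expect. The usual automake approach is to ship `nftables.conf.in` and substitute `@sbindir@`/`@sysconfdir@` at build time via `AC_CONFIG_FILES` or a `.in` rule, after which the hook disappears.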
diff --git a/files/nftables.conf b/files/nftables.conf
new file mode 100644
index 0000000..f572db5
--- /dev/null
+++ b/files/nftables.conf
@@ -0,0 +1,7 @@ 
+#! @sbindir@nft -f
+
+table inet filter {
+	chain input		{ type filter hook input priority
0; }
+	chain forward		{ type filter hook forward
priority 0; }
+	chain output		{ type filter hook output priority
0; }
+}
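Review bot: None of the three base chains declares a `policy`, so the shipped ruleset falls back to the default accept policy and filters nothing; that is a reasonable placeholder but the file should say so, e.g. a comment under the shebang: `# Placeholder ruleset: the base chains keep the default accept policy, so no traffic is filtered until rules are added here.` The `#! @sbindir@nft -f` line is informational only, since the file is installed as non-executable DATA and the unit passes it to `nft -f` explicitly. The empty `files/nftables/nftables.conf` added by the same patch next to this file looks like a stray leftover and should probably be dropped.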
diff --git a/files/nftables/nftables.conf b/files/nftables/nftables.conf
new file mode 100644
index 0000000..e69de29
diff --git a/files/systemd/Makefile.am b/files/systemd/Makefile.am
new file mode 100644
index 0000000..c0a56c8
--- /dev/null
+++ b/files/systemd/Makefile.am
@@ -0,0 +1,12 @@ 
+
+if INSTALL_SYSTEMD
+systemd_unit_DATA = nftables.service
+
+systemd_scriptsdir = ${systemd_utildir}/scripts
+systemd_scripts_SCRIPTS = nftables-reload
+
+install-data-hook:
+	${SED} -i
's|@sbindir[@]|${sbindir}/|g;s|@sysconfdir[@]|${sysconfdir}/|g;s|@systemd_scriptsdir[@]|${systemd_scriptsdir}/|g'
\
+		${DESTDIR}${systemd_scriptsdir}/nftables-reload \
+		${DESTDIR}${systemd_unitdir}/nftables.service
+endif
diff --git a/files/systemd/nftables-reload
b/files/systemd/nftables-reload
new file mode 100755
index 0000000..d688cb6
--- /dev/null
+++ b/files/systemd/nftables-reload
@@ -0,0 +1,15 @@ 
+#!/bin/sh
+
+set -e
+
+if [ ! -f @sysconfdir@nftables.conf ]
+then
+  echo "/etc/nftables.conf does not exist" >&2
+  exit 1
+fi
+
+rules="$(mktemp nftables.XXXXXXXX)"
+trap "rm -f $tmpfile" 0 1 2 3 15
+echo "flush ruleset" > "$rules"
+cat @sysconfdir@nftables.conf >> "$rules"
+@sbindir@nft -f "$rules"
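Review bot: The `trap "rm -f $tmpfile"` line removes a variable that does not exist — the path is stored in `rules` — and the double quotes expand the name when the trap is installed rather than when it fires, so every reload leaves the temporary ruleset behind. Because `mktemp nftables.XXXXXXXX` uses a relative template, that file lands in the service's working directory (`/` under systemd) instead of a temp directory. The error message also hard-codes `/etc/nftables.conf` while the check uses `@sysconfdir@nftables.conf`, and the final `nft -f` omits the `-I /etc/nftables` include path that `ExecStart` in nftables.service passes, so a config that `include`s files from that directory loads at start but fails on reload. The rewrite below keeps flush and load in one `nft -f` invocation, which is what lets a non-parsing config leave the running ruleset untouched, as far as nft applies the file as a single batch.

```shell
conf=@sysconfdir@nftables.conf
if [ ! -f "$conf" ]
then
  echo "$conf does not exist" >&2
  exit 1
fi

rules="$(mktemp "${TMPDIR:-/tmp}/nftables.XXXXXXXX")"
trap 'rm -f "$rules"' 0 1 2 3 15
echo "flush ruleset" > "$rules"
cat "$conf" >> "$rules"
@sbindir@nft -I @sysconfdir@nftables -f "$rules"
```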
diff --git a/files/systemd/nftables.service
b/files/systemd/nftables.service
new file mode 100644
index 0000000..f958bfc
--- /dev/null
+++ b/files/systemd/nftables.service
@@ -0,0 +1,12 @@ 
+[Unit]
+Description=nftables
+Documentation=man:nft(8)
+
+[Service]
+RemainAfterExit=yes
+ExecStart=@sbindir@nft -I /etc/nftables -f /etc/nftables.conf
+ExecStop=@sbindir@nft flush ruleset
+ExecReload=@systemd_scriptsdir@nftables-reload
+