FS#61158 - [nftables] /etc/nftables.conf should use include feature of nftables instead of some preset rules
Attached to Project:
Arch Linux
Opened by AMM (amish) - Sunday, 23 December 2018, 05:11 GMT
Last edited by Sébastien Luttringer (seblu) - Saturday, 05 October 2019, 14:20 GMT
Details
Description:
Currently Arch nftables ships with /etc/nftables.conf with some default rules which most users will need to modify (or fine-tune) as per their choice and network. It would be better if this file used an "include" statement and a subdirectory where rules can be placed by the end user.

Possible suggestion:

1) Package a directory called /etc/nftables.conf.d

2) Ship the current /etc/nftables.conf as /usr/share/nftables/arch-default.nft

3) Ship a new /etc/nftables.conf:

    $ cat /etc/nftables.conf
    # place your rules in a file with .nft extension in /etc/nftables.conf.d/
    # you can find examples in /usr/share/nftables/
    include "/etc/nftables.conf.d/*.nft"

4) To avoid breaking existing user configuration, have nftables.install as follows:

    $ cat nftables.install
    post_upgrade() {
        # $2 is the previously installed version: only migrate when coming
        # from a package that still shipped the rules in /etc/nftables.conf
        if (( $(vercmp "$2" 1:0.9.0-2) <= 0 )); then
            echo "Migrating current nftables.conf to following new location."
            echo "Please review /etc/nftables.conf.d/99-local.nft"
            echo "especially if you used include statement"
            echo "with relative paths instead of absolute paths"
            # paths are relative to the install root, as usual in pacman install scripts
            if [ -f etc/nftables.conf.pacnew ]; then
                # user-modified file: keep it as a drop-in, activate the new include-only file
                mv etc/nftables.conf etc/nftables.conf.d/99-local.nft
                mv etc/nftables.conf.pacnew etc/nftables.conf
            else
                # unmodified file was replaced by pacman: keep the old default rules active
                cp usr/share/nftables/arch-default.nft etc/nftables.conf.d/99-local.nft
            fi
        fi
    }

This will avoid the need for modifying the /etc/nftables.conf file and the user also gets better flexibility. Many popular packages (systemd, httpd etc.) use such a concept of conf.d directories for customization.
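The layout and migration proposed above, as an added example that is not part of the bug report or of the Arch nftables package: it stages the proposed files under a throwaway root directory, models the two ways pacman can deliver the new /etc/nftables.conf (direct replace vs .pacnew) with a simplified comparison against the previously shipped file, runs the migration step with the reporter's later "else → echo" correction applied, and then performs the check the notice asks the user to do by hand (find include statements with non-absolute paths). The sample ruleset, the "local-rules.nft" include and the function names are assumptions of this example.

```shell
#!/bin/bash
# Added example (not from the bug report or the Arch package): exercises the
# proposed /etc/nftables.conf + /etc/nftables.conf.d/ layout and the
# post_upgrade migration under a temporary root instead of the real /etc.
set -u

# Constructed stand-in for the rules the package currently ships.
ARCH_DEFAULT='#!/usr/bin/nft -f
table inet filter {
  chain input {
    type filter hook input priority 0; policy drop;
    ct state established,related accept
    iif lo accept
  }
}'

# The new include-only /etc/nftables.conf from the proposal.
NEW_CONF='# place your rules in a file with .nft extension in /etc/nftables.conf.d/
# you can find examples in /usr/share/nftables/
include "/etc/nftables.conf.d/*.nft"'

# Files the proposal says the package should ship, staged under root $1.
stage_package() {
    local root=$1
    mkdir -p "$root/usr/share/nftables" "$root/etc/nftables.conf.d"
    printf '%s\n' "$ARCH_DEFAULT" > "$root/usr/share/nftables/arch-default.nft"
}

# Simplified model of pacman's backup= handling (assumption: compares against
# the previously shipped content): a user-changed /etc/nftables.conf is kept
# and the new one lands as .pacnew; an unchanged file is overwritten in place.
simulate_pacman_upgrade() {
    local root=$1 conf=$1/etc/nftables.conf
    if [ -f "$conf" ] && ! cmp -s "$conf" "$root/usr/share/nftables/arch-default.nft"; then
        printf '%s\n' "$NEW_CONF" > "$conf.pacnew"
    else
        printf '%s\n' "$NEW_CONF" > "$conf"
    fi
}

# Migration body of the proposed post_upgrade(), relative to root $1,
# with the reporter's correction applied (echo, not else).
migrate_nftables_conf() {
    local root=$1
    echo "Migrating current nftables.conf to following new location."
    echo "Please review /etc/nftables.conf.d/99-local.nft"
    echo "especially if you used include statement"
    echo "with relative paths instead of absolute paths"
    if [ -f "$root/etc/nftables.conf.pacnew" ]; then
        # user-edited rules become a drop-in; the include-only file takes over
        mv "$root/etc/nftables.conf" "$root/etc/nftables.conf.d/99-local.nft"
        mv "$root/etc/nftables.conf.pacnew" "$root/etc/nftables.conf"
    else
        # unmodified install: keep the old default rules active from the drop-in dir
        cp "$root/usr/share/nftables/arch-default.nft" "$root/etc/nftables.conf.d/99-local.nft"
    fi
}

# The manual review the notice asks for: print include statements in $1 whose
# path is not absolute. Returns 1 if any were found, 0 otherwise.
relative_includes() {
    ! grep -E '^[[:space:]]*include[[:space:]]+"[^/]' "$1"
}

# Run one full upgrade path ("user" = edited config, anything else = untouched)
# under a fresh temporary root and print that root.
run_upgrade() {
    local root modified=$1
    root=$(mktemp -d)
    stage_package "$root"
    if [ "$modified" = user ]; then
        # constructed user edit: default rules plus a relative include
        printf '%s\n%s\n' "$ARCH_DEFAULT" 'include "local-rules.nft"' > "$root/etc/nftables.conf"
    else
        printf '%s\n' "$ARCH_DEFAULT" > "$root/etc/nftables.conf"
    fi
    simulate_pacman_upgrade "$root"
    migrate_nftables_conf "$root" >/dev/null
    echo "$root"
}

if [ "${1:-}" = demo ]; then
    for mode in user unmodified; do
        r=$(run_upgrade "$mode")
        echo "== $mode upgrade, root $r"
        cat "$r/etc/nftables.conf"
        relative_includes "$r/etc/nftables.conf.d/99-local.nft" || echo "review the relative includes above"
        rm -rf "$r"
    done
fi
```

Run with `bash migrate-demo.sh demo` to see both paths. On a real host the migrated layout should be checked with `nft -c -f /etc/nftables.conf` (check mode, nothing is loaded) before the service is restarted, since a drop-in that no longer resolves its includes would otherwise fail at boot with no firewall loaded.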
Closed by Sébastien Luttringer (seblu)
Saturday, 05 October 2019, 14:20 GMT
Reason for closing: Won't implement
I.e.: /etc/nftables.nft & /etc/nftables.nft.d/ .
PS:
Correction to script in my previous post:
    else Please review /etc/nftables.conf.d/99-local.nft

"else" should be read as "echo".