FS#61158 - [nftables] /etc/nftables.conf should use include feature of nftables instead of some preset rules

Attached to Project: Arch Linux
Opened by AMM (amish) - Sunday, 23 December 2018, 05:11 GMT
Last edited by Sébastien Luttringer (seblu) - Saturday, 05 October 2019, 14:20 GMT
Task Type: Feature Request
Category: Packages: Extra
Status: Closed
Assigned To: Sébastien Luttringer (seblu)
Architecture: All
Severity: Low
Priority: Normal
Reported Version:
Due in Version: Undecided
Due Date: Undecided
Percent Complete: 100%
Votes: 3
Private: No

Details

Description:
Currently, Arch's nftables package ships /etc/nftables.conf with some default rules, which most users will need to modify (or fine-tune) according to their needs and network.

It would be better if this file used an "include" statement and a subdirectory where rules can be placed by the end user.

Possible suggestion:
1) Package a directory called /etc/nftables.conf.d

2) Ship current /etc/nftables.conf as /usr/share/nftables/arch-default.nft

3) Ship a new /etc/nftables.conf
$ cat /etc/nftables.conf
# place your rules in a file with .nft extension in /etc/nftables.conf.d/
# you can find examples in /usr/share/nftables/
include "/etc/nftables.conf.d/*.nft"

4) To avoid breaking existing user configuration, have nftables.install as follows:
$ cat nftables.install
post_upgrade() {
    if (( $(vercmp $2 1:0.9.0-2) <= 0 )); then
        echo Migrating current nftables.conf to following new location.
        else Please review /etc/nftables.conf.d/99-local.nft
        echo especially if you used include statement
        echo with relative paths instead of absolute paths

        if [ -f etc/nftables.conf.pacnew ]; then
            mv etc/nftables.conf etc/nftables.conf.d/99-local.nft
            mv etc/nftables.conf.pacnew etc/nftables.conf
        else
            cp usr/share/nftables/arch-default.nft etc/nftables.conf.d/99-local.nft
        fi
    fi
}


This would avoid the need to modify /etc/nftables.conf, and the user also gets better flexibility. Many popular packages (systemd, httpd, etc.) use this concept of conf.d directories for customization.
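As an added example (not the reporter's script and not anything shipped by the Arch nftables package), the POSIX shell below rehearses the proposed stub-plus-drop-in layout and the post_upgrade() migration in a throwaway directory that stands in for "/", the way pacman's install scripts see the target root. It skips the vercmp version gate (vercmp is pacman's tool and is not needed to exercise the file moves), writes the report's "else" line as the echo it was meant to be, and adds the two checks a practitioner would want before trusting such a layout: the order in which nft(8) loads wildcard includes (alphabetical, dotfiles skipped, an empty match not being an error), and that nothing in the include directory is group- or world-writable, since every file there becomes firewall policy at boot. The sample ruleset and the file names used in the scenarios are constructed for the example.

```shell
#!/bin/sh
# Added example: rehearse the proposed /etc/nftables.conf stub + /etc/nftables.conf.d/
# layout and the post_upgrade() migration from the report inside a throwaway
# directory that stands in for "/" (pacman runs install scripts with cwd / in the
# target root). Nothing here touches the real /etc or needs nft installed.
# Assumptions: the paths proposed in the report; the sample ruleset below is
# constructed for the example and is not the package's real default ruleset.
set -eu
umask 022          # rule files must not end up group- or world-writable
export LC_ALL=C    # make the shell glob sort the same way nft sorts includes

STUB_CONF='# place your rules in a file with .nft extension in /etc/nftables.conf.d/
# you can find examples in /usr/share/nftables/
include "/etc/nftables.conf.d/*.nft"'

SAMPLE_RULES='#!/usr/bin/nft -f
table inet filter {
  chain input {
    type filter hook input priority 0; policy drop;
    iif lo accept
    ct state established,related accept
  }
}'

# Files the package itself would ship, laid out under sandbox root $1.
setup_root() {
    mkdir -p "$1/etc/nftables.conf.d" "$1/usr/share/nftables"
    printf '%s\n' "$SAMPLE_RULES" > "$1/usr/share/nftables/arch-default.nft"
}

# Scenario A: the user had edited the old /etc/nftables.conf, so pacman kept it
# and dropped the new stub beside it as nftables.conf.pacnew.
scenario_user_modified() {
    setup_root "$1"
    printf '%s\n# user edit\n' "$SAMPLE_RULES" > "$1/etc/nftables.conf"
    printf '%s\n' "$STUB_CONF" > "$1/etc/nftables.conf.pacnew"
}

# Scenario B: the old file was pristine, so pacman simply replaced it with the stub.
scenario_unmodified() {
    setup_root "$1"
    printf '%s\n' "$STUB_CONF" > "$1/etc/nftables.conf"
}

# The report's post_upgrade() body, minus the vercmp version gate, run relative
# to sandbox root $1 instead of the chroot's "/".
migrate() {
    ( cd "$1" || exit 1
      echo "Migrating current nftables.conf to its new location."
      echo "Please review /etc/nftables.conf.d/99-local.nft, especially if you"
      echo "used include statements with relative paths instead of absolute paths."
      if [ -f etc/nftables.conf.pacnew ]; then
          # user-modified config becomes the last-loaded drop-in; stub takes its place
          mv etc/nftables.conf etc/nftables.conf.d/99-local.nft
          mv etc/nftables.conf.pacnew etc/nftables.conf
      else
          # pristine config: seed the drop-in dir with the old default ruleset
          cp usr/share/nftables/arch-default.nft etc/nftables.conf.d/99-local.nft
      fi )
}

# Names of the drop-ins nft would load, space-separated, in the alphabetical order
# nft(8) uses for wildcard includes (files starting with "." are skipped by nft,
# and by this glob; a directory with no matches is not an error for nft either).
include_order() {
    out=""
    for f in "$1"/etc/nftables.conf.d/*.nft; do
        [ -e "$f" ] || continue
        out="$out${out:+ }${f##*/}"
    done
    printf '%s\n' "$out"
}

# Everything in the include directory becomes firewall policy at boot, so refuse
# a directory or rule file that is group- or world-writable. Exit status 1 on a hit.
check_perms() {
    [ -z "$(find "$1/etc/nftables.conf.d" \( -perm -g+w -o -perm -o+w \) -print)" ]
}
```

The migrated 99-local.nft is deliberately the last file in the glob order, so any earlier drop-in (10-base.nft, say) is loaded first and the user's old ruleset keeps the final word. nft resolves an include path without a leading ./ or / against its include path (-I/--includepath, defaulting to a compile-time directory), which is why the report warns about relative include statements in the moved file; after a migration, validate the whole tree with nft -c -f /etc/nftables.conf before reloading it.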

Closed by Sébastien Luttringer (seblu)
Saturday, 05 October 2019, 14:20 GMT
Reason for closing: Won't implement
Comment by nl6720 (nl6720) - Sunday, 23 December 2018, 08:35 GMT
If the file will be moved, I would additionally propose getting rid of the ".conf" extension in favor of ".nft". It would help with text editors that use the extension for syntax highlighting (e.g. Nano).
I.e. /etc/nftables.nft and /etc/nftables.nft.d/.
Comment by AMM (amish) - Sunday, 23 December 2018, 08:50 GMT
I agree with the file being renamed to the .nft extension, but I do not agree with the directory being renamed to .nft.d, because .conf.d or just .d is the more or less accepted standard for a directory holding configuration files. So /etc/nftables.conf.d/ (I prefer this) or /etc/nftables.d/ is what I would propose.

PS: Correction to the script in my previous post. The line
else Please review /etc/nftables.conf.d/99-local.nft
should be read with "echo" instead of "else".
Comment by nl6720 (nl6720) - Sunday, 23 December 2018, 09:02 GMT
/etc/nftables.conf.d/ without a /etc/nftables.conf would be very strange. I think one of these should be acceptable: /etc/nftables/, /etc/nftables.d/ or /etc/nftables.nft.d/.
