[packages/nftables] add systemd unit and sample global config in /etc/sysconfig

atler atler at pld-linux.org
Sun Dec 27 12:44:11 CET 2020


commit 19bb6686c0cd69c9f6fda4acbdd3cdbd86740f90
Author: Jan Palus <atler at pld-linux.org>
Date:   Sun Dec 27 12:42:40 2020 +0100

    add systemd unit and sample global config in /etc/sysconfig

 nftables.conf    | 17 +++++++++++++++++
 nftables.service | 17 +++++++++++++++++
 nftables.spec    | 37 +++++++++++++++++++++++++++++++++++--
 3 files changed, 69 insertions(+), 2 deletions(-)
---
diff --git a/nftables.spec b/nftables.spec
index 02d1dd9..d43744f 100644
--- a/nftables.spec
+++ b/nftables.spec
@@ -1,3 +1,7 @@
+#
+# Conditional build:
+%bcond_without	systemd		# without systemd unit
+
 Summary:	Administration tool for packet filtering and classification
 Summary(pl.UTF-8):	Narzędzie administracyjne do filtrowania i klasyfikacji pakietów
 Name:		nftables
@@ -7,6 +11,8 @@ License:	GPL v2
 Group:		Applications/Networking
 Source0:	https://netfilter.org/projects/nftables/files/%{name}-%{version}.tar.bz2
 # Source0-md5:	3214083f71c5b04a40762f59fa08cea0
+Source1:	%{name}.service
+Source2:	%{name}.conf
 Patch0:		%{name}-python.patch
 URL:		https://netfilter.org/projects/nftables/
 BuildRequires:	asciidoc
@@ -28,6 +34,7 @@ BuildRequires:	rpmbuild(macros) >= 1.219
 Requires:	iptables-libs >= 1.6.1
 Requires:	libmnl >= 1.0.4
 Requires:	libnftnl >= 1.1.7
+%{?with_systemd:Requires:	systemd-units >= 38}
 BuildRoot:	%{tmpdir}/%{name}-%{version}-root-%(id -u -n)
 
 %description
@@ -104,9 +111,24 @@ Wiązania Pythona do biblioteki libnftables.
 %install
 rm -rf $RPM_BUILD_ROOT
 
+install -d $RPM_BUILD_ROOT{%{_sysconfdir}/sysconfig,%{systemdunitdir}}
+
 %{__make} install \
         DESTDIR=$RPM_BUILD_ROOT
 
+cp %{SOURCE2} $RPM_BUILD_ROOT%{_sysconfdir}/sysconfig/%{name}
+sed -i -e 's|@NFT@|%{_sbindir}/nft|' \
+	$RPM_BUILD_ROOT%{_sysconfdir}/sysconfig/%{name}
+
+%if %{with systemd}
+cp %{SOURCE1} $RPM_BUILD_ROOT%{systemdunitdir}
+sed -i -e '{
+	s|@NFT@|%{_sbindir}/nft|
+	s|@CONF@|%{_sysconfdir}/sysconfig/%{name}|
+}' \
+	$RPM_BUILD_ROOT%{systemdunitdir}/%{name}.service
+%endif
+
 # obsoleted by pkg-config
 %{__rm} $RPM_BUILD_ROOT%{_libdir}/libnftables.la
 
@@ -115,8 +137,17 @@ rm -rf $RPM_BUILD_ROOT
 %clean
 rm -rf $RPM_BUILD_ROOT
 
-%post	-p /sbin/ldconfig
-%postun	-p /sbin/ldconfig
+%post
+/sbin/ldconfig
+%{?with_systemd:%systemd_post %{name}.service}
+
+%preun
+%{?with_systemd:%systemd_preun %{name}.service}
+
+%postun
+/sbin/ldconfig
+%{?with_systemd:%systemd_reload}
+
 
 %files
 %defattr(644,root,root,755)
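Review bot: `%systemd_preun %{name}.service` on L83 will, if PLD's macro behaves as its name suggests, stop the unit when the package is removed, and the unit's `ExecStop` is `nft flush ruleset` (L147) — so erasing the package drops the live firewall rather than leaving the loaded ruleset in place until reboot. That may be intended, but it is a surprising side effect of `rpm -e`; a comment above the scriptlet such as `# NOTE: stopping the unit runs "nft flush ruleset" (see nftables.service); package removal leaves the host with no ruleset` documents it for the next maintainer. Also, `%postun` on L85-87 ends with two blank lines (L88-89) where the rest of the spec uses one.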
@@ -138,11 +169,13 @@ rm -rf $RPM_BUILD_ROOT
 %attr(740,root,root) %config(noreplace) %verify(not md5 mtime size) %{_sysconfdir}/nftables/netdev-ingress.nft
 %dir %{_sysconfdir}/nftables/osf
 %attr(740,root,root) %config(noreplace) %verify(not md5 mtime size) %{_sysconfdir}/nftables/osf/pf.os
+%attr(740,root,root) %config(noreplace) %verify(not md5 mtime size) %{_sysconfdir}/sysconfig/%{name}
 %attr(755,root,root) %{_libdir}/libnftables.so.*.*.*
 %attr(755,root,root) %ghost %{_libdir}/libnftables.so.1
 %doc %{_docdir}/nftables
 %{_mandir}/man5/libnftables-json.5*
 %{_mandir}/man8/nft.8*
+%{?with_systemd:%{systemdunitdir}/%{name}.service}
 
 %files devel
 %defattr(644,root,root,755)
diff --git a/nftables.conf b/nftables.conf
new file mode 100644
index 0000000..c873f5a
--- /dev/null
+++ b/nftables.conf
@@ -0,0 +1,17 @@
+#!@NFT@ -f
+# This file will contain your nftables rules and
+# is read by the systemd service when restarting
+#
+# These provide an iptables like set of filters
+# (uncomment to include)
+# include "/etc/nftables/arp-filter.nft"
+# include "/etc/nftables/bridge-filter.nft"
+# include "/etc/nftables/inet-filter.nft"
+# include "/etc/nftables/ipv4-filter.nft"
+# include "/etc/nftables/ipv4-mangle.nft"
+# include "/etc/nftables/ipv4-nat.nft"
+# include "/etc/nftables/ipv4-raw.nft"
+# include "/etc/nftables/ipv6-filter.nft"
+# include "/etc/nftables/ipv6-mangle.nft"
+# include "/etc/nftables/ipv6-nat.nft"
+# include "/etc/nftables/ipv6-raw.nft"
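Review bot: The header comment on L113-114 says the file "is read by the systemd service when restarting", but the unit reads it on start (`nft -f`, L145) and on reload (`flush ruleset; include`, L146), so the comment should say `# Read by nftables.service on start and reload (nft -f / flush ruleset; include).`. Because the file carries a `#!@NFT@ -f` shebang (L112) and is installed mode 740 for root, an administrator can also run it directly; without a `flush ruleset` as its first statement, a direct run on a host that already has the ruleset loaded would, as far as I can tell, append the included rules a second time rather than replace them. Consider opening the sample with `flush ruleset` (after the comment block) so the file is idempotent whichever way it is applied; the inline flush in `ExecReload` then becomes redundant but harmless. Note that the `include` paths are spelled `/etc/nftables/...` literally while the spec uses `%{_sysconfdir}` for the same directory (L93-95), which is fine as long as `%{_sysconfdir}` stays `/etc`.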
diff --git a/nftables.service b/nftables.service
new file mode 100644
index 0000000..dfc4fb0
--- /dev/null
+++ b/nftables.service
@@ -0,0 +1,17 @@
+[Unit]
+Description=Netfilter Tables
+Documentation=man:nft(8)
+Wants=network-pre.target
+Before=network-pre.target
+
+[Service]
+Type=oneshot
+ProtectSystem=full
+ProtectHome=true
+ExecStart=@NFT@ -f @CONF@ 
+ExecReload=@NFT@ 'flush ruleset; include "@CONF@";'
+ExecStop=@NFT@ flush ruleset
+RemainAfterExit=yes
+
+[Install]
+WantedBy=multi-user.target
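Review bot: With default dependencies left on, this unit is implicitly ordered after `basic.target`, and `WantedBy=multi-user.target` (L151) pulls it in only late in boot; `network-pre.target` (L138-139) is a passive target, so an interface brought up by something that does not itself order `After=network-pre.target` (an initramfs-configured link, or a unit started from `sysinit.target`) can be reachable before the ruleset is loaded, and units that do order after it are delayed until `basic.target` is reached. Firewall units are commonly installed with `DefaultDependencies=no` in `[Unit]` and `WantedBy=sysinit.target` in `[Install]` so the rules are in place before any network management service starts; I would at least document why this unit deviates if the late ordering is deliberate. `ExecStop=@NFT@ flush ruleset` (L147) discards every table in the ruleset, not only those declared in `@CONF@`, which deserves a comment in the unit since a plain `systemctl stop nftables` then leaves the host with no rules at all. There is also a trailing space after `@CONF@` on L145; systemd tolerates it but it should be removed.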