[packages/nftables] add systemd unit and sample global config in /etc/sysconfig
atler
atler at pld-linux.org
Sun Dec 27 12:44:11 CET 2020
commit 19bb6686c0cd69c9f6fda4acbdd3cdbd86740f90
Author: Jan Palus <atler at pld-linux.org>
Date: Sun Dec 27 12:42:40 2020 +0100
add systemd unit and sample global config in /etc/sysconfig
nftables.conf | 17 +++++++++++++++++
nftables.service | 17 +++++++++++++++++
nftables.spec | 37 +++++++++++++++++++++++++++++++++++--
3 files changed, 69 insertions(+), 2 deletions(-)
---
diff --git a/nftables.spec b/nftables.spec
index 02d1dd9..d43744f 100644
--- a/nftables.spec
+++ b/nftables.spec
@@ -1,3 +1,7 @@
+#
+# Conditional build:
+%bcond_without systemd # without systemd unit
+
Summary: Administration tool for packet filtering and classification
Summary(pl.UTF-8): Narzędzie administracyjne do filtrowania i klasyfikacji pakietów
Name: nftables
@@ -7,6 +11,8 @@ License: GPL v2
Group: Applications/Networking
Source0: https://netfilter.org/projects/nftables/files/%{name}-%{version}.tar.bz2
# Source0-md5: 3214083f71c5b04a40762f59fa08cea0
+Source1: %{name}.service
+Source2: %{name}.conf
Patch0: %{name}-python.patch
URL: https://netfilter.org/projects/nftables/
BuildRequires: asciidoc
@@ -28,6 +34,7 @@ BuildRequires: rpmbuild(macros) >= 1.219
Requires: iptables-libs >= 1.6.1
Requires: libmnl >= 1.0.4
Requires: libnftnl >= 1.1.7
+%{?with_systemd:Requires: systemd-units >= 38}
BuildRoot: %{tmpdir}/%{name}-%{version}-root-%(id -u -n)
%description
@@ -104,9 +111,24 @@ Wiązania Pythona do biblioteki libnftables.
%install
rm -rf $RPM_BUILD_ROOT
+install -d $RPM_BUILD_ROOT{%{_sysconfdir}/sysconfig,%{systemdunitdir}}
+
%{__make} install \
DESTDIR=$RPM_BUILD_ROOT
+cp %{SOURCE2} $RPM_BUILD_ROOT%{_sysconfdir}/sysconfig/%{name}
+sed -i -e 's|@NFT@|%{_sbindir}/nft|' \
+ $RPM_BUILD_ROOT%{_sysconfdir}/sysconfig/%{name}
+
+%if %{with systemd}
+cp %{SOURCE1} $RPM_BUILD_ROOT%{systemdunitdir}
+sed -i -e '{
+ s|@NFT@|%{_sbindir}/nft|
+ s|@CONF@|%{_sysconfdir}/sysconfig/%{name}|
+}' \
+ $RPM_BUILD_ROOT%{systemdunitdir}/%{name}.service
+%endif
+
# obsoleted by pkg-config
%{__rm} $RPM_BUILD_ROOT%{_libdir}/libnftables.la
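Review bot: The `install -d` line creates `%{systemdunitdir}` in the buildroot unconditionally, while the only thing that ever goes into it is behind `%if %{with systemd}` a few lines below, so a `--without systemd` build leaves an empty, unpackaged directory behind; probably harmless, but it is the kind of thing rpm's unpackaged-files check or a later cleanup tends to trip over. Keep the sysconfig directory unconditional and move the unit directory into the conditional block, i.e. `install -d $RPM_BUILD_ROOT%{_sysconfdir}/sysconfig` up top and `install -d $RPM_BUILD_ROOT%{systemdunitdir}` as the first line after `%if %{with systemd}`. The sed substitutions themselves look correct; both `@NFT@` and `@CONF@` resolve to absolute paths, which is what a unit file and a `#!` line need.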
@@ -115,8 +137,17 @@ rm -rf $RPM_BUILD_ROOT
%clean
rm -rf $RPM_BUILD_ROOT
-%post -p /sbin/ldconfig
-%postun -p /sbin/ldconfig
+%post
+/sbin/ldconfig
+%{?with_systemd:%systemd_post %{name}.service}
+
+%preun
+%{?with_systemd:%systemd_preun %{name}.service}
+
+%postun
+/sbin/ldconfig
+%{?with_systemd:%systemd_reload}
+
%files
%defattr(644,root,root,755)
@@ -138,11 +169,13 @@ rm -rf $RPM_BUILD_ROOT
%attr(740,root,root) %config(noreplace) %verify(not md5 mtime size) %{_sysconfdir}/nftables/netdev-ingress.nft
%dir %{_sysconfdir}/nftables/osf
%attr(740,root,root) %config(noreplace) %verify(not md5 mtime size) %{_sysconfdir}/nftables/osf/pf.os
+%attr(740,root,root) %config(noreplace) %verify(not md5 mtime size) %{_sysconfdir}/sysconfig/%{name}
%attr(755,root,root) %{_libdir}/libnftables.so.*.*.*
%attr(755,root,root) %ghost %{_libdir}/libnftables.so.1
%doc %{_docdir}/nftables
%{_mandir}/man5/libnftables-json.5*
%{_mandir}/man8/nft.8*
+%{?with_systemd:%{systemdunitdir}/%{name}.service}
%files devel
%defattr(644,root,root,755)
diff --git a/nftables.conf b/nftables.conf
new file mode 100644
index 0000000..c873f5a
--- /dev/null
+++ b/nftables.conf
@@ -0,0 +1,17 @@
+#!@NFT@ -f
+# This file will contain your nftables rules and
+# is read by the systemd service when restarting
+#
+# These provide an iptables like set of filters
+# (uncomment to include)
+# include "/etc/nftables/arp-filter.nft"
+# include "/etc/nftables/bridge-filter.nft"
+# include "/etc/nftables/inet-filter.nft"
+# include "/etc/nftables/ipv4-filter.nft"
+# include "/etc/nftables/ipv4-mangle.nft"
+# include "/etc/nftables/ipv4-nat.nft"
+# include "/etc/nftables/ipv4-raw.nft"
+# include "/etc/nftables/ipv6-filter.nft"
+# include "/etc/nftables/ipv6-mangle.nft"
+# include "/etc/nftables/ipv6-nat.nft"
+# include "/etc/nftables/ipv6-raw.nft"
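Review bot: The header says the include lines "provide an iptables like set of filters", but as far as I recall the upstream /etc/nftables/*.nft examples only declare empty base chains with the default accept policy, so uncommenting them filters nothing on its own; the comment should say that plainly, e.g. `# NOTE: these only create empty, accept-by-default tables and chains; add your rules (and a drop policy) below the includes`. The file also carries no `flush ruleset`, so applying it by hand with `nft -f` on a host that already has rules appends duplicate rules rather than replacing them; ExecReload flushes explicitly, but a `flush ruleset` as the first statement would make the file idempotent however it is applied. Both points rest on the upstream sample files and nft semantics rather than on anything visible in this hunk, so confirm before changing.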
diff --git a/nftables.service b/nftables.service
new file mode 100644
index 0000000..dfc4fb0
--- /dev/null
+++ b/nftables.service
@@ -0,0 +1,17 @@
+[Unit]
+Description=Netfilter Tables
+Documentation=man:nft(8)
+Wants=network-pre.target
+Before=network-pre.target
+
+[Service]
+Type=oneshot
+ProtectSystem=full
+ProtectHome=true
+ExecStart=@NFT@ -f @CONF@
+ExecReload=@NFT@ 'flush ruleset; include "@CONF@";'
+ExecStop=@NFT@ flush ruleset
+RemainAfterExit=yes
+
+[Install]
+WantedBy=multi-user.target
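Review bot: `ExecStop=@NFT@ flush ruleset` (and, because the unit is oneshot with RemainAfterExit, the stop half of `systemctl restart`) removes every table and leaves the host with no packet filter at all until ExecStart runs again, and nothing in the unit says so; a comment above ExecStop such as `# NOTE: stopping this unit flushes the entire ruleset (fail-open); it does not fall back to a default-deny policy` would make that explicit for operators. The ExecReload form `flush ruleset; include "@CONF@"` is only acceptable because nft is expected to parse the whole script before committing any of it, so a syntax error in the config should leave the old ruleset untouched — worth stating next to that line, and worth verifying on this nft version rather than assuming, since the hunk itself cannot show it. Since nft should need little beyond CAP_NET_ADMIN on a netlink socket, the sandbox could also be tightened past ProtectSystem/ProtectHome with `CapabilityBoundingSet=CAP_NET_ADMIN` and `ProtectKernelTunables=yes`, provided the shipped include files still load under them.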