From: "Jörg Thalheim" <joerg@higgsboson.tk>
To: netfilter-devel@vger.kernel.org
Subject: Re: [PATCH v2] add systemd service file
Date: Fri, 20 Mar 2015 10:53:20 +0100
Message-ID: <20150320105320.58266b67@turingmachine>

The last PATCH was rejected because it added an integration script.
This PATCH, however, only adds a service file, with no other dependency but the
userspace nft program.

My motivation was the following:
- Providing a service file upstream hopefully leads to consistent behaviour across distributions
- The people who know how to deal with nft are usually the upstream developers themselves
- The provided service should be reusable without any modification in any distribution
  and should preserve maintainers from reinventing the wheel all the time
  (Debian currently does not provide atomic reloading in sid, for example;
  Arch Linux does, but it doesn't set ProtectSystem and ProtectHome)

I hope you can agree with this. Thanks

On Wed, 17 Dec 2014 17:08:46 +0100
Jörg Thalheim <joerg@higgsboson.tk> wrote:
> Signed-off-by: Jörg Thalheim <joerg@higgsboson.tk>
> ---
> configure.ac | 30 +++++++++++++++++++++++++++++-
> files/Makefile.am | 3 ++-
> files/nftables/nftables.conf | 0
> files/systemd/Makefile.am | 7 +++++++
> files/systemd/nftables.service | 17 +++++++++++++++++
> 5 files changed, 55 insertions(+), 2 deletions(-)
> create mode 100644 files/nftables/nftables.conf
> create mode 100644 files/systemd/Makefile.am
> create mode 100644 files/systemd/nftables.service
>
> diff --git a/configure.ac b/configure.ac
> index d8f949a..f4352a6 100644
> --- a/configure.ac
> +++ b/configure.ac
> @@ -13,6 +13,8 @@ AC_CONFIG_MACRO_DIR([m4])
> AM_INIT_AUTOMAKE([-Wall foreign subdir-objects
> tar-pax no-dist-gzip dist-bzip2 1.6])
>
> +AC_PATH_TOOL(PKGCONFIG, pkg-config)
> +
> dnl kernel style compile messages
> m4_ifdef([AM_SILENT_RULES], [AM_SILENT_RULES([yes])])
>
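Review bot: The added AC_PATH_TOOL(PKGCONFIG, pkg-config) line stores the tool in PKGCONFIG rather than the conventional PKG_CONFIG, so a PKG_CONFIG=... override passed to configure is not honoured by the systemd check added further down. Using PKG_PROG_PKG_CONFIG from pkg.m4 and $PKG_CONFIG in the later checks would avoid that. The lookup also runs unconditionally although only the --with-systemd path uses its result.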
> @@ -117,6 +119,30 @@ AC_TYPE_UINT16_T
> AC_TYPE_UINT32_T
> AC_TYPE_UINT64_T
>
> +AC_ARG_WITH(systemd, [ --with-systemd set directory for
> systemd service files],
> + [systemd_unitdir="$withval"; with_systemd=yes],
> + [systemd_unitdir=""; with_systemd=no])
> +AC_SUBST(systemd_unitdir)
> +
> +AM_CONDITIONAL([INSTALL_SYSTEMD], [test "x$with_systemd" != xno])
> +AM_COND_IF([INSTALL_SYSTEMD],
> + [AS_IF([test "x$PKGCONFIG" = "x"],
> + [AC_MSG_ERROR(Need pkg-config to enable systemd
> support.)], +
> + [AC_MSG_CHECKING(for systemd)
> + AS_IF([$PKGCONFIG --exists systemd],
> + [AC_MSG_RESULT(yes)
> + AS_IF([$PKGCONFIG --exists systemd],
> + [AS_IF([test "x$systemd_unit_dir" = "x"],
> + [ systemd_unitdir="`$PKGCONFIG
> --variable=systemdsystemunitdir systemd`"])
> + ])
> + ]
> + [AC_MSG_RESULT(no)])
> + ]
> +
> + )]
> +)
> +
> # Checks for library functions.
> AC_CHECK_FUNCS([memmove memset strchr strdup strerror strtoull])
>
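Review bot: The fallback test inside the AM_COND_IF block reads $systemd_unit_dir, but the variable set by AC_ARG_WITH and passed to AC_SUBST is systemd_unitdir, so the test is always true and a directory given as --with-systemd=DIR is overwritten by the pkg-config value. Fixing the name is not enough on its own: the action-if-given branch sets with_systemd=yes for any $withval, so --without-systemd (withval=no) enables the install and a bare --with-systemd leaves systemd_unitdir=yes; test $withval for yes and no before treating it as a path. As quoted, there is also no comma between the ] that closes the yes branch and [AC_MSG_RESULT(no)], which makes m4 concatenate the two into a single argument instead of an else branch, and the nested second $PKGCONFIG --exists systemd repeats the check directly above it.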
> @@ -129,6 +155,7 @@
> AC_CONFIG_FILES([ \
> doc/Makefile \
> files/Makefile \
> files/nftables/Makefile \
> + files/systemd/Makefile \
> ])
> AC_OUTPUT
>
> @@ -136,4 +163,5 @@ echo "
> nft configuration:
> cli support: ${with_cli}
> enable debugging: ${with_debug}
> - use mini-gmp: ${with_mini_gmp}"
> + use mini-gmp: ${with_mini_gmp}
> + systemd support: ${with_systemd}"
> diff --git a/files/Makefile.am b/files/Makefile.am
> index a8394c0..4dc0027 100644
> --- a/files/Makefile.am
> +++ b/files/Makefile.am
> @@ -1 +1,2 @@
> -SUBDIRS = nftables
> +SUBDIRS = nftables \
> + systemd
> diff --git a/files/nftables/nftables.conf
> b/files/nftables/nftables.conf new file mode 100644
> index 0000000..e69de29
> diff --git a/files/systemd/Makefile.am b/files/systemd/Makefile.am
> new file mode 100644
> index 0000000..2bf8580
> --- /dev/null
> +++ b/files/systemd/Makefile.am
> @@ -0,0 +1,7 @@
> +if INSTALL_SYSTEMD
> +systemd_unit_DATA = nftables.service
> +
> +install-data-hook:
> + ${SED} -i
> 's|@sbindir[@]|${sbindir}/|g;s|@sysconfdir[@]|${sysconfdir}/|g' \
> + ${DESTDIR}${systemd_unitdir}/nftables.service
> +endif
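Review bot: The install-data-hook rewrites the already-installed unit under ${DESTDIR} with sed -i, which is not portable across sed implementations and means the file in the build tree is never the one that ends up installed. Generating nftables.service from a nftables.service.in template at build time would be more robust, with the template listed in EXTRA_DIST, since plain _DATA files are not included by make dist. The hook also substitutes @sysconfdir[@], yet the unit added by this patch hard-codes /etc/nftables.conf and contains no such placeholder, and the replacement appends a trailing slash, so the result is only correct as long as the unit writes @sbindir@nft with no separator.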
> diff --git a/files/systemd/nftables.service
> b/files/systemd/nftables.service new file mode 100644
> index 0000000..bdb12cf
> --- /dev/null
> +++ b/files/systemd/nftables.service
> @@ -0,0 +1,17 @@
> +[Unit]
> +Description=Netfilter Tables
> +Documentation=man:nft(8)
> +Wants=network-pre.target
> +Before=network-pre.target
> +
> +[Service]
> +Type=oneshot
> +ProtectSystem=full
> +ProtectHome=true
> +ExecStart=@sbindir@nft -f /etc/nftables.conf
> +ExecReload=@sbindir@nft 'flush ruleset; include
> "/etc/nftables.conf";' +ExecStop=@sbindir@nft flush ruleset
> +RemainAfterExit=yes
> +
> +[Install]
> +WantedBy=multi-user.target
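Review bot: ExecStop=@sbindir@nft flush ruleset makes the unit fail open: systemctl stop, and the stop half of every systemctl restart, leaves the host with no filtering rules, and if the following ExecStart then fails on an error in the configuration file it stays that way. Consider dropping ExecStop or documenting the behaviour, and steering configuration changes through ExecReload, where the flush and the include are submitted together. ExecStart and ExecReload hard-code /etc/nftables.conf although the install hook prepares an @sysconfdir@ substitution, so a non-default --sysconfdir is ignored. No Makefile.am change in the diffstat installs the empty files/nftables/nftables.conf created by this patch, so on a fresh install ExecStart may point at a file that does not exist.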