From: Phil Sutter <phil@nwl.cc>
To: Eric Garver <eric@garver.life>, Jan Engelhardt <jengelh@inai.de>,
	netfilter-devel@vger.kernel.org, fw@strlen.de,
	pablo@netfilter.org, Kevin Fenzi <kevin@scrye.com>,
	Matthias Gerstner <matthias.gerstner@suse.com>,
	arturo@debian.org
Subject: Re: [PATCH] tools: add a systemd unit for static rulesets
Date: Thu, 20 Mar 2025 15:05:20 +0100
Message-ID: <Z9wgoHjQhARxPtqm@orbyte.nwl.cc>
In-Reply-To: <Z8muJWOYP3y-giAP@egarver-mac>

Hi,

I'm comparing this with what we have in RHEL/Fedora:

On Thu, Mar 06, 2025 at 09:16:05AM -0500, Eric Garver wrote:
> On Fri, Feb 28, 2025 at 09:59:35PM +0100, Jan Engelhardt wrote:
[...]
> > diff --git a/files/nftables/main.nft b/files/nftables/main.nft
> > new file mode 100644
> > index 00000000..8e62f9bc
> > --- /dev/null
> > +++ b/files/nftables/main.nft
> > @@ -0,0 +1,24 @@
> > +#!/usr/sbin/nft -f
> > +
> > +# template static firewall configuration file
> > +#
> > +# copy this over to /etc/nftables/rules/main.nft as a starting point for
> > +# configuring a rule set which will be loaded by nftables.service.
> > +
> > +flush ruleset

We do flush here as well, but in our case it's a bit redundant. (See
below.)

> > +
> > +table inet filter {
> > +	chain input {
> > +		type filter hook input priority filter;
> > +	}
> > +	chain forward {
> > +		type filter hook forward priority filter;
> > +	}
> > +	chain output {
> > +		type filter hook output priority filter;
> > +	}
> > +}
> > +
> > +# this can be used to split the rule set into multiple smaller files concerned
> > +# with specific topics, like forwarding rules
> > +#include "/etc/nftables/rules/forwarding.nft"
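Review bot: the three base chains in main.nft declare a hook and priority but no policy, so each falls back to nft's default policy of accept, and a user who copies the template as-is gets a ruleset that filters nothing until rules are added. Since the file is the starting point for a static firewall, make the intended policy explicit in the template, e.g. `type filter hook input priority filter; policy accept;` (or `policy drop` on input together with a rule accepting established traffic), so the consequence of leaving a chain empty is visible where the user edits it.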
> > diff --git a/tools/nftables.service.8 b/tools/nftables.service.8
> > new file mode 100644
> > index 00000000..4a83b01c
> > --- /dev/null
> > +++ b/tools/nftables.service.8
> > @@ -0,0 +1,18 @@
> > +.TH nftables.service 8 "" "nftables" "nftables admin reference"
> > +.SH Name
> > +nftables.service \(em Static Firewall Configuration with nftables.service
> > +.SH Description
> > +An nftables systemd service is provided which allows to setup static firewall
> > +rulesets based on a configuration file.
> > +.PP
> > +To use this service, you need to create the main configuration file in
> > +/etc/nftables/rules/main.nft. A template for this can be copied from
> > +/usr/share/doc/nftables/main.nft. The static firewall configuration can be
> > +split up into multiple files which are included from the main.nft
> > +configuration file.
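Review bot: the Description should state that main.nft replaces the running ruleset as a whole: the shipped template begins with `flush ruleset`, so anything loaded by other tooling is discarded on service start, while a main.nft that omits the flush is merged into whatever is already loaded. Also, the section headers are spelled `.SH Name` and `.SH Description`; man pages conventionally use `.SH NAME` and `.SH DESCRIPTION`, which is what whatis/apropos indexing looks for, and "allows to setup" should read "allows setting up".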
> 
> I think it's worth mentioning that a user could alternatively do:
> 
>   # nft list ruleset > /etc/nftables/rules/main.nft
> 
> to save the entire running ruleset. That's what I do. Mostly because I
> want to make sure runtime accepts it before I make it permanent.
> 
> Perhaps this is not mentioned due to the `flush ruleset`. We could
> suggest saving runtime to a file that's included from main.nft, thus
> retaining the flush.

In RHEL/Fedora, the unit script feeds /etc/sysconfig/nftables.conf into
nft. So this is the "top level" config which by default contains:

| # Uncomment the include statement here to load the default config sample
| # in /etc/nftables for nftables service.
| 
| #include "/etc/nftables/main.nft"
| 
| # To customize, either edit the samples in /etc/nftables, append further
| # commands to the end of this file or overwrite it after first service
| # start by calling: 'nft list ruleset >/etc/sysconfig/nftables.conf'.

The last paragraph is crucial: We want to allow users to either:

- Customize the sample config provided by the distribution (more on that later)
- Extend it by extra ruleset snippets (similar to a /etc/vim/vimrc.local)
- Override the whole thing without much hassle

To support the latter, our unit script does:

| ExecReload=/sbin/nft 'flush ruleset; include "/etc/sysconfig/nftables.conf";'

This way nftables.conf may contain just the output of 'nft list
ruleset'; no initial 'flush ruleset' is needed.

The sample configs are not just empty chains as proposed here but
actually contain rules which should not just help users get going but
also showcase nftables features a bit. Also there is mitigation of the
Port Shadow attack (CVE-2021-3773) in the sample nat.nft file:

https://src.fedoraproject.org/rpms/nftables/blob/rawhide/f/main.nft
https://src.fedoraproject.org/rpms/nftables/blob/rawhide/f/router.nft
https://src.fedoraproject.org/rpms/nftables/blob/rawhide/f/nat.nft

IMO we should at least include the builtin 'flush ruleset' in ExecReload
action. What are your opinions about Fedora's sample configs? The
content should be fine for generic purposes, merely
/etc/sysconfig/nftables.conf location should be changed, maybe to
/etc/nftables/nftables.conf.

Cheers, Phil
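The layout Phil describes, written out as a complete unit, is an added illustration and not the actual Fedora/RHEL unit or the unit from the patch. It assumes the /etc/nftables/nftables.conf location Phil proposes, a oneshot service ordered before network-pre.target, and that /sbin/nft accepts the same single-argument script form as the ExecReload line quoted above.

```ini
# Illustrative nftables.service (assumed layout, not the distribution's file).
# Goals from the thread: users may customize the sample config, extend it
# with snippets, or replace it wholesale with the raw output of
# 'nft list ruleset' without adding their own 'flush ruleset'.
[Unit]
Description=Netfilter Tables (static ruleset)
Documentation=man:nft(8)
# Bring the firewall up before any network interface is configured.
Wants=network-pre.target
Before=network-pre.target

[Service]
Type=oneshot
RemainAfterExit=yes
# Start and reload both flush first, then include the top-level config
# (path is an assumption). Because the flush is built into the unit,
# /etc/nftables/nftables.conf may be exactly what 'nft list ruleset'
# printed, and a sample config that also starts with 'flush ruleset'
# is merely redundant rather than harmful.
ExecStart=/sbin/nft 'flush ruleset; include "/etc/nftables/nftables.conf";'
ExecReload=/sbin/nft 'flush ruleset; include "/etc/nftables/nftables.conf";'
# Stopping the service removes the static ruleset entirely.
ExecStop=/sbin/nft flush ruleset

[Install]
WantedBy=multi-user.target
```

The top-level file can then either `include` the distribution samples, append extra snippets after that include, or be overwritten in place with `nft list ruleset >/etc/nftables/nftables.conf` once the running ruleset has been verified.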
