jepio opened 1 year ago
Thanks. The systemd unit topic is interesting. I guess we could try to be close to the workflow we have for iptables config files, and the Gentoo systemd unit looks like it fits well; if Flatcar follows the Gentoo way we could redirect to the Gentoo docs instead of writing our own docs.
Just for reference, a very different way of configuring nftables can be found on Fedora:
```ini
[Unit]
Description=Netfilter Tables
Documentation=man:nft(8)
Wants=network-pre.target
Before=network-pre.target

[Service]
Type=oneshot
ProtectSystem=full
ProtectHome=true
ExecStart=/sbin/nft -f /etc/sysconfig/nftables.conf
ExecReload=/sbin/nft 'flush ruleset; include "/etc/sysconfig/nftables.conf";'
ExecStop=/sbin/nft flush ruleset
RemainAfterExit=yes

[Install]
WantedBy=multi-user.target
```
The /etc/sysconfig/ file includes /etc/nftables/main.nft, and both the service and the inclusion of the main.nft are disabled by default on my machine.
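The Fedora unit quoted above is worth reading closely: rules are pulled in before `network-pre.target`, the reload path hands `flush ruleset` and the `include` to a single `nft` process so the kernel never sits with an empty ruleset, and `Type=oneshot` plus `RemainAfterExit=yes` keeps the unit active after `nft` returns. The linter below is an added example for this thread, not code from Flatcar, Gentoo or Fedora; it embeds that unit as constructed sample input, parses it, and reports the properties a reviewer of such a unit would check. The severity labels, the heuristic for an atomic reload and the `NON_ATOMIC_UNIT` counterexample are this example's own assumptions.

```python
"""Lint a systemd unit that applies an nftables ruleset at boot.

Added example for this thread (not Flatcar, Gentoo or Fedora code). The
sample below is the Fedora unit quoted in the comment above, embedded as
constructed input so the script runs offline.
"""
import shlex
from collections import defaultdict

SAMPLE_UNIT = """\
[Unit]
Description=Netfilter Tables
Documentation=man:nft(8)
Wants=network-pre.target
Before=network-pre.target

[Service]
Type=oneshot
ProtectSystem=full
ProtectHome=true
ExecStart=/sbin/nft -f /etc/sysconfig/nftables.conf
ExecReload=/sbin/nft 'flush ruleset; include "/etc/sysconfig/nftables.conf";'
ExecStop=/sbin/nft flush ruleset
RemainAfterExit=yes

[Install]
WantedBy=multi-user.target
"""

# Constructed counterexample: two nft processes, so there is a window with no rules.
NON_ATOMIC_UNIT = SAMPLE_UNIT.replace(
    "ExecReload=/sbin/nft 'flush ruleset; include \"/etc/sysconfig/nftables.conf\";'",
    "ExecReload=/bin/sh -c 'nft flush ruleset && nft -f /etc/sysconfig/nftables.conf'",
)


def parse_unit(text):
    """Parse unit text into {section: [(key, value), ...]}.
    A small parser is used instead of configparser because systemd allows
    repeated keys (several ExecStart= lines, for example)."""
    sections = defaultdict(list)
    current = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line[0] in "#;":
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            continue
        if current is None or "=" not in line:
            raise ValueError(f"malformed unit line: {raw!r}")
        key, _, value = line.partition("=")
        sections[current].append((key.strip(), value.strip()))
    return sections


def values(sections, section, key):
    return [v for k, v in sections.get(section, []) if k == key]


def exec_argv(value):
    """Split an Exec*= value into argv, dropping systemd's prefix characters."""
    return shlex.split(value.lstrip("-@+!:"))


def reload_is_atomic(exec_reload):
    """Heuristic (this example's assumption): True when one nft process gets an
    inline script containing both 'flush ruleset' and the include, which nft
    commits as a single transaction; None when a -f file is used (its content
    decides and cannot be read here); False for anything else, e.g. a shell
    wrapper that flushes in one nft call and loads in another."""
    try:
        argv = exec_argv(exec_reload)
    except ValueError:
        return False
    if not argv or argv[0].rsplit("/", 1)[-1] != "nft":
        return False
    if "-f" in argv:
        return None
    script = " ".join(argv[1:])
    return "flush ruleset" in script and "include" in script


def lint_unit(text):
    """Return (severity, message) findings for a ruleset-loading unit."""
    s, findings = parse_unit(text), []
    err = lambda m: findings.append(("error", m))
    warn = lambda m: findings.append(("warn", m))
    # Ordering: rules must be in the kernel before interfaces are configured.
    if "network-pre.target" not in values(s, "Unit", "Before"):
        err("missing Before=network-pre.target: interfaces may come up unfiltered")
    if "network-pre.target" not in values(s, "Unit", "Wants"):
        warn("missing Wants=network-pre.target: the passive target must be pulled in")
    # oneshot + RemainAfterExit keeps the unit active after nft exits.
    if values(s, "Service", "Type") != ["oneshot"]:
        err("Type should be oneshot for a one-off ruleset load")
    if [v.lower() for v in values(s, "Service", "RemainAfterExit")] not in (["yes"], ["true"]):
        err("RemainAfterExit=yes missing: unit goes inactive right after loading")
    if not values(s, "Service", "ExecStart"):
        err("no ExecStart")
    for v in values(s, "Service", "ExecReload"):
        atomic = reload_is_atomic(v)
        if atomic is False:
            err(f"ExecReload is not a single nft transaction: {v}")
        elif atomic is None:
            warn("ExecReload loads a file; it must begin with 'flush ruleset' to be atomic")
    for directive in ("ProtectSystem", "ProtectHome"):
        if not values(s, "Service", directive):
            warn(f"{directive}= not set")
    if any("flush ruleset" in v for v in values(s, "Service", "ExecStop")):
        warn("ExecStop flushes the whole ruleset: stopping the service removes all filtering")
    return findings


def errors(text):
    return [m for sev, m in lint_unit(text) if sev == "error"]


if __name__ == "__main__":
    for sev, msg in lint_unit(SAMPLE_UNIT):
        print(f"{sev}: {msg}")
```

Run against the quoted unit it reports no errors and one warning: `ExecStop=nft flush ruleset` means `systemctl stop` leaves the host with no filtering at all, which is worth knowing before wiring such a unit into a Flatcar image. The same script flags the `NON_ATOMIC_UNIT` variant, where a shell wrapper flushes in one `nft` call and loads in a second.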
Current situation
We currently ship nftables-0.9.9 and no systemd unit to automatically apply rules at boot. Gentoo has nftables-1.0.5.
Impact
Harder than necessary to enable nftables during boot.
Ideal future situation
An nftables systemd unit is part of the Flatcar image.
Implementation options
Update nftables ebuild in coreos-overlay (while checking which downstream changes are still necessary).
Additional information