commit:     96b47bf70929b78f8dc593c047b119fa88483403
Author:     Matt Turner <mattst88 <AT> gentoo <DOT> org>
AuthorDate: Wed Mar 12 03:15:52 2025 +0000
Commit:     Matt Turner <mattst88 <AT> gentoo <DOT> org>
CommitDate: Mon Mar 31 16:08:21 2025 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=96b47bf7

net-firewall/nftables: Split systemd service into separate load/store

Closes: https://bugs.gentoo.org/951168
Signed-off-by: Matt Turner <mattst88 <AT> gentoo.org>

 .../nftables/files/systemd/nftables-load.service   | 14 +++++++++++++
 .../nftables/files/systemd/nftables-store.service  | 11 +++++++++++
 ...tables-9999.ebuild => nftables-1.1.1-r1.ebuild} | 23 +++++++++++++---------
 net-firewall/nftables/nftables-9999.ebuild         | 23 +++++++++++++---------
 4 files changed, 53 insertions(+), 18 deletions(-)

diff --git a/net-firewall/nftables/files/systemd/nftables-load.service 
b/net-firewall/nftables/files/systemd/nftables-load.service
new file mode 100644
index 000000000000..149ccac2f5f0
--- /dev/null
+++ b/net-firewall/nftables/files/systemd/nftables-load.service
@@ -0,0 +1,14 @@
+[Unit]
+Description=Load nftables firewall rules
+# if both are queued for some reason, don't store before restoring :)
+Before=nftables-store.service
+# sounds reasonable to have firewall up before any of the services go up
+Before=network-pre.target
+Wants=network-pre.target
+
+[Service]
+Type=oneshot
+ExecStart=/usr/libexec/nftables/nftables.sh load /var/lib/nftables/rules-save
+
+[Install]
+WantedBy=basic.target
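Review bot: The load unit is `Type=oneshot` without `RemainAfterExit=yes`, so once the ruleset is loaded the unit reports inactive and `systemctl is-active`/`restart nftables-load` no longer reflect whether rules are in place; adding `RemainAfterExit=yes` under `[Service]` makes the unit's state track "rules loaded". The comment on `Before=network-pre.target` ("sounds reasonable") does not say why the ordering matters; I would write `# order before network-pre.target so no interface comes up without the ruleset in place`. The unit also assumes `/usr/libexec/nftables/nftables.sh` already accepts a `load` subcommand, which this commit does not touch, so that is worth confirming against the installed script.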

diff --git a/net-firewall/nftables/files/systemd/nftables-store.service 
b/net-firewall/nftables/files/systemd/nftables-store.service
new file mode 100644
index 000000000000..373f8b947d7d
--- /dev/null
+++ b/net-firewall/nftables/files/systemd/nftables-store.service
@@ -0,0 +1,11 @@
+[Unit]
+Description=Store nftables firewall rules
+Before=shutdown.target
+DefaultDependencies=No
+
+[Service]
+Type=oneshot
+ExecStart=/usr/libexec/nftables/nftables.sh store /var/lib/nftables/rules-save
+
+[Install]
+WantedBy=shutdown.target
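Review bot: The store unit rewrites `/var/lib/nftables/rules-save`, which `pkg_postinst` deliberately creates under `umask 177`, but nothing in `[Service]` constrains the mode of a file the script may recreate; adding `UMask=077` under `[Service]` keeps the saved ruleset owner-only however `nftables.sh store` writes it (a no-op if the script truncates the existing file in place, but cheap insurance). `DefaultDependencies=No` also deserves a one-line comment, e.g. `# no default deps: this unit is pulled in only by shutdown.target and must complete before it`, since a reader otherwise has to infer why ordering is specified by hand. If /var can be a separate mount, `RequiresMountsFor=/var/lib/nftables` would make that dependency explicit rather than implied by the shutdown ordering.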

diff --git a/net-firewall/nftables/nftables-9999.ebuild 
b/net-firewall/nftables/nftables-1.1.1-r1.ebuild
similarity index 89%
copy from net-firewall/nftables/nftables-9999.ebuild
copy to net-firewall/nftables/nftables-1.1.1-r1.ebuild
index ecfd85b0e138..14a775b021a2 100644
--- a/net-firewall/nftables/nftables-9999.ebuild
+++ b/net-firewall/nftables/nftables-1.1.1-r1.ebuild
@@ -1,4 +1,4 @@
-# Copyright 1999-2024 Gentoo Authors
+# Copyright 1999-2025 Gentoo Authors
 # Distributed under the terms of the GNU General Public License v2
 
 EAPI=8
@@ -7,7 +7,7 @@ DISTUTILS_OPTIONAL=1
 DISTUTILS_USE_PEP517=setuptools
 PYTHON_COMPAT=( python3_{10..13} )
 VERIFY_SIG_OPENPGP_KEY_PATH=/usr/share/openpgp-keys/netfilter.org.asc
-inherit edo linux-info distutils-r1 systemd verify-sig
+inherit eapi9-ver edo linux-info distutils-r1 systemd verify-sig
 
 DESCRIPTION="Linux kernel firewall, NAT and packet mangling tools"
 HOMEPAGE="https://netfilter.org/projects/nftables/";
@@ -147,7 +147,8 @@ src_install() {
        newinitd "${FILESDIR}"/${PN}-mk.init-r1 ${PN}
        keepdir /var/lib/nftables
 
-       systemd_dounit "${FILESDIR}"/systemd/${PN}-restore.service
+       systemd_dounit "${FILESDIR}"/systemd/${PN}-load.service
+       systemd_dounit "${FILESDIR}"/systemd/${PN}-store.service
 
        if use python ; then
                pushd py >/dev/null || die
@@ -193,7 +194,7 @@ pkg_postinst() {
        local save_file
        save_file="${EROOT}"/var/lib/nftables/rules-save
 
-       # In order for the nftables-restore systemd service to start
+       # In order for the nftables-load systemd service to start
        # the save_file must exist.
        if [[ ! -f "${save_file}" ]]; then
                ( umask 177; touch "${save_file}" )
@@ -206,13 +207,17 @@ pkg_postinst() {
        fi
 
        if has_version 'sys-apps/systemd'; then
+               if ver_replacing -lt "1.1.1-r1"; then
+                       elog "Starting with ${PN}-1.1.1-r1, the 
${PN}-restore.service has"
+                       elog "been split into ${PN}-load.service and 
${PN}-store.service."
+                       elog
+               fi
                elog "If you wish to enable the firewall rules on boot (on 
systemd) you"
-               elog "will need to enable the nftables-restore service."
-               elog "    'systemctl enable ${PN}-restore.service'"
+               elog "will need to enable the nftables-load service."
+               elog "    'systemctl enable ${PN}-load.service'"
                elog
-               elog "If you are creating firewall rules before the next system 
restart"
-               elog "the nftables-restore service must be manually started in 
order to"
-               elog "save those rules on shutdown."
+               elog "Enable nftables-store.service if you want firewall rules 
to be"
+               elog "saved at shutdown."
        fi
 
        if has_version 'sys-apps/openrc'; then
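Review bot: The upgrade notice added under `ver_replacing -lt "1.1.1-r1"` says the service was split but not what that means for an existing install: this commit stops installing `${PN}-restore.service` (see the `src_install` hunk), so a previously enabled restore unit presumably no longer runs and, until `${PN}-load.service` is enabled, no ruleset is loaded after the next reboot. I would add inside that block `elog "An enabled ${PN}-restore.service no longer takes effect; enable ${PN}-load.service (and ${PN}-store.service) now, or no rules will be loaded after the next reboot."` so the fail-open consequence is stated rather than left for the user to work out. pkg_postinst begins and ends outside this hunk. The identical hunk in nftables-9999.ebuild has the same gap.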

diff --git a/net-firewall/nftables/nftables-9999.ebuild 
b/net-firewall/nftables/nftables-9999.ebuild
index ecfd85b0e138..14a775b021a2 100644
--- a/net-firewall/nftables/nftables-9999.ebuild
+++ b/net-firewall/nftables/nftables-9999.ebuild
@@ -1,4 +1,4 @@
-# Copyright 1999-2024 Gentoo Authors
+# Copyright 1999-2025 Gentoo Authors
 # Distributed under the terms of the GNU General Public License v2
 
 EAPI=8
@@ -7,7 +7,7 @@ DISTUTILS_OPTIONAL=1
 DISTUTILS_USE_PEP517=setuptools
 PYTHON_COMPAT=( python3_{10..13} )
 VERIFY_SIG_OPENPGP_KEY_PATH=/usr/share/openpgp-keys/netfilter.org.asc
-inherit edo linux-info distutils-r1 systemd verify-sig
+inherit eapi9-ver edo linux-info distutils-r1 systemd verify-sig
 
 DESCRIPTION="Linux kernel firewall, NAT and packet mangling tools"
 HOMEPAGE="https://netfilter.org/projects/nftables/";
@@ -147,7 +147,8 @@ src_install() {
        newinitd "${FILESDIR}"/${PN}-mk.init-r1 ${PN}
        keepdir /var/lib/nftables
 
-       systemd_dounit "${FILESDIR}"/systemd/${PN}-restore.service
+       systemd_dounit "${FILESDIR}"/systemd/${PN}-load.service
+       systemd_dounit "${FILESDIR}"/systemd/${PN}-store.service
 
        if use python ; then
                pushd py >/dev/null || die
@@ -193,7 +194,7 @@ pkg_postinst() {
        local save_file
        save_file="${EROOT}"/var/lib/nftables/rules-save
 
-       # In order for the nftables-restore systemd service to start
+       # In order for the nftables-load systemd service to start
        # the save_file must exist.
        if [[ ! -f "${save_file}" ]]; then
                ( umask 177; touch "${save_file}" )
@@ -206,13 +207,17 @@ pkg_postinst() {
        fi
 
        if has_version 'sys-apps/systemd'; then
+               if ver_replacing -lt "1.1.1-r1"; then
+                       elog "Starting with ${PN}-1.1.1-r1, the 
${PN}-restore.service has"
+                       elog "been split into ${PN}-load.service and 
${PN}-store.service."
+                       elog
+               fi
                elog "If you wish to enable the firewall rules on boot (on 
systemd) you"
-               elog "will need to enable the nftables-restore service."
-               elog "    'systemctl enable ${PN}-restore.service'"
+               elog "will need to enable the nftables-load service."
+               elog "    'systemctl enable ${PN}-load.service'"
                elog
-               elog "If you are creating firewall rules before the next system 
restart"
-               elog "the nftables-restore service must be manually started in 
order to"
-               elog "save those rules on shutdown."
+               elog "Enable nftables-store.service if you want firewall rules 
to be"
+               elog "saved at shutdown."
        fi
 
        if has_version 'sys-apps/openrc'; then
