I thought other users attempting to build a firewall with nftables might find this information useful. While the nftables package doesn't install an init script on Devuan, there is a sample init script located under the installed documentation at /usr/share/doc/nftables/examples/sysvinit. However, it may go away soon, according to the README:
Given Debian default init system is systemd, I have no intention to support sysvinit apart of providing this example file... I will probably drop all sysvinit-related stuff like this in the future.
The script needs to be edited to add the appropriate runlevels, but otherwise, it seems to work fine as-is. I copied it to /etc/init.d/, and installed it with update-rc.d. After rebooting, my nftables.conf was loaded automatically.
I ran into the same problem when I first switched to Devuan, I solved it by inserting a call to nft in one of the scripts in /etc/init.d. I didn't know there was a sample script already available 😅 But it wasn't too hard to figure out the exact command needed; it's listed in the systemd unit file, just gotta copy it somewhere sysvinit will run.
@stultumanto, @quickfur:
In that case, why not copy the script-text here + location. (TIA)
How does that script compare to the nftables init script which is already in the orphan-sysvinit-scripts package?
...
edit:
Looking at the nftables.init script the answer seems to be: the official-but-going-away script has better logging with a verbose option, and correctly sets name/desc variables, but not sure if there's any material difference...?
Last edited by boughtonp (2024-01-12 14:10:40)
This is the /etc/init.d/nftables I have from several years back when I set up my new mailserver.
It's always worked to date.
Author was: Arturo Borrero Gonzalez <arturo@debian.org>
I think it differs from the current official version in default start and stop.
The 'official' version now has:
# Default-Start:
# Default-Stop: 0 1 2 3 4 5 6
mine is here:
#!/bin/sh
### BEGIN INIT INFO
# Provides:          nftables
# Required-Start:    $local_fs $network $remote_fs $syslog
# Required-Stop:     $local_fs $remote_fs $syslog
# Default-Start:     S
# Default-Stop:      0 6
# Short-Description: nftables firewall service
# Description:       nftables firewall system service
### END INIT INFO

# Author: Arturo Borrero Gonzalez <arturo@debian.org>

# Do NOT "set -e"

CONF=/etc/nftables.conf

# PATH should only include /usr/* if it runs after the mountnfs.sh script
PATH=/sbin:/usr/sbin:/bin:/usr/bin
DESC="firewall service"
NAME=nftables
BIN=/usr/sbin/nft
SCRIPTNAME=/etc/init.d/$NAME

# Exit if the package is not installed
[ -x "$BIN" ] || exit 0

# Load the VERBOSE setting and other rcS variables
. /lib/init/vars.sh

# Define LSB log_* functions.
# Depend on lsb-base (>= 3.2-14) to ensure that this file is present
# and status_of_proc is working.
. /lib/lsb/init-functions

VERBOSE=yes

do_start()
{
    # Return
    #   0 if start OK
    #   2 if start NOK
    # nft v0.4 return 0 if ENOENT $CONF
    if [ ! -r "$CONF" ] ; then
        echo "E: No such $NAME $DESC config file $CONF" >&2
        return 2
    fi
    $BIN -f $CONF || return 2
}

do_stop()
{
    # Return
    #   0 if stopped
    #   1 if already stopped
    #   2 if could not be stopped
    if ! do_status ; then
        $BIN flush ruleset || return 2
    fi
}

do_status()
{
    # Return
    #   0 if no rules
    #   1 if rules
    if [ "$($BIN list ruleset 2>/dev/null | wc -l)" = "0" ] ; then
        return 0
    fi
    return 1
}

case "$1" in
    start)
        [ "$VERBOSE" != no ] && log_daemon_msg "Starting $DESC" "$NAME"
        do_start
        ret="$?"
        case "$ret" in
            0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;;
            2)   [ "$VERBOSE" != no ] && log_end_msg 1 ;;
        esac
        exit $ret
        ;;
    restart|force-reload)
        [ "$VERBOSE" != no ] && log_daemon_msg "Restarting $DESC" "$NAME"
        do_start
        ret="$?"
        case "$ret" in
            0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;;
            2)   [ "$VERBOSE" != no ] && log_end_msg 1 ;;
        esac
        exit $ret
        ;;
    stop)
        [ "$VERBOSE" != no ] && log_daemon_msg "Stopping $DESC" "$NAME"
        do_stop
        ret="$?"
        case "$ret" in
            0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;;
            2)   [ "$VERBOSE" != no ] && log_end_msg 1 ;;
        esac
        exit $ret
        ;;
    status)
        if ! do_status ; then
            [ "$VERBOSE" != no ] && log_daemon_msg "Status of ${DESC}: rules loaded" "$NAME"
            [ "$VERBOSE" != no ] && log_end_msg 0
            exit 0
        else
            [ "$VERBOSE" != no ] && log_daemon_msg "Status of ${DESC}: no rules loaded" "$NAME"
            [ "$VERBOSE" != no ] && log_end_msg 1
            exit 1
        fi
        ;;
    *)
        echo "Usage: $SCRIPTNAME {start|stop|status|restart|force-reload}" >&2
        exit 3
        ;;
esac
Last edited by Marjorie (2024-01-12 15:32:42)
Here's the snippet. It's really just that one line that runs nft; the if statement is just a safety catch to detect the absence of systemd. I put this in /etc/init.d/networking but in theory it could go in its own script.
if [ ! -d /run/systemd/system ] ; then
    /usr/sbin/nft -f /etc/nftables.conf
fi
I wasn't aware of any environment variables that need to be set; I guess my use case was relatively simple so I didn't need them. But YMMV.
I think it differs from the current official version in default start and stop.
Right, and that was the only part I had to edit. If you used the current script as-is, it never actually loads your ruleset. I'm not sure why he set it up that way, maybe to force you to actually read it before using it?
Another thing that might trip some people up is the fact that 'service nftables status' doesn't actually print anything, the way a lot of service scripts do. It just sets the exit value, so you will need to check that somehow. For example, this will give you a typical status message:
printf "nftables is "; if service nftables status; then printf "running.\n"; else printf "stopped.\n"; fi
Of course, you can always modify the init script to print a status message automatically.
I thought I'd already posted on this at least once in the distant past in another thread.
And yes I had, covering the main issue of finding a script that worked.
https://dev1galaxy.org/viewtopic.php?pid=34465#p34465 posted 7th Feb 2022 17:05:55
As HOAS says UFW still accesses the nftables back-end (which uses the nftables kernel module) through an iptables translation layer.
If you want to run nftables commands natively you need to do as HOAS suggest.
If you have Chimaera (or above) then use the nftables init script provided by orphan-sysvinit-scripts.
If you have Beowulf or earlier then there is no orphan-sysvinit-scripts. Having installed nftables and put the commands you want run in the config file you need to copy the example file /usr/share/doc/nftables/examples/sysvinit/nftables.init to /etc/init.d/nftables, change the Default-Start and Default-Stop lines (lines 6 and 7) and then make the init file executable by root.
Change the lines:
# Default-Start:
# Default-Stop: 0 1 2 3 4 5 6
to:
# Default-Start: S
# Default-Stop: 0 6
Then run
update-rc.d nftables defaults
as described by HOAS.
This will then read the config file and start nftables at boot.
Sorry Marjorie, I'm not sure why I didn't see your post when I searched for help on this issue. I'm glad you went ahead and posted the whole script in this thread, since the maintainer has said he might remove it from future versions.
Edit to add: I see you also said this nftables init script is included in recent versions of orphan-sysvinit-scripts. I'm not familiar with that package, but I just read the description, and it sounds as if it should install the script for you automatically when you install the nftables package.
Last edited by stultumanto (2024-01-13 01:26:39)
To be honest I too find searching the forum archive for something can be hard. What would be nice, for me, is the ability to surface just the relevant posts when you search by keyword and author rather than the whole threads that include those posts. It's always worth asking on the forum for solutions at the start; it's quite possible someone may remember how a problem has been solved before you are forced to do it all yourself.
Are you sure the init script with this LSB header causes the script to run at boot, rather than merely giving the impression that it does?
### BEGIN INIT INFO
# Provides: nftables
# Required-Start: $local_fs $network $remote_fs $syslog
# Required-Stop: $local_fs $remote_fs $syslog
# Default-Start: S
# Default-Stop: 0 6
# Short-Description: nftables firewall service
# Description: nftables firewall system service
### END INIT INFO
For reasons unknown, none of my Debians run the script at boot with
# Default-Start: S
I assume the issue may also exist on Devuan. This seems to be a general problem with all init scripts under Debian whose "Default-Start" tag is set to "S". For example, I created the test file
/etc/init.d/test.sh
with the following content:
#!/bin/bash
### BEGIN INIT INFO
# Provides: test
# Required-Start:
# Required-Stop:
# Should-Start:
# Default-Start: S
# Default-Stop: 0 1 6
# Short-Description: Test
# Description: Test
### END INIT INFO
echo $(date) "$@" >>/root/test.txt
and I enabled it with:
update-rc.d test.sh defaults
which results in these, and only these, rc symlinks being created:
rc0.d/K01test.sh
rc1.d/K01test.sh
rc6.d/K01test.sh
rcS.d/S01test.sh
After rebooting the system from an empty '/root/test.txt' file, the contents of this file become:
Tue Apr 9 01:26:50 CEST 2024 stop
in which only one line is logged, corresponding to the time when I issued the reboot command, with no follow-up lines after the reboot.
Last edited by davide (2024-04-09 09:47:21)
Maybe try also with
# Required-Start: $local_fs
as otherwise the root filesystem might still be mounted read-only when the output is attempted.
Adding
# Required-Start: $local_fs
to the test script makes it work as intended, my bad:
# cat /root/test.txt
Tue Apr 9 15:34:39 CEST 2024 stop
Tue Apr 9 15:34:56 CEST 2024 start
But still I don't understand why nftables does not load the ruleset on boot with:
# Default-Start: S
but it does with:
# Default-Start: 2 3 4 5
Last edited by davide (2024-04-09 13:44:26)
Possibly because it depends on $syslog which isn't started in the rcS collection.
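An added example (not code from the thread or from the nftables package) that reads an init script's LSB header and flags the two problems raised in the last posts: Default-Start S without $local_fs in Required-Start, and Default-Start S combined with $syslog, which is not started in the rcS collection. The function names lsb_field, lsb_check and write_sample are chosen here, and the headers it writes to a temporary directory are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the thread: read the LSB "INIT INFO" header of an
# init script and flag the two dependency problems raised above:
#  - Default-Start: S without $local_fs (root fs may still be read-only)
#  - Default-Start: S together with $syslog (syslog is not started in rcS)

# lsb_field FILE FIELD: print the value of "# FIELD: value" from the header.
lsb_field() {
    sed -n '/^### BEGIN INIT INFO/,/^### END INIT INFO/p' "$1" |
        sed -n "s/^# $2:[[:space:]]*//p" | head -n 1
}

# lsb_check FILE: print one WARN line per problem; return 1 if any were found.
lsb_check() {
    start=$(lsb_field "$1" Default-Start)
    req=$(lsb_field "$1" Required-Start)
    rc=0
    case " $start " in
    *' S '*)
        case " $req " in
        *'$local_fs'*) ;;
        *) echo "WARN: Default-Start S but no \$local_fs in Required-Start"; rc=1 ;;
        esac
        case " $req " in
        *'$syslog'*) echo "WARN: Default-Start S but \$syslog is not available in rcS"; rc=1 ;;
        esac ;;
    esac
    return $rc
}

# write_sample FILE START REQUIRED: constructed header used for the demo.
write_sample() {
    printf '%s\n' '#!/bin/sh' '### BEGIN INIT INFO' '# Provides: nftables' \
        "# Required-Start: $3" '# Required-Stop: $local_fs $remote_fs $syslog' \
        "# Default-Start: $2" '# Default-Stop: 0 6' '### END INIT INFO' > "$1"
}

# Demo: the header as posted in the thread versus the variant that works.
tmp=$(mktemp -d)
write_sample "$tmp/nftables-S"    'S'       '$local_fs $network $remote_fs $syslog'
write_sample "$tmp/nftables-2345" '2 3 4 5' '$local_fs $network $remote_fs $syslog'
for f in "$tmp/nftables-S" "$tmp/nftables-2345"; do
    echo "== $f"; lsb_check "$f" && echo "OK: no header problems found"
done
rm -rf "$tmp"
```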