[pkg-netfilter-team] Bug#935857: nftables: improvement for nft settings

Arturo Borrero Gonzalez arturo at debian.org
Wed Aug 28 10:56:06 BST 2019


Control: tags -1 wontfix

On Mon, 26 Aug 2019 20:30:51 -0400 westlake <westlake2012 at videotron.ca> wrote:
> Package: nftables
> Version: 0.9.1-2~bpo10+1
> Severity: important
> 
> there's a question on where firewall rules are supposed to be stored 
> when it comes to nft on debian,
> 
> A user looking at nft's systemd service will notice that rules are 
> stored in /etc/nftables.conf
> 
> Nftables.conf needs to have the header "#!/usr/sbin/nft -f"
> 
> but why not make it simpler for users and instead put the nft command 
> outside of this file?  .conf files are not supposed to store executables 
> at the header, that's non-intuitive and imho not a good idea.
> 
> other distributions simply keep rules only in this file without any 
> confusing header executable..
> 
> this also makes it non-standard, .conf files are not highly regarded to be 
> treated as scripting executables...

The file extension can be arbitrary, i.e., it will work with either .nft or .conf
or .cnf or whatever. The file extension is used here only to help understand which
kind of file this is.

The shebang at the top of the file is to allow you to use those files as
executable scripts, i.e., to run them like "./nftables-ruleset.nft" or "bash
nftables-ruleset.nft".

Debian provides by default a /etc/nftables.conf file in which you can put
your firewall rules, which is in turn read by the systemd service.

I don't see anything actionable here, closing bug now.

Thanks for the report though!
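An added example (not from the bug report, the reply, or the Debian package) showing why the header works both ways: a constructed /etc/nftables.conf-style ruleset whose first line is a comment to nft -f and an interpreter line to the kernel. It assumes nft is installed at /usr/sbin/nft and uses a temporary file so nothing touches the live ruleset.

```shell
#!/bin/sh
# Added example, not from the bug report: assumes nft lives at /usr/sbin/nft.
set -eu
RULESET="${TMPDIR:-/tmp}/nftables-example.conf"
# Write a constructed ruleset. Line 1 is the shebang: nft reads it as a
# '#' comment, the kernel reads it as the interpreter when the file is
# executed directly, so the same file serves both uses the thread describes.
write_ruleset() {
    cat > "$1" <<'EOF'
#!/usr/sbin/nft -f
# Baseline: default-deny input, allow loopback, established flows and SSH.
flush ruleset
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        iif "lo" accept
        ct state established,related accept
        ct state invalid drop
        tcp dport 22 accept
    }
    chain forward {
        type filter hook forward priority 0; policy drop;
    }
}
EOF
    chmod 0700 "$1"   # root-only and executable, so ./file works
}
# Returns 0 if the file carries the interpreter header the thread is about.
has_nft_shebang() {
    [ "$(head -n 1 "$1")" = "#!/usr/sbin/nft -f" ]
}
# Count table declarations, skipping the '#' lines nft itself ignores.
count_tables() {
    grep -v '^#' "$1" | grep -c '^table '
}
# Dry-run the file (nft -c changes nothing) when nft is present, then
# show the two equivalent invocations: the unit's "nft -f" and the script.
check_and_show() {
    if command -v nft >/dev/null 2>&1; then
        if nft -c -f "$1"; then echo "syntax OK: $1"
        else echo "nft -c failed (may need CAP_NET_ADMIN)"; fi
    fi
    echo "service style: nft -f $1"
    echo "script style:  $1"
}
write_ruleset "$RULESET"
has_nft_shebang "$RULESET" && check_and_show "$RULESET"
```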
