On Fri, Dec 01, 2023 at 09:04:59PM +0900, Olaf Meeuwissen wrote:
> Hi,
>
> Joel Roth via Dng <dng@???> writes:
>
> > Hi,
> >
> > I made a script to load rules for an nft firewall.
> >
> > It's executable, runs from the command line
> > with start/stop/status options.
> >
> > But it doesn't start during system boot.
>
> I did the same and it has been working fine for me since 2022-08-07
> according to my logs. That includes starting during system boot.
>
> I've attached my script for reference. The salient part in it is in the
> INIT INFO section where I have
>
> ### BEGIN INIT INFO
> # Provides: nftables
> # X-Start-Before: $network
> # Required-Start: $local_fs $syslog
> # Required-Stop: $local_fs $syslog
> # Default-Start: S
> # Default-Stop: 0 6
> # Short-Description: nftables firewall service
> # Description: nftables firewall system service
> ### END INIT INFO
Thanks for this.
> > I created symlinks with update-rc.d
> > and links appear in the rc*.d directories
> > where * is 2,3,4,5.
>
> I don't remember what I used to create the symlinks, I think I used
> insserv, but I have
>
> /etc/rc0.d/K01nftables
> /etc/rc6.d/K01nftables
> /etc/rcS.d/S12nftables
>
> The numbers in the [KS]*nftables filenames may differ depending on what
> other links you already have.
The K links are for stopping (killing) services. The
official way to disable a service is to rename all the
S links for that service to K.
> The script expects the configuration in
>
> CONF=/etc/nftables.conf
>
> I've based mine off
>
> /usr/share/doc/nftables/examples/workstation.nft
That's where mine is from. The init script changes the
adapter name to the first wifi device found. That way I can
share the same service script and firewall script between my
desktop and laptop.
> > Also, I couldn't find evidence in any log files.
> > There was no /var/log/firewall, nothing in /var/boot.
>
> nftables does not start a daemon, it sets up the rules for use by the
> kernel's NetFilter Tables. Unless you add rules that log anything,
> nothing will get logged. Any logging rules you add will log in
> /var/log/kern.log, IIRC.
> For reference, the etckeeper commit message when I added this has
>
> network: Integrate nftables firewall service in init process
>
> The init script and configuration files have been adapted from the
> examples included in the nftables package. LSB headers have been
> changed so the script runs before networking is started. Logging
> has been updated so this can be verified in the logs.
>
> so if you decide to use it, you'll be able to find the init script's log
> messages in your logs provided you have
>
> VERBOSE=yes
>
> in /etc/default/rcS.
That's good to know. I did reason that log_action_msg() in
the init script might log its message somewhere.
> BTW, I'm using runit-init but believe that sysvinit will behave the
> same.
>
> > TIA for any suggestions.
>
> Hope this helps,
Yes, very much to the point.
> --
> Olaf Meeuwissen
--
Joel Roth
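A minimal sysvinit script built around the LSB header and the VERBOSE behaviour discussed in this thread, as an added example; it is not the script Olaf attached (which is not reproduced here). It assumes the stock nft binary and /etc/nftables.conf; NFT and CONF are overridable from the environment only so the functions can be exercised without root.

```shell
#!/bin/sh
### BEGIN INIT INFO
# Provides:          nftables
# X-Start-Before:    $network
# Required-Start:    $local_fs $syslog
# Required-Stop:     $local_fs $syslog
# Default-Start:     S
# Default-Stop:      0 6
# Short-Description: nftables firewall service
# Description:       nftables firewall system service
### END INIT INFO
# Added example, not the script attached in the thread. NFT and CONF can be
# overridden from the environment so the functions are testable without root.
CONF="${CONF:-/etc/nftables.conf}"
NFT="${NFT:-nft}"

# Debian's LSB helpers provide log_action_msg; fall back to echo when absent.
if [ -r /lib/lsb/init-functions ]; then
    . /lib/lsb/init-functions
else
    log_action_msg() { echo "$*"; }
fi

# Honour VERBOSE from /etc/default/rcS: stay silent only when it is "no".
log() { [ "${VERBOSE:-yes}" = no ] || log_action_msg "$1"; }

do_start() {
    if [ ! -r "$CONF" ]; then
        log "nftables: $CONF missing or unreadable, ruleset left untouched"
        return 1
    fi
    # Parse-check first (-c) so a typo never replaces the running ruleset;
    # nft -f then applies the whole file as one transaction.
    "$NFT" -c -f "$CONF" || { log "nftables: syntax error in $CONF"; return 1; }
    "$NFT" -f "$CONF" && log "nftables: loaded ruleset from $CONF"
}

do_stop() { "$NFT" flush ruleset && log "nftables: ruleset flushed"; }

do_status() { "$NFT" list ruleset; }

case "${1:-}" in
    start)   do_start ;;
    stop)    do_stop ;;
    restart) do_stop; do_start ;;
    status)  do_status ;;
    "")      ;;  # sourced or run without an action: only define the functions
    *)       echo "Usage: $0 {start|stop|restart|status}" >&2; exit 2 ;;
esac
```

Installed as /etc/init.d/nftables, `update-rc.d nftables defaults` derives the rcS.d, rc0.d and rc6.d links from the Default-Start and Default-Stop lines, so a script whose header still says `2 3 4 5` ends up in rc2.d to rc5.d instead.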