Questions about nftables package and usage
I'm slowly working up to replacing my current iptables based router/firewall with nftables. I've never used nftables before now. The Alpine package confuses me a little and I'm not sure if it's me or possibly issues with the package, or both.
First is the save function in /etc/init.d/nftables. In this comment #14058 (comment 251822) @jirutka gave some examples of how to drop config snippets in /etc/nftables.d/ which are included on service restart by the default rules file at /etc/nftables.nft. That works fine until you do rc-service nftables save which overwrites the rules file with the entire running ruleset, destroying any pretty formatting in the config file and breaking the snippet include functionality for future changes.
I think the obvious solution here is, "don't do that". If I want to use the default system rules file (with manual edits) and have snippets in /etc/nftables.d/ which get included on every service reload, I should never use rc-service nftables save. Changes should be done by manually editing the main rules file or a snippet file and then restarting the service.
If I don't care about the snippets and just want to use a single rules file, then using rc-service nftables save is probably ok. Changes I guess would be done by nft commands and rc-service nftables save or editing the monolithic rules file and restarting the service.
While looking the files over I also noticed that the $save_options variable referenced in the openrc files doesn't seem to be used anywhere?:
https://gitlab.alpinelinux.org/alpine/aports/-/blob/master/main/nftables/nftables.initd#L18
https://gitlab.alpinelinux.org/alpine/aports/-/blob/master/main/nftables/nftables.confd#L8
The /etc/conf.d/nftables file does at least mention that the rules file might be overwritten:
# Save state on stopping nftables (this will overwrite $rules_file).
#save_on_stop="no"
But it doesn't mention that includes from /etc/nftables.d/ won't work for future changes to files in that directory if you enable save_on_stop.
It seems like the package wants to nudge users in the direction of a main rules file and additional rule snippets in /etc/nftables.d/. If that's the intent, then maybe it makes sense to remove the save functionality completely so users know that they always have to edit files to get persistent rules? Users that don't want to follow that workflow can just do their own thing.
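A check for the clobbering described above, added here as an example and not code from the issue or from the Alpine nftables package: it tests whether a rules file still carries the include directive for /etc/nftables.d/, which is exactly what a "save" of the flattened running ruleset drops. The directive form `include "/etc/nftables.d/*.nft"` and the sample rule contents are assumptions constructed for the example.

```shell
#!/bin/sh
# Added example: detect a rules file that has been flattened by
# "rc-service nftables save", i.e. one that no longer includes the
# snippet directory, so later edits to /etc/nftables.d/ would be ignored.
# Assumed include line: include "/etc/nftables.d/*.nft"

# Returns 0 when the file still includes the snippet directory, 1 otherwise.
rules_file_has_include() {
    grep -Eq '^[[:space:]]*include[[:space:]]+"/etc/nftables\.d/' "$1"
}

# Constructed sample: a hand-edited main rules file with the include directive.
make_sample_with_include() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
#!/usr/sbin/nft -f
flush ruleset
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
    }
}
include "/etc/nftables.d/*.nft"
EOF
    echo "$f"
}

# Constructed sample: what the file looks like after a save overwrote it
# with the running ruleset; the include is gone and snippet rules are inlined.
make_sample_flattened() {
    f=$(mktemp)
    cat > "$f" <<'EOF'
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        tcp dport 22 accept
    }
}
EOF
    echo "$f"
}

# Usage on a real system: rules_file_has_include /etc/nftables.nft || echo "flattened"
```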