You are not logged in.
- Topics: Active | Unanswered
#1 2021-12-14 10:41:06
- schard
- Forum Moderator
- From: Hannover
- Registered: 2016-05-06
- Posts: 2,519
- Website
[SOLVED] nftables.service does not flush tables before restarting
I discovered, that with the most recent nftables.service unit from the up-to-date package, the tables are not getting flushed on a reload, resulting in duplicate entries after
# systemctl restart nftables.serviceI hacked around this via "systemctl edit":
$ cat /etc/systemd/system/nftables.service.d/override.conf
[Service]
ExecStop=/usr/bin/nft flush ruleset
RemainAfterExit=trueMy question now is, whether I should open a bug report on this, or is this, for reasons I cannot grasp, intended behaviour?
Edit:
As a fun-fact, Debian does it as I expect it to be done:
[Unit]
Description=nftables
Documentation=man:nft(8) http://wiki.nftables.org
Wants=network-pre.target
Before=network-pre.target shutdown.target
Conflicts=shutdown.target
DefaultDependencies=no
[Service]
Type=oneshot
RemainAfterExit=yes
StandardInput=null
ProtectSystem=full
ProtectHome=true
ExecStart=/usr/sbin/nft -f /etc/nftables.conf
ExecReload=/usr/sbin/nft -f /etc/nftables.conf
ExecStop=/usr/sbin/nft flush ruleset
[Install]
WantedBy=sysinit.targetLast edited by schard (2021-12-14 11:44:01)
Inofficial first vice president of the Rust Evangelism Strike Force
Offline
#2 2021-12-14 11:13:33
- GeorgeJP
- Member
- From: Czech Republic
- Registered: 2020-01-28
- Posts: 189
Re: [SOLVED] nftables.service does not flush tables before restarting
If I remember, in some version not so far ago were requiered to include
flush rulesetas first command to
/etc/nftables.confEDIT: from pacman.log:
[2021-07-29T00:00:36+0200] [PACMAN] Running 'pacman -Syu'
[2021-07-29T00:00:36+0200] [PACMAN] synchronizing package lists
[2021-07-29T00:00:36+0200] [PACMAN] starting full system upgrade
[2021-07-29T00:40:16+0200] [PACMAN] Running 'pacman -Syu'
[2021-07-29T00:40:16+0200] [PACMAN] synchronizing package lists
[2021-07-29T00:40:16+0200] [PACMAN] starting full system upgrade
[2021-07-29T00:40:17+0200] [ALPM] transaction started
[2021-07-29T00:40:17+0200] [ALPM] warning: /etc/nftables.conf installed as /etc/nftables.conf.pacnew
[2021-07-29T00:40:17+0200] [ALPM] upgraded nftables (1:0.9.9-1 -> 1:0.9.9-6)
[2021-07-29T00:40:17+0200] [ALPM-SCRIPTLET] ==> Stopping/restarting the nftables service does NOT flush the ruleset anymore.
[2021-07-29T00:40:17+0200] [ALPM-SCRIPTLET] ==> The nftables.conf file requires a delete/flush directive to be restarted.
[2021-07-29T00:40:17+0200] [ALPM-SCRIPTLET] ==> See examples in /usr/share/nftables/ and /usr/share/doc/nftables/examples.
[2021-07-29T00:40:17+0200] [ALPM-SCRIPTLET] ==> The nftables service reload has been removed as it is now equivalent to a restart.
[2021-07-29T00:40:17+0200] [ALPM] transaction completedLast edited by GeorgeJP (2021-12-14 11:32:56)
Offline
#3 2021-12-14 11:43:50
- schard
- Forum Moderator
- From: Hannover
- Registered: 2016-05-06
- Posts: 2,519
- Website
Re: [SOLVED] nftables.service does not flush tables before restarting
Thanks for the hint. That's what you get if you skip pacman's log messages.
Inofficial first vice president of the Rust Evangelism Strike Force
Offline