
nftables default rules package


Andre Rodier

Dec 11, 2022, 10:10:05 AM
Hi,

When installing nftables from scratch on Debian, it creates an (almost) empty file /etc/nftables.conf.

Of course, I had to modify the file to my needs, and I know it is not overwritten by a package update.

However, IMHO, it would be better to create an empty directory, for instance /etc/nftables or /etc/nftables/rules,
and to include this directory from /etc/nftables.conf.

That way, we could place any rules in a directory, which is the way nftables works better, compared to, say, iptables.

Thanks for your insights.

André

Michel Verdier

Dec 11, 2022, 10:50:05 AM
On 11 December 2022, Andre Rodier wrote:

> However, IMHO, it would be better to create an empty directory, for instance /etc/nftables or /etc/nftables/rules,
> and to include this directory from /etc/nftables.conf.
>
> That way, we could place any rules in a directory, which is the way nftables works better, compared to, say, iptables.

As I understand it, nftables.conf serves to save the setup for the next boot with:
nft -s list ruleset > /etc/nftables.conf
And this save needs to not be automatic, to prevent erroneous rules from being kept
after reboot.
So if /etc/nftables/rules/ is included in /etc/nftables.conf, it implies
playing elsewhere and saving separate files in /etc/nftables/rules/ after
testing.

But a default /etc/nftables/rules/ would be great with some defaults, for
example the basics found on
https://wiki.nftables.org/wiki-nftables/index.php/Simple_ruleset_for_a_workstation
and/or
https://wiki.nftables.org/wiki-nftables/index.php/Simple_ruleset_for_a_server
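As an added illustration of the layout discussed in both posts (not a file from the Debian package or from either poster), here is what an /etc/nftables.conf that includes a rules directory could look like, together with one workstation-style rules file placed in it. The directory name /etc/nftables/rules and the file name 10-workstation.nft are assumptions; the rules follow the "simple ruleset for a workstation" pattern (drop inbound by default, allow loopback, established/related traffic and ICMP).

```nft
#!/usr/sbin/nft -f
# --- /etc/nftables.conf (assumed layout, example only) ---
# Start from a clean slate so a reload never leaves stale rules behind;
# with `nft -f` the flush and the included files form one atomic transaction.
flush ruleset

# nft's include statement accepts glob patterns, so every *.nft file in the
# directory is loaded in lexical order (hence the numeric prefix below).
include "/etc/nftables/rules/*.nft"

# --- /etc/nftables/rules/10-workstation.nft (assumed name, example only) ---
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;

        # Local traffic and replies to connections we initiated.
        iif "lo" accept
        ct state vmap { established : accept, related : accept, invalid : drop }

        # Path MTU discovery, neighbour discovery and friends need ICMP.
        meta l4proto { icmp, ipv6-icmp } accept

        # Add per-service rules (e.g. tcp dport 22 accept) in further files.
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
    }

    chain output {
        type filter hook output priority 0; policy accept;
    }
}
```

Before saving anything under /etc/nftables/rules/, a dry run with `nft -c -f /etc/nftables.conf` checks the whole tree for syntax and semantic errors without touching the live ruleset, which addresses the concern about erroneous rules surviving a reboot.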