View Issue Details

ID: 0006304
Project: Rocky-Linux-9
Category: nftables
View Status: public
Last Update: 2024-04-15 13:07
Reporter: Ferdinand G
Assigned To:
Priority: normal
Severity: minor
Reproducibility: always
Status: new
Resolution: open
Summary: 0006304: syntax errors in nftables config leave system without firewall upon reloading via systemctl
Description: When a user edits the firewall configuration contained in nftables.conf and introduces a syntax error, the firewall will fail to load correctly upon reloading the configuration using systemctl. This leaves the system without any kind of firewall.

The desired behaviour would be to check for syntax errors before trying to reload the firewall. If errors are found, the existing ruleset should not be flushed but instead be kept in place.

This behaviour could be easily achieved by checking for the correct syntax before trying to load the new configuration file, e.g.:

#!/bin/sh
# Run the ruleset file through `nft -c` (check mode, nothing is applied)
# before the live ruleset is touched; on errors the current ruleset stays.

CONFIG="/etc/sysconfig/nftables.conf"
NFT="/sbin/nft"

if [ "$1" = "start" ]; then

        if ! "${NFT}" -c -f "${CONFIG}"; then
                echo ">>>"
                echo ">>> ERRORS in ${CONFIG}"
                echo ">>> NOT LOADING FIREWALL"
                echo ">>>"
                exit 0
        else
                # flush and include in one nft invocation
                "${NFT}" "flush ruleset; include \"${CONFIG}\";"
        fi

elif [ "$1" = "stop" ]; then

        if ! "${NFT}" -c -f "${CONFIG}"; then
                echo ">>>"
                echo ">>> ERRORS in ${CONFIG}"
                echo ">>> NOT STOPPING FIREWALL"
                echo ">>>"
                exit 0
        else
                "${NFT}" 'flush ruleset'
        fi
fi


The above script might be run as a drop-in for ExecStart, ExecStop and ExecReload. One might add an override config like so:
[Service]
Type=forking
ExecStart=
ExecReload=
ExecStop=
ExecStart=/opt/bin/nftables.sh start
ExecReload=/opt/bin/nftables.sh start
ExecStop=/opt/bin/nftables.sh stop


Steps To Reproduce:
- edit nftables.conf and introduce some syntax error
- reload nftables using "systemctl restart nftables"
- the system now does not have a running firewall, as can be observed by typing 'nft list table inet filter'
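A variant of the check-before-flush approach proposed in the report, added here as an example (not the reporter's script and not Rocky's nftables unit): it validates the file with nft -c, then applies "flush ruleset" and the new ruleset as one nft -f transaction, which nft applies atomically, and it returns a non-zero status on rejection so that a reload reports failure while the old ruleset stays loaded. The paths and the NFT/CONFIG environment overrides are assumptions.

```shell
#!/bin/sh
# Reload nftables without ever leaving the host unfiltered:
#  1. check the ruleset file with `nft -c` (check mode, nothing applied);
#  2. apply "flush ruleset" + the new file as ONE nft transaction, so a
#     failure at apply time also leaves the previous ruleset untouched.
# Paths below are assumptions; NFT and CONFIG can be overridden via env.
CONFIG=${CONFIG:-/etc/sysconfig/nftables.conf}
NFT=${NFT:-/sbin/nft}

# Write the transaction file: flush and include are parsed and applied
# together, so an error in the included file aborts the flush as well.
build_transaction() {  # $1 = ruleset file, $2 = output file
    printf 'flush ruleset\ninclude "%s"\n' "$1" > "$2"
}

# Returns 0 on success, non-zero when the config is rejected
# (the old ruleset is kept in both failure cases).
safe_reload() {
    tmp=$(mktemp) || return 1
    build_transaction "$CONFIG" "$tmp"
    if ! "$NFT" -c -f "$tmp"; then
        echo "nftables: errors in $CONFIG, keeping current ruleset" >&2
        rm -f "$tmp"
        return 1
    fi
    rc=0
    "$NFT" -f "$tmp" || rc=$?   # all-or-nothing in the kernel
    rm -f "$tmp"
    return "$rc"
}

# start/reload validate and swap; stop flushes (only when given an argument)
case "${1:-}" in
    start|reload) safe_reload ;;
    stop)         "$NFT" flush ruleset ;;
esac
```

Used as ExecStart/ExecReload with "start"/"reload" and as ExecStop with "stop", a rejected edit leaves the previous ruleset active and the unit reports the failure.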
Tags: No tags attached.

Activities

There are no notes attached to this issue.

Issue History

Date Modified | Username | Field | Change
2024-04-15 13:07 | Ferdinand G | New Issue |