
I have an ansible role (historically inherited) to configure nftables for RHEL8, which I have been trying to make sense of. It is copying a systemd file for nftables.service that has a following stanza:

[Service]
Type=oneshot
RemainAfterExit=yes
StandardInput=null
ProtectSystem=full
ProtectHome=true
ExecStart=/sbin/nft -f /etc/sysconfig/nftables.conf
ExecReload=/sbin/nft 'flush ruleset; include "/etc/sysconfig/nftables.conf";'
ExecStop=/sbin/nft flush ruleset

I'm trying to understand the difference between what ExecStart is doing vs. ExecReload. The ExecStart seems straightforward enough: it's running the config atomically via the -f flag. But I don't understand how this is different from ExecReload. Is /sbin/nft 'flush ruleset; include "/etc/sysconfig/nftables.conf";' not atomic?

The content of /etc/sysconfig/nftables.conf is as follows:

#!/usr/sbin/nft -f

# clean
flush ruleset

include "/etc/nftables/defines.nft"

table inet filter {
        chain global {
                # 005 state management
                ct state established,related accept
                ct state invalid drop
        }
        include "/etc/nftables/sets_role_haproxy_cvp_apps.nft"
        include "/etc/nftables/sets.nft"
        include "/etc/nftables/helpers.nft"
        include "/etc/nftables/filter-forwared.nft"
        include "/etc/nftables/filter-input.nft"
        include "/etc/nftables/filter-output.nft"
        include "/etc/nftables/input_role_haproxy_cvp_apps.nft"

}

So to me both ExecStart and ExecReload look like they are doing the same thing: both flush the ruleset. The author of the Ansible role commented that "Reload will avoid to lose Nftables rulebase if an invalid syntax is added". I can't understand, though, how it does this if it's flushing the rulesets. Can someone kindly explain?

Thanks J

JaneD
  • Related: https://serverfault.com/questions/966003/does-netfilter-persistent-reload-open-up-the-gates-for-half-a-moment – anx May 20 '21 at 12:27
  • Thanks but not sure how this is related - my question is regarding nftables? – JaneD May 20 '21 at 21:37
  • What I hope is true (but have not seen confirmed in docs) is that regardless of whether I call `iptables-nft` or `nft`, I will end up with the very same kernel code (`nf_tables_commit()`) activating *the entire batch: including the `flush`* - or bailing out entirely: never applying partial rulesets. – anx May 20 '21 at 22:40
  • Ah interesting, so are you saying that it's always an atomic operation regardless of whether you are using the `-f` flag? – JaneD May 20 '21 at 23:59
  • Just to be clear here: the `nft -f` flag does *not* stand for *flush*. The `-f` flag switches between reading the argument as an nft command and using the argument as a filename to read nft commands from. – anx May 21 '21 at 11:35
  • You can test it: `nft flush ruleset`, then `nft add table foo`, then `nft 'flush ruleset; bar'`. `bar` triggers a syntax error. Result of experiment: output of `nft list ruleset`. Oh, that's on production? No problem, do `ip netns add experiment` + `ip netns exec experiment bash` before. – A.B May 23 '21 at 19:01
  • Anyway, for idempotency at table level (rather than ruleset level), `nft flush ruleset` (and thus nftables.service) should be avoided entirely. Reloading nftables will likely kill firewalld's settings at least temporarily (until this is backported: https://git.kernel.org/pub/scm/linux/kernel/git/stable/linux.git/commit/?h=linux-5.12.y&id=6001a930ce0378b62210d4f83583fc88a903d89d ) – A.B May 23 '21 at 19:06
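The experiment A.B describes above, written out as an added script (not code from the question or from the Ansible role), run in a throwaway network namespace. It covers the inline batch (the shape of the ExecReload line), the `-f` file (the shape of the ExecStart line), and, as a caveat, a flush issued in a separate invocation, which is a second transaction with nothing to roll back. The namespace name and the `keepme` table are assumptions; it needs root, nft and iproute2.

```shell
#!/bin/sh
# Constructed demo: one nft invocation (inline or -f file) is a single
# transaction, so a syntax error after "flush ruleset" leaves the old
# ruleset untouched; a flush in a separate invocation is already committed.
set -eu
NS=nft_atomic_demo                                    # assumed namespace name

ns() { ip netns exec "$NS" "$@"; }
can_run() { command -v nft >/dev/null 2>&1 && command -v ip >/dev/null 2>&1 \
            && [ "$(id -u)" -eq 0 ]; }
setup() {                                             # fresh "production" rule base
  ip netns del "$NS" 2>/dev/null || true
  ip netns add "$NS"
  ns nft flush ruleset
  ns nft add table inet keepme                        # assumed table name
}
cleanup() { ip netns del "$NS" 2>/dev/null || true; }
table_present() { ns nft list tables | grep -q 'table inet keepme'; }

# Case 1: flush plus a bad command in ONE batch (shape of the ExecReload line).
one_batch_with_error() {
  ns nft 'flush ruleset; bar' 2>/dev/null || true     # parse fails, nothing committed
  table_present
}

# Case 2: same content read with -f (shape of the ExecStart line).
file_with_error() {
  tmp=$(mktemp); printf 'flush ruleset\nbar\n' > "$tmp"
  ns nft -f "$tmp" 2>/dev/null || true                # whole file rejected
  rm -f "$tmp"
  table_present
}

# Case 3: flush and load as two invocations: two transactions, no rollback.
two_separate_batches() {
  ns nft flush ruleset                                # committed on its own
  ns nft bar 2>/dev/null || true                      # later failure cannot undo it
  ! table_present
}

main() {
  can_run || { echo "needs root, nft and ip; nothing run" >&2; return 0; }
  trap cleanup EXIT
  setup; one_batch_with_error && echo "case 1: table survived the failed inline batch"
  setup; file_with_error      && echo "case 2: table survived the failed -f load"
  setup; two_separate_batches && echo "case 3: table lost, flush had already committed"
}
main "$@"
```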
