Request for system-files for nftables


#1

nftables-pk is my package of nftables Linux firewall management tools. As a low-level network management utility it requires the following plugs, preferably auto-connected:

  • network-control
  • firewall-control

In addition, to be able to serve as a drop-in replacement for native nftables packages it also requires read-only access to /etc/nftables, thus plug system-files.

The main motivation for creating this package is that the native nftables package in LTS Linux distributions is hopelessly old and has many bugs, so snaps create a convenient alternative to have the latest package installed on the server.


#2

This is almost certainly better done via a snap layout since there is no guarantee the /etc/nftables on the host is compatible with the nftables in the snap. Eg:

layout:
  /etc/nftables:
    bind: $SNAP/etc/nftables

See Snap layouts for details. If you need /etc/nftables from the host, please describe why it is needed instead of a layout.


#3

firewall-control is obvious for auto-connection, but why does network-control need to be connected? Can you try plugging and connecting firewall-control and then test your snap and provide the policy violations from journalctl?


#4

why does network-control need to be connected

@jdstrand
network-control is also required as it’s using some kind of netlink interface to control the tables and throwing the following access errors without it (and does not work):

Jul 02 10:58:51 pax audit[8715]: AVC apparmor="DENIED" operation="open" profile="snap.nftables-pk.nft" name="/etc/iproute2/rt_realms" pid=8715 comm="nft" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Jul 02 10:58:51 pax audit[8715]: AVC apparmor="DENIED" operation="open" profile="snap.nftables-pk.nft" name="/etc/iproute2/group" pid=8715 comm="nft" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Jul 02 10:58:51 pax audit[8715]: AVC apparmor="DENIED" operation="open" profile="snap.nftables-pk.nft" name="/etc/iproute2/rt_realms" pid=8715 comm="nft" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
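
The denial records above are the kind of `journalctl` output #3 asked for. As an added example that is not part of this thread or of the nftables-pk snap, here is a small POSIX shell helper that condenses such records into a per-profile, per-path hit count, which is easier to paste into a report than raw log lines. It assumes the audit lines have the `key="value"` layout shown above; the sample input is constructed to match that layout (three lines copied from the post plus one line for a made-up second profile, to show the filter), and the profile name `snap.nftables-pk.nft` is taken from the posted records.

```shell
#!/bin/sh
# Added example (not from the original post): summarise AppArmor denials for
# one snap profile. Against a live system one would feed it the journal:
#   journalctl -k --since "10 min ago" | summarize_denials snap.nftables-pk.nft
# Reads log lines on stdin; prints "<count> <profile> <operation> <name> <mask>"
# (tab-separated), most frequent first. With no PROFILE argument all profiles
# are reported.
summarize_denials() {
  awk -v prof="$1" '
    /apparmor="DENIED"/ {
      # Pull every key="value" token out of the audit record into f[].
      split("", f)
      line = $0
      while (match(line, /[a-z_]+="[^"]*"/)) {
        kv = substr(line, RSTART, RLENGTH)
        line = substr(line, RSTART + RLENGTH)
        eq = index(kv, "=")
        k = substr(kv, 1, eq - 1)
        v = substr(kv, eq + 2, length(kv) - eq - 2)   # strip the ="..." wrapper
        f[k] = v
      }
      if (prof == "" || f["profile"] == prof) {
        key = f["profile"] "\t" f["operation"] "\t" f["name"] "\t" f["requested_mask"]
        n[key]++
      }
    }
    END {
      for (k in n) printf "%d\t%s\n", n[k], k
    }' | sort -rn
}

# Constructed sample input in the shape of the records posted above. The
# snap.other.app line is invented only to exercise the profile filter.
SAMPLE='Jul 02 10:58:51 pax audit[8715]: AVC apparmor="DENIED" operation="open" profile="snap.nftables-pk.nft" name="/etc/iproute2/rt_realms" pid=8715 comm="nft" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Jul 02 10:58:51 pax audit[8715]: AVC apparmor="DENIED" operation="open" profile="snap.nftables-pk.nft" name="/etc/iproute2/group" pid=8715 comm="nft" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Jul 02 10:58:51 pax audit[8715]: AVC apparmor="DENIED" operation="open" profile="snap.nftables-pk.nft" name="/etc/iproute2/rt_realms" pid=8715 comm="nft" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
Jul 02 10:58:52 pax audit[8720]: AVC apparmor="DENIED" operation="open" profile="snap.other.app" name="/etc/iproute2/group" pid=8720 comm="ip" requested_mask="r" denied_mask="r" fsuid=0 ouid=0'

# Convenience wrappers so the summary can be produced offline from SAMPLE.
demo_filtered() { printf '%s\n' "$SAMPLE" | summarize_denials snap.nftables-pk.nft; }
demo_all()      { printf '%s\n' "$SAMPLE" | summarize_denials; }

demo_filtered
```

Running the script prints two lines for the nftables-pk profile: `/etc/iproute2/rt_realms` with a count of 2 and `/etc/iproute2/group` with a count of 1. Grouping by `requested_mask` as well as by path matters when deciding which interface to request, since a read denial and a write denial on the same file point at different policy lines.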


#5

This is almost certainly better done via a snap layout

Thanks, didn’t even realize this exists! Just switched the snap to layouts and it seems to work like a charm.