author | Jakub Jirutka <jakub@jirutka.cz> | 2018-04-01 17:59:21 +0200 |
committer | Jakub Jirutka <jakub@jirutka.cz> | 2018-04-01 19:03:36 +0200 |
commit | 1ad0a892bd0a2ed6f3cb0b6e4c872439fb37e394 (patch) | |
tree | 8a1be86e44ef300bbab83d6c9b297a711653eb36 /main | |
parent | 2221432434ddd269048e71a34cda6ebafbddcc9c (diff) | |
main/nftables: change default save location to /etc/firewall.nft
This is a configuration and so should be stored in /etc. Also nftables
format is very well suited for hand-written firewall configuration, not
just for dumping current rules managed manually by the nft tool or generated
by some shell script.
However, to be consistent with iptables package, I kept save_on_stop
enabled by default.
Diffstat (limited to 'main')
-rw-r--r-- | main/nftables/APKBUILD | 5 | ||||
-rw-r--r-- | main/nftables/nftables.confd | 2 | ||||
-rw-r--r-- | main/nftables/nftables.initd | 2 | ||||
-rw-r--r-- | main/nftables/nftables.post-upgrade | 15 |
4 files changed, 20 insertions, 4 deletions
diff --git a/main/nftables/APKBUILD b/main/nftables/APKBUILD
index f8166c3412..27e5542bba 100644
--- a/main/nftables/APKBUILD
+++ b/main/nftables/APKBUILD
@@ -10,6 +10,7 @@ arch="all"
 license="GPL-2.0-or-later"
 makedepends="libmnl-dev libnftnl-dev gmp-dev readline-dev ncurses-dev bison flex docbook2x"
+install="$pkgname.post-upgrade"
 subpackages="$pkgname-doc"
 source="http://netfilter.org/projects/$pkgname/files/$pkgname-$pkgver.tar.bz2
 nftables.confd
@@ -45,5 +46,5 @@ package() {
 }
 sha512sums="d3d97be10c2dcd1f15b9998e01254ff11438a2d83922e8b5207b641375ea12bb86ecbe4f9cb21cdf5998ddeb7c42b9e424dcb40a359cf42e06b9437a5ce4f72c nftables-0.8.3.tar.bz2
-a13e8b55b2ef6df2255e0b190f8dd5b2deb0ab49f8f303b1f11a3df550de41cd71e76cbfd7184d031a24a1d3387262c5d01a8cb8e4a981c8a85d8eb7753be39a nftables.confd
-a4a9b07f7389f7c66d42af71e6d76b55e940a60f823323344ebe3c2939667c21834c5e52f3fc59b37ea7e234144d48262bd07c86db8aa4195f59f98111548330 nftables.initd"
+4eb1adf003dfcaad65c91af6ca88d91b7904c471aefae67e7d3c2f8e053e1ac196d3437a45d1fed5a855b876a0f1fc58a724e381d2acf1164d9120cadee73eef nftables.confd
+bfdb7f24a722f9b50303bbdb4e11bfd6e84abb62d1f6de6b579b00f96bd3c65e2f5c7317c0b660f53718bf4f2cdebf0f0ba0f0d37426a35b7afab24adb489389 nftables.initd"
diff --git a/main/nftables/nftables.confd b/main/nftables/nftables.confd
index 41ca06cf05..87fa8f2eae 100644
--- a/main/nftables/nftables.confd
+++ b/main/nftables/nftables.confd
@@ -2,7 +2,7 @@
 # Location of file with nftables rules to restore on service start,
 # and save rules to on service stop when $save_on_stop is enabled.
-#rules_file="/var/lib/nftables/rules-save"
+#rules_file="/etc/firewall.nft"
 # Options to pass to nft on save.
 #save_options="-n"
diff --git a/main/nftables/nftables.initd b/main/nftables/nftables.initd
index 56d31c3bba..13b2bc70fd 100644
--- a/main/nftables/nftables.initd
+++ b/main/nftables/nftables.initd
@@ -13,7 +13,7 @@ description_panic="Immediately drop all packets on all interfaces."
 description_reload="Clear current rulesets and load rulesets from the saved ruleset files."
 # Uppercase variables are there for backward compatibility.
-: ${rules_file:=${NFTABLES_SAVE:="/var/lib/nftables/rules-save"}}
+: ${rules_file:=${NFTABLES_SAVE:="/etc/firewall.nft"}}
 : ${save_options:=${SAVE_OPTIONS:="-n"}}
 : ${save_on_stop:=${SAVE_ON_STOP:="yes"}}
 : ${enable_forwarding:="no"}
diff --git a/main/nftables/nftables.post-upgrade b/main/nftables/nftables.post-upgrade
new file mode 100644
index 0000000000..cab85d0923
--- /dev/null
+++ b/main/nftables/nftables.post-upgrade
@@ -0,0 +1,15 @@
+#!/bin/sh
+
+ver_new="$1"
+ver_old="$2"
+
+# Copy rules file to the new default location, to be sure that we will
+# not break existing installations.
+if [ "$(apk version -t "$ver_old" "0.8.3-r1")" = "<" ]; then
+old_file='/var/lib/nftables/rules-save'
+new_file='/etc/nftables.nft'
+
+if [ -f "$old_file" ] && [ ! -f "$new_file" ]; then
+cp -a "$old_file" "$new_file"
+fi
+fi |
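Review bot: The migration target in the new post-upgrade script, `new_file='/etc/nftables.nft'`, does not match the default this same commit sets in nftables.confd and nftables.initd (`/etc/firewall.nft`), so after the upgrade the service looks for a rules file the script never creates and the rules copied to /etc/nftables.nft are never loaded; the line should read `new_file='/etc/firewall.nft'`. For a firewall this is a silent migration failure with real exposure: depending on how the initd treats a missing rules_file (not shown in this hunk), the host either comes up without its previously saved ruleset, or, with save_on_stop defaulting to yes, the first stop writes whatever ruleset is live into the new path and the old rules are effectively discarded. The `0.8.3-r1` threshold also presumes a pkgrel bump that the APKBUILD hunk does not show (its five-line diffstat is fully accounted for by the install= line and the two checksum pairs), so the bump should land in the same package build or the script never runs on existing installs. `ver_new` is assigned but never used and can be dropped.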