[Bug 1154] Allow include statement to operate on directories and/or wildcards

bugzilla-daemon at netfilter.org bugzilla-daemon at netfilter.org
Fri Jun 9 07:37:52 CEST 2017


https://bugzilla.netfilter.org/show_bug.cgi?id=1154

--- Comment #3 from hoxu at users.sf.net ---
(In reply to Pablo Neira Ayuso from comment #2)
> We can adopt "directory include" means take all files there from there. No
> need for explicit wildcard. But I would enforce a check for the trailing
> slash probably? So we make explicit for the reader/reviewer that someone is
> importing a directory, not just a file.

Either that, or a separate includedir directive for clarity?

For comparison, here is how sudo does directory inclusion [1]:


```
The #includedir directive can be used to create a sudo.d direc‐
tory that the system package manager can drop sudoers rules
into as part of package installation.  For example, given:

    #includedir /etc/sudoers.d

sudo will read each file in /etc/sudoers.d, skipping file names
that end in ‘~’ or contain a ‘.’ character to avoid causing
problems with package manager or editor temporary/backup files.
Files are parsed in sorted lexical order.  That is,
/etc/sudoers.d/01_first will be parsed before
/etc/sudoers.d/10_second.  Be aware that because the sorting is
lexical, not numeric, /etc/sudoers.d/1_whoops would be loaded
after /etc/sudoers.d/10_second.  Using a consistent number of
leading zeroes in the file names can be used to avoid such
problems.
```


You may want to consider filtering at least hidden files (.*), which would
nicely exclude vim swapfiles. *~ would do likewise for emacs backup files.

I also like the way debian apache2 does snippet inclusion [2]:


```
# Include generic snippets of statements
IncludeOptional conf-enabled/*.conf
```


Why I'm mentioning apache is to make you consider whether nftables upstream
wants to perhaps nudge downstreams towards - for example - the following
convention:

* /etc/nftables.conf ships with "Include nftables/rules-enabled/*"
* Other packages can ship with suggested rules in /etc/nftables/rules-available
* System admin can cherry-pick rules to symlink to /etc/nftables/rules-enabled
(opening ports by installing a package by default wouldn't work)

Just some random thoughts, in case someone gets brilliant ideas about this.

Personally I would be just happy with a glob include, or failing that, a
directory include.


[1] https://linux.die.net/man/5/sudoers
[2] https://httpd.apache.org/docs/2.4/mod/core.html#includeoptional
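A worked illustration of the include semantics discussed in this comment (the sudoers filtering rules, the suggested hidden-file and `*~` filters, and sorted lexical load order). This is an added example, not code from nftables, sudo or apache; the directory contents it builds are constructed for the demonstration, and the function names and the `skip_*` options are my own.

```python
"""Resolve a "directory include" or glob include the way the sudoers text
above describes it, and show the '1_whoops' lexical-ordering pitfall.

Added example, not nftables/sudo/apache code.  Filter rules applied:
  - skip hidden files ('.*')       -> vim swap files (poster's suggestion)
  - skip names ending in '~'       -> emacs backup files
  - skip names containing '.'      -> package-manager temp files (sudo rule)
Load order is sorted lexical order, exactly as sudo documents.
"""
import fnmatch
import tempfile
from pathlib import Path


def is_loadable(name, skip_hidden=True, skip_backups=True, skip_dotted=True):
    """Return True if a file name survives the include filters."""
    if skip_hidden and name.startswith("."):
        return False
    if skip_backups and name.endswith("~"):
        return False
    if skip_dotted and "." in name:
        return False
    return True


def include_order(names, pattern="*", **filters):
    """Names an include would load, in sorted lexical order.

    The sort is lexical, not numeric, so '1_whoops' lands after
    '10_second'; zero-padded prefixes ('01_', '10_') avoid the surprise.
    fnmatch does not special-case leading dots, so hidden files are
    rejected by is_loadable rather than by the pattern.
    """
    return sorted(n for n in names
                  if fnmatch.fnmatchcase(n, pattern) and is_loadable(n, **filters))


def resolve_include(directory, pattern="*", **filters):
    """Regular files under `directory` matching `pattern`, filtered and
    ordered.  This is what an 'include nftables/rules-enabled/*' line
    would read.  is_file() follows symlinks, so the rules-available ->
    rules-enabled symlink convention from the comment works unchanged.
    """
    d = Path(directory)
    names = [p.name for p in d.iterdir() if p.is_file()]
    return [d / n for n in include_order(names, pattern, **filters)]


def build_demo_dir():
    """Constructed sample tree (hypothetical contents, not from the page):
    three rule files plus the kinds of litter the filters should drop."""
    d = Path(tempfile.mkdtemp(prefix="rules-enabled-"))
    for name in ["01_first", "10_second", "1_whoops",
                 ".10_second.swp", "10_second~", "01_first.dpkg-new"]:
        (d / name).write_text(f"# rules from {name}\n")
    return d


def demo():
    """Base names in the order a directory include would load them."""
    return [p.name for p in resolve_include(build_demo_dir())]


if __name__ == "__main__":
    for name in demo():
        print(name)
```

With the default filters, an apache-style pattern such as `*.conf` matches nothing, because the sudo rule rejects every name containing a dot; pass `skip_dotted=False` to `resolve_include` to get that convention instead.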
