Diffstat (limited to 'files/nftables')
-rw-r--r-- | files/nftables/Makefile.am | 16 | ||||
-rwxr-xr-x | files/nftables/all-in-one.nft | 36 | ||||
-rwxr-xr-x | files/nftables/arp-filter.nft | 6 | ||||
-rwxr-xr-x | files/nftables/bridge-filter.nft | 7 | ||||
-rwxr-xr-x | files/nftables/inet-filter.nft | 7 | ||||
-rwxr-xr-x | files/nftables/ipv4-filter.nft | 7 | ||||
-rwxr-xr-x | files/nftables/ipv4-mangle.nft | 5 | ||||
-rwxr-xr-x | files/nftables/ipv4-nat.nft | 8 | ||||
-rwxr-xr-x | files/nftables/ipv4-raw.nft | 6 | ||||
-rwxr-xr-x | files/nftables/ipv6-filter.nft | 7 | ||||
-rwxr-xr-x | files/nftables/ipv6-mangle.nft | 5 | ||||
-rwxr-xr-x | files/nftables/ipv6-nat.nft | 8 | ||||
-rwxr-xr-x | files/nftables/ipv6-raw.nft | 6 |
13 files changed, 124 insertions, 0 deletions
diff --git a/files/nftables/Makefile.am b/files/nftables/Makefile.am
new file mode 100644
index 00000000..43e30281
--- /dev/null
+++ b/files/nftables/Makefile.am
@@ -0,0 +1,16 @@
+pkgsysconfdir = ${sysconfdir}/nftables
+dist_pkgsysconf_DATA = all-in-one.nft \
+ arp-filter.nft \
+ bridge-filter.nft \
+ inet-filter.nft \
+ ipv4-filter.nft \
+ ipv4-mangle.nft \
+ ipv4-nat.nft \
+ ipv4-raw.nft \
+ ipv6-filter.nft \
+ ipv6-mangle.nft \
+ ipv6-nat.nft \
+ ipv6-raw.nft
+
+install-data-hook:
+ ${SED} -i 's|@sbindir[@]|${sbindir}/|g' ${DESTDIR}${pkgsysconfdir}/*
diff --git a/files/nftables/all-in-one.nft b/files/nftables/all-in-one.nft
new file mode 100755
index 00000000..4ccc0432
--- /dev/null
+++ b/files/nftables/all-in-one.nft
@@ -0,0 +1,36 @@
+#!@sbindir@nft -f
+
+# Here is an example of different families, hooks and priorities in the
+# nftables framework, all mixed together.
+#
+# more examples are located in files/examples in nftables source.
+# For up-to-date information please visit https://wiki.nftables.org
+#
+# This script is mean to be loaded with `nft -f <file>`
+
+# clear all prior state
+flush ruleset
+
+# native dual stack IPv4 & IPv6 family
+include "./inet-filter.nft"
+
+# netdev family at ingress hook. Attached to a given NIC
+include "./netdev-ingress.nft"
+
+# IPv4 family, typical iptables tables/chains layout
+include "./ipv4-filter.nft"
+include "./ipv4-mangle.nft"
+include "./ipv4-nat.nft"
+include "./ipv4-raw.nft"
+
+# IPv6 family, typical ip6tables tables/chains layout
+include "./ipv6-filter.nft"
+include "./ipv6-mangle.nft"
+include "./ipv6-nat.nft"
+include "./ipv6-raw.nft"
+
+# ARP family, typical arptables tables/chain layout
+include "./arp-filter.nft"
+
+# bridge family, typical ebtables tables/chain layout
+include "./bridge-filter.nft"
diff --git a/files/nftables/arp-filter.nft b/files/nftables/arp-filter.nft
new file mode 100755
index 00000000..8a350b1e
--- /dev/null
+++ b/files/nftables/arp-filter.nft
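Review bot: The `install-data-hook` runs `${SED} -i` over `${DESTDIR}${pkgsysconfdir}/*`, i.e. every file present in the directory, not only the twelve files this Makefile installs, so installing into an already-populated `${sysconfdir}/nftables` silently edits unrelated files in place (and `sed -i` on a symlinked entry replaces the link with a regular file). Restrict the substitution to the declared set: `cd ${DESTDIR}${pkgsysconfdir} && ${SED} -i 's|@sbindir[@]|${sbindir}/|g' ${dist_pkgsysconf_DATA}`. `${SED}` is presumably provided by an `AC_PROG_SED` in configure.ac, which is outside this diff; worth confirming, since an undefined `${SED}` expands to nothing and the recipe would then execute `-i` as a command. Note also that `dist_pkgsysconf_DATA` installs with data (non-executable) permissions, so the repository mode 100755 and the `#!@sbindir@nft -f` shebang do not yield runnable scripts after install; if loading via `nft -f` is the intended use, that is fine but deserves a one-line comment above the hook.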
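Review bot: `include "./netdev-ingress.nft"` names a file that is neither added by this commit nor listed in `dist_pkgsysconf_DATA`, so `nft -f all-in-one.nft` fails on the missing include; as far as I can tell nft parses the whole file before committing, so `flush ruleset` is presumably not applied either, but the example is unusable as shipped. Either add `netdev-ingress.nft` (it needs a concrete device name, which is probably why it was omitted) or remove the include and its two comment lines. The `./`-relative includes appear to be resolved against nft's include path and working directory rather than the including file's location, so the installed copy only works when run from `${pkgsysconfdir}` or with `-I`; a comment stating that, next to `# This script is mean to be loaded with ...` (which should read `meant`), would save users a confusing failure.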
@@ -0,0 +1,6 @@
+#!@sbindir@nft -f
+
+table arp filter {
+ chain input { type filter hook input priority 0; }
+ chain output { type filter hook output priority 0; }
+}
diff --git a/files/nftables/bridge-filter.nft b/files/nftables/bridge-filter.nft
new file mode 100755
index 00000000..93efe864
--- /dev/null
+++ b/files/nftables/bridge-filter.nft
@@ -0,0 +1,7 @@
+#!@sbindir@nft -f
+
+table bridge filter {
+ chain input { type filter hook input priority -200; }
+ chain forward { type filter hook forward priority -200; }
+ chain output { type filter hook output priority 200; }
+}
diff --git a/files/nftables/inet-filter.nft b/files/nftables/inet-filter.nft
new file mode 100755
index 00000000..7be447fd
--- /dev/null
+++ b/files/nftables/inet-filter.nft
@@ -0,0 +1,7 @@
+#!@sbindir@nft -f
+
+table inet filter {
+ chain input { type filter hook input priority 0; }
+ chain forward { type filter hook forward priority 0; }
+ chain output { type filter hook output priority 0; }
+}
diff --git a/files/nftables/ipv4-filter.nft b/files/nftables/ipv4-filter.nft
new file mode 100755
index 00000000..51c060f6
--- /dev/null
+++ b/files/nftables/ipv4-filter.nft
@@ -0,0 +1,7 @@
+#!@sbindir@nft -f
+
+table filter {
+ chain input { type filter hook input priority 0; }
+ chain forward { type filter hook forward priority 0; }
+ chain output { type filter hook output priority 0; }
+}
diff --git a/files/nftables/ipv4-mangle.nft b/files/nftables/ipv4-mangle.nft
new file mode 100755
index 00000000..dba8888c
--- /dev/null
+++ b/files/nftables/ipv4-mangle.nft
@@ -0,0 +1,5 @@
+#!@sbindir@nft -f
+
+table mangle {
+ chain output { type route hook output priority -150; }
+}
diff --git a/files/nftables/ipv4-nat.nft b/files/nftables/ipv4-nat.nft
new file mode 100755
index 00000000..6754e5ee
--- /dev/null
+++ b/files/nftables/ipv4-nat.nft
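Review bot: None of the base chains in `table arp filter` declare a `policy`, so they default to accept and the table registers hooks that filter nothing; the same holds for the `bridge`, `inet`, `ip` and `ip6` filter tables in the hunks that follow. That is fine for a layout example, but these files are installed under `${sysconfdir}/nftables`, where a reader may mistake them for a usable baseline. A one-line comment in each file would remove the ambiguity, e.g. `# skeleton only: empty base chains with default policy accept; add rules or an explicit policy before relying on this`.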
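Review bot: `table mangle` defines only an `output` chain of `type route`, while all-in-one.nft introduces these files as the "typical iptables tables/chains layout"; the iptables mangle table also hooks prerouting, input, forward and postrouting, and `ip6 mangle` in a later hunk has the same gap. If the single route-type output chain is deliberate (it is the hook where a packet must be re-routed after its mark or header is changed), a comment such as `# only output needs type route; other mangle hooks would be plain type filter chains` would stop someone "completing" the table with the wrong chain type; otherwise add the missing chains.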
@@ -0,0 +1,8 @@
+#!@sbindir@nft -f
+
+table nat {
+ chain prerouting { type nat hook prerouting priority -100; }
+ chain input { type nat hook input priority 100; }
+ chain output { type nat hook output priority -100; }
+ chain postrouting { type nat hook postrouting priority 100; }
+}
diff --git a/files/nftables/ipv4-raw.nft b/files/nftables/ipv4-raw.nft
new file mode 100755
index 00000000..c3fed191
--- /dev/null
+++ b/files/nftables/ipv4-raw.nft
@@ -0,0 +1,6 @@
+#!@sbindir@nft -f
+
+table raw {
+ chain prerouting { type filter hook prerouting priority -300; }
+ chain output { type filter hook output priority -300; }
+}
diff --git a/files/nftables/ipv6-filter.nft b/files/nftables/ipv6-filter.nft
new file mode 100755
index 00000000..266bed36
--- /dev/null
+++ b/files/nftables/ipv6-filter.nft
@@ -0,0 +1,7 @@
+#!@sbindir@nft -f
+
+table ip6 filter {
+ chain input { type filter hook input priority 0; }
+ chain forward { type filter hook forward priority 0; }
+ chain output { type filter hook output priority 0; }
+}
diff --git a/files/nftables/ipv6-mangle.nft b/files/nftables/ipv6-mangle.nft
new file mode 100755
index 00000000..6b3e20dc
--- /dev/null
+++ b/files/nftables/ipv6-mangle.nft
@@ -0,0 +1,5 @@
+#!@sbindir@nft -f
+
+table ip6 mangle {
+ chain output { type route hook output priority -150; }
+}
diff --git a/files/nftables/ipv6-nat.nft b/files/nftables/ipv6-nat.nft
new file mode 100755
index 00000000..ce0391df
--- /dev/null
+++ b/files/nftables/ipv6-nat.nft
@@ -0,0 +1,8 @@
+#!@sbindir@nft -f
+
+table ip6 nat {
+ chain prerouting { type nat hook prerouting priority -100; }
+ chain input { type nat hook input priority 100; }
+ chain output { type nat hook output priority -100; }
+ chain postrouting { type nat hook postrouting priority 100; }
+}
diff --git a/files/nftables/ipv6-raw.nft b/files/nftables/ipv6-raw.nft
new file mode 100755
index 00000000..504fb3e5
--- /dev/null
+++ b/files/nftables/ipv6-raw.nft
@@ -0,0 +1,6 @@
+#!@sbindir@nft -f
+
+table ip6 raw {
+ chain prerouting { type filter hook prerouting priority -300; }
+ chain output { type filter hook output priority -300; }
+}