Diffstat (limited to 'files')
-rw-r--r-- | files/Makefile.am | 2 | ||||
-rwxr-xr-x | files/examples/secmark.nft | 87 | ||||
-rw-r--r-- | files/nftables/Makefile.am | 18 | ||||
-rw-r--r--[-rwxr-xr-x] | files/nftables/all-in-one.nft | 4 | ||||
-rw-r--r--[-rwxr-xr-x] | files/nftables/arp-filter.nft | 2 | ||||
-rw-r--r--[-rwxr-xr-x] | files/nftables/bridge-filter.nft | 2 | ||||
-rw-r--r--[-rwxr-xr-x] | files/nftables/inet-filter.nft | 2 | ||||
-rw-r--r--[-rwxr-xr-x] | files/nftables/inet-nat.nft | 2 | ||||
-rw-r--r--[-rwxr-xr-x] | files/nftables/ipv4-filter.nft | 2 | ||||
-rw-r--r--[-rwxr-xr-x] | files/nftables/ipv4-mangle.nft | 2 | ||||
-rw-r--r--[-rwxr-xr-x] | files/nftables/ipv4-nat.nft | 2 | ||||
-rw-r--r--[-rwxr-xr-x] | files/nftables/ipv4-raw.nft | 2 | ||||
-rw-r--r--[-rwxr-xr-x] | files/nftables/ipv6-filter.nft | 2 | ||||
-rw-r--r--[-rwxr-xr-x] | files/nftables/ipv6-mangle.nft | 2 | ||||
-rw-r--r--[-rwxr-xr-x] | files/nftables/ipv6-nat.nft | 2 | ||||
-rw-r--r--[-rwxr-xr-x] | files/nftables/ipv6-raw.nft | 2 | ||||
-rw-r--r--[-rwxr-xr-x] | files/nftables/netdev-ingress.nft | 4 | ||||
-rw-r--r-- | files/osf/Makefile.am | 2 |
18 files changed, 89 insertions, 52 deletions
diff --git a/files/Makefile.am b/files/Makefile.am
deleted file mode 100644
index 4f41b664..00000000
--- a/files/Makefile.am
+++ /dev/null
@@ -1,2 +0,0 @@
-SUBDIRS = nftables \
- osf
diff --git a/files/examples/secmark.nft b/files/examples/secmark.nft
new file mode 100755
index 00000000..c923cebb
--- /dev/null
+++ b/files/examples/secmark.nft
@@ -0,0 +1,87 @@
+#!/usr/sbin/nft -f
+
+# This example file shows how to use secmark labels with the nftables framework.
+# This script is meant to be loaded with `nft -f <file>`
+# You require linux kernel >= 4.20 and nft >= 0.9.3
+# This example is SELinux based, for the secmark objects you require
+# SELinux enabled and a SELinux policy defining the stated contexts
+# For up-to-date information please visit https://wiki.nftables.org
+
+
+flush ruleset
+
+table inet x {
+ secmark ssh_server {
+ "system_u:object_r:ssh_server_packet_t:s0"
+ }
+
+ secmark dns_client {
+ "system_u:object_r:dns_client_packet_t:s0"
+ }
+
+ secmark http_client {
+ "system_u:object_r:http_client_packet_t:s0"
+ }
+
+ secmark https_client {
+ "system_u:object_r:http_client_packet_t:s0"
+ }
+
+ secmark ntp_client {
+ "system_u:object_r:ntp_client_packet_t:s0"
+ }
+
+ secmark icmp_client {
+ "system_u:object_r:icmp_client_packet_t:s0"
+ }
+
+ secmark icmp_server {
+ "system_u:object_r:icmp_server_packet_t:s0"
+ }
+
+ secmark ssh_client {
+ "system_u:object_r:ssh_client_packet_t:s0"
+ }
+
+ secmark git_client {
+ "system_u:object_r:git_client_packet_t:s0"
+ }
+
+ map secmapping_in {
+ type inet_service : secmark
+ elements = { 22 : "ssh_server" }
+ }
+
+ map secmapping_out {
+ type inet_service : secmark
+ elements = { 22 : "ssh_client", 53 : "dns_client", 80 : "http_client", 123 : "ntp_client", 443 : "http_client", 9418 : "git_client" }
+ }
+
+ chain y {
+ type filter hook input priority -225;
+
+ # label new incoming packets and add to connection
+ ct state new meta secmark set tcp dport map @secmapping_in
+ ct state new meta secmark set udp dport map @secmapping_in
+ ct state new ip protocol icmp meta secmark set "icmp_server"
+ ct state new ip6 nexthdr icmpv6 meta secmark set "icmp_server"
+ ct state new ct secmark set meta secmark
+
+ # set label for est/rel packets from connection
+ ct state established,related meta secmark set ct secmark
+ }
+
+ chain z {
+ type filter hook output
priority 225;
+
+ # label new outgoing packets and add to connection
+ ct state new meta secmark set tcp dport map @secmapping_out
+ ct state new meta secmark set udp dport map @secmapping_out
+ ct state new ip protocol icmp meta secmark set "icmp_client"
+ ct state new ip6 nexthdr icmpv6 meta secmark set "icmp_client"
+ ct state new ct secmark set meta secmark
+
+ # set label for est/rel packets from connection
+ ct state established,related meta secmark set ct secmark
+ }
+}
diff --git a/files/nftables/Makefile.am b/files/nftables/Makefile.am
deleted file mode 100644
index 2a511cd1..00000000
--- a/files/nftables/Makefile.am
+++ /dev/null
@@ -1,18 +0,0 @@
-pkgsysconfdir = ${sysconfdir}/nftables
-dist_pkgsysconf_DATA = all-in-one.nft \
- arp-filter.nft \
- bridge-filter.nft \
- inet-filter.nft \
- inet-nat.nft \
- ipv4-filter.nft \
- ipv4-mangle.nft \
- ipv4-nat.nft \
- ipv4-raw.nft \
- ipv6-filter.nft \
- ipv6-mangle.nft \
- ipv6-nat.nft \
- ipv6-raw.nft \
- netdev-ingress.nft
-
-install-data-hook:
- ${SED} -i 's|@sbindir[@]|${sbindir}/|g' ${DESTDIR}${pkgsysconfdir}/*.nft
diff --git a/files/nftables/all-in-one.nft b/files/nftables/all-in-one.nft
index d3aa7f37..15ac22e2 100755..100644
--- a/files/nftables/all-in-one.nft
+++ b/files/nftables/all-in-one.nft
@@ -1,12 +1,10 @@
-#!@sbindir@nft -f
-
 # Here is an example of different families, hooks and priorities in the
 # nftables framework, all mixed together.
 #
 # more examples are located in files/examples in nftables source.
 # For up-to-date information please visit https://wiki.nftables.org
 #
-# This script is mean to be loaded with `nft -f <file>`
+# This script is meant to be loaded with `nft -f <file>`
 
 # clear all prior state
 flush ruleset
diff --git a/files/nftables/arp-filter.nft b/files/nftables/arp-filter.nft
index 8a350b1e..6e4c6248 100755..100644
--- a/files/nftables/arp-filter.nft
+++ b/files/nftables/arp-filter.nft
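Review bot: The `https_client` secmark object declared in this hunk is never referenced: `secmapping_out` maps `443 : "http_client"`, and the object carries the same `http_client_packet_t` context string as `http_client`, so the entry should either read `443 : "https_client"` or the unused object should be dropped so readers are not left guessing which label port 443 traffic actually gets. The bare `flush ruleset` near the top of the file also deserves the same `# clear all prior state` comment that all-in-one.nft carries, since loading this example with `nft -f` removes every existing table in every family, not only a previous secmark setup. This hunk is the whole new file, so nothing is cut off outside it.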
@@ -1,5 +1,3 @@
-#!@sbindir@nft -f
-
 table arp filter {
 chain input { type filter hook input priority 0; }
 chain output { type filter hook output priority 0; }
diff --git a/files/nftables/bridge-filter.nft b/files/nftables/bridge-filter.nft
index 93efe864..f071205e 100755..100644
--- a/files/nftables/bridge-filter.nft
+++ b/files/nftables/bridge-filter.nft
@@ -1,5 +1,3 @@
-#!@sbindir@nft -f
-
 table bridge filter {
 chain input { type filter hook input priority -200; }
 chain forward { type filter hook forward priority -200; }
diff --git a/files/nftables/inet-filter.nft b/files/nftables/inet-filter.nft
index 7be447fd..bfe43b4f 100755..100644
--- a/files/nftables/inet-filter.nft
+++ b/files/nftables/inet-filter.nft
@@ -1,5 +1,3 @@
-#!@sbindir@nft -f
-
 table inet filter {
 chain input { type filter hook input priority 0; }
 chain forward { type filter hook forward priority 0; }
diff --git a/files/nftables/inet-nat.nft b/files/nftables/inet-nat.nft
index 52fcdb54..babd7f00 100755..100644
--- a/files/nftables/inet-nat.nft
+++ b/files/nftables/inet-nat.nft
@@ -1,5 +1,3 @@
-#!@sbindir@nft -f
-
 table inet nat {
 chain prerouting { type nat hook prerouting priority -100; }
 chain input { type nat hook input priority 100; }
diff --git a/files/nftables/ipv4-filter.nft b/files/nftables/ipv4-filter.nft
index 51c060f6..ab62024f 100755..100644
--- a/files/nftables/ipv4-filter.nft
+++ b/files/nftables/ipv4-filter.nft
@@ -1,5 +1,3 @@
-#!@sbindir@nft -f
-
 table filter {
 chain input { type filter hook input priority 0; }
 chain forward { type filter hook forward priority 0; }
diff --git a/files/nftables/ipv4-mangle.nft b/files/nftables/ipv4-mangle.nft
index dba8888c..07da5bd9 100755..100644
--- a/files/nftables/ipv4-mangle.nft
+++ b/files/nftables/ipv4-mangle.nft
@@ -1,5 +1,3 @@
-#!@sbindir@nft -f
-
 table mangle {
 chain output { type route hook output priority -150; }
 }
diff --git a/files/nftables/ipv4-nat.nft b/files/nftables/ipv4-nat.nft
index 6754e5ee..2c9ce7c5 100755..100644
--- a/files/nftables/ipv4-nat.nft
+++ b/files/nftables/ipv4-nat.nft
@@ -1,5 +1,3 @@
-#!@sbindir@nft -f
-
 table nat {
 chain prerouting { type nat hook prerouting priority -100; }
 chain input { type nat hook input priority 100; }
diff --git a/files/nftables/ipv4-raw.nft b/files/nftables/ipv4-raw.nft
index c3fed191..2318e875 100755..100644
--- a/files/nftables/ipv4-raw.nft
+++ b/files/nftables/ipv4-raw.nft
@@ -1,5 +1,3 @@
-#!@sbindir@nft -f
-
 table raw {
 chain prerouting { type filter hook prerouting priority -300; }
 chain output { type filter hook output priority -300; }
diff --git a/files/nftables/ipv6-filter.nft b/files/nftables/ipv6-filter.nft
index 266bed36..383d075d 100755..100644
--- a/files/nftables/ipv6-filter.nft
+++ b/files/nftables/ipv6-filter.nft
@@ -1,5 +1,3 @@
-#!@sbindir@nft -f
-
 table ip6 filter {
 chain input { type filter hook input priority 0; }
 chain forward { type filter hook forward priority 0; }
diff --git a/files/nftables/ipv6-mangle.nft b/files/nftables/ipv6-mangle.nft
index 6b3e20dc..88c51e52 100755..100644
--- a/files/nftables/ipv6-mangle.nft
+++ b/files/nftables/ipv6-mangle.nft
@@ -1,5 +1,3 @@
-#!@sbindir@nft -f
-
 table ip6 mangle {
 chain output { type route hook output priority -150; }
 }
diff --git a/files/nftables/ipv6-nat.nft b/files/nftables/ipv6-nat.nft
index ce0391df..6a356f1e 100755..100644
--- a/files/nftables/ipv6-nat.nft
+++ b/files/nftables/ipv6-nat.nft
@@ -1,5 +1,3 @@
-#!@sbindir@nft -f
-
 table ip6 nat {
 chain prerouting { type nat hook prerouting priority -100; }
 chain input { type nat hook input priority 100; }
diff --git a/files/nftables/ipv6-raw.nft b/files/nftables/ipv6-raw.nft
index 504fb3e5..f92668be 100755..100644
--- a/files/nftables/ipv6-raw.nft
+++ b/files/nftables/ipv6-raw.nft
@@ -1,5 +1,3 @@
-#!@sbindir@nft -f
-
 table ip6 raw {
 chain prerouting { type filter hook prerouting priority -300; }
 chain output { type filter hook output priority -300; }
diff --git a/files/nftables/netdev-ingress.nft b/files/nftables/netdev-ingress.nft
index 9e46b15a..3ed881af 100755..100644
--- a/files/nftables/netdev-ingress.nft
+++ b/files/nftables/netdev-ingress.nft
@@ -1,6 +1,4 @@
-#!@sbindir@nft -f
-
-# mind the NIC, it must exists
+# mind the NIC, it must exist
 table netdev filter {
 chain loinput { type filter hook ingress device lo priority 0; }
 }
diff --git a/files/osf/Makefile.am b/files/osf/Makefile.am
deleted file mode 100644
index d80196dd..00000000
--- a/files/osf/Makefile.am
+++ /dev/null
@@ -1,2 +0,0 @@
-pkgsysconfdir = ${sysconfdir}/nftables/osf
-dist_pkgsysconf_DATA = pf.os
|