diff options
Diffstat (limited to 'files')
| -rw-r--r-- | files/Makefile.am | 1 | ||||
| -rwxr-xr-x[-rw-r--r--] | files/examples/arp-filter.nft (renamed from files/nftables/arp-filter) | 2 | ||||
| -rwxr-xr-x[-rw-r--r--] | files/examples/bridge-filter.nft (renamed from files/nftables/bridge-filter) | 2 | ||||
| -rwxr-xr-x | files/examples/families_and_hooks.nft | 32 | ||||
| -rwxr-xr-x[-rw-r--r--] | files/examples/inet-filter.nft (renamed from files/nftables/inet-filter) | 2 | ||||
| -rwxr-xr-x[-rw-r--r--] | files/examples/ipv4-filter.nft (renamed from files/nftables/ipv4-filter) | 2 | ||||
| -rwxr-xr-x[-rw-r--r--] | files/examples/ipv4-mangle.nft (renamed from files/nftables/ipv4-mangle) | 2 | ||||
| -rwxr-xr-x[-rw-r--r--] | files/examples/ipv4-nat.nft (renamed from files/nftables/ipv4-nat) | 2 | ||||
| -rwxr-xr-x[-rw-r--r--] | files/examples/ipv4-raw.nft (renamed from files/nftables/ipv4-raw) | 2 | ||||
| -rwxr-xr-x[-rw-r--r--] | files/examples/ipv6-filter.nft (renamed from files/nftables/ipv6-filter) | 2 | ||||
| -rwxr-xr-x[-rw-r--r--] | files/examples/ipv6-mangle.nft (renamed from files/nftables/ipv6-mangle) | 2 | ||||
| -rwxr-xr-x[-rw-r--r--] | files/examples/ipv6-nat.nft (renamed from files/nftables/ipv6-nat) | 2 | ||||
| -rwxr-xr-x[-rw-r--r--] | files/examples/ipv6-raw.nft (renamed from files/nftables/ipv6-raw) | 2 | ||||
| -rwxr-xr-x | files/examples/netdev-ingress.nft | 7 | ||||
| -rwxr-xr-x | files/examples/sets_and_maps.nft (renamed from files/examples/sets_and_maps) | 9 | ||||
| -rw-r--r-- | files/nftables/Makefile.am | 16 |
16 files changed, 55 insertions, 32 deletions
diff --git a/files/Makefile.am b/files/Makefile.am deleted file mode 100644 index a8394c06..00000000 --- a/files/Makefile.am +++ /dev/null @@ -1 +0,0 @@ -SUBDIRS = nftables diff --git a/files/nftables/arp-filter b/files/examples/arp-filter.nft index bcabf28a..13166bda 100644..100755 --- a/files/nftables/arp-filter +++ b/files/examples/arp-filter.nft @@ -1,4 +1,4 @@ -#! @sbindir@nft -f +#!/usr/sbin/nft -f table arp filter { chain input { type filter hook input priority 0; } diff --git a/files/nftables/bridge-filter b/files/examples/bridge-filter.nft index 2add455d..7e3cad40 100644..100755 --- a/files/nftables/bridge-filter +++ b/files/examples/bridge-filter.nft @@ -1,4 +1,4 @@ -#! @sbindir@nft -f +#!/usr/sbin/nft -f table bridge filter { chain input { type filter hook input priority -200; } diff --git a/files/examples/families_and_hooks.nft b/files/examples/families_and_hooks.nft new file mode 100755 index 00000000..e6d9ee23 --- /dev/null +++ b/files/examples/families_and_hooks.nft @@ -0,0 +1,32 @@ +#!/usr/sbin/nft -f + +# Here is an example of different families, hooks and priorities in the +# nftables framework, all mixed together. +# This script is mean to be loaded with `nft -f <file>` +# For up-to-date information please visit https://wiki.nftables.org + +flush ruleset + +# native dual stack IPv4 & IPv6 family +include "./inet-filter.nft" + +# netdev family at ingress hook. Attached to a given NIC +include "./netdev-ingress.nft" + +# IPv4 family, typical iptables tables/chains layout +include "./ipv4-filter.nft" +include "./ipv4-mangle.nft" +include "./ipv4-nat.nft" +include "./ipv4-raw.nft" + +# IPv6 family, typical ip6tables tables/chains layout +include "./ipv6-filter.nft" +include "./ipv6-mangle.nft" +include "./ipv6-nat.nft" +include "./ipv6-raw.nft" + +# ARP family, typical arptables tables/chain layout +include "./arp-filter.nft" + +# bridge family, typical ebtables tables/chain layout +include "./bridge-filter.nft" diff --git a/files/nftables/inet-filter b/files/examples/inet-filter.nft index f572db59..e5c8c54f 100644..100755 --- a/files/nftables/inet-filter +++ b/files/examples/inet-filter.nft @@ -1,4 +1,4 @@ -#! @sbindir@nft -f +#!/usr/sbin/nft -f table inet filter { chain input { type filter hook input priority 0; } diff --git a/files/nftables/ipv4-filter b/files/examples/ipv4-filter.nft index a4ca7f25..73b11bc9 100644..100755 --- a/files/nftables/ipv4-filter +++ b/files/examples/ipv4-filter.nft @@ -1,4 +1,4 @@ -#! @sbindir@nft -f +#!/usr/sbin/nft -f table filter { chain input { type filter hook input priority 0; } diff --git a/files/nftables/ipv4-mangle b/files/examples/ipv4-mangle.nft index be564a51..2827ddfa 100644..100755 --- a/files/nftables/ipv4-mangle +++ b/files/examples/ipv4-mangle.nft @@ -1,4 +1,4 @@ -#! @sbindir@nft -f +#!/usr/sbin/nft -f table mangle { chain output { type route hook output priority -150; } diff --git a/files/nftables/ipv4-nat b/files/examples/ipv4-nat.nft index 130a729b..fd3bb40c 100644..100755 --- a/files/nftables/ipv4-nat +++ b/files/examples/ipv4-nat.nft @@ -1,4 +1,4 @@ -#! @sbindir@nft -f +#!/usr/sbin/nft -f table nat { chain prerouting { type nat hook prerouting priority -100; } diff --git a/files/nftables/ipv4-raw b/files/examples/ipv4-raw.nft index 19773ee8..91fc138b 100644..100755 --- a/files/nftables/ipv4-raw +++ b/files/examples/ipv4-raw.nft @@ -1,4 +1,4 @@ -#! @sbindir@nft -f +#!/usr/sbin/nft -f table raw { chain prerouting { type filter hook prerouting priority -300; } diff --git a/files/nftables/ipv6-filter b/files/examples/ipv6-filter.nft index ce4d7de2..21f06a38 100644..100755 --- a/files/nftables/ipv6-filter +++ b/files/examples/ipv6-filter.nft @@ -1,4 +1,4 @@ -#! @sbindir@nft -f +#!/usr/sbin/nft -f table ip6 filter { chain input { type filter hook input priority 0; } diff --git a/files/nftables/ipv6-mangle b/files/examples/ipv6-mangle.nft index fa32402a..e92dbef6 100644..100755 --- a/files/nftables/ipv6-mangle +++ b/files/examples/ipv6-mangle.nft @@ -1,4 +1,4 @@ -#! @sbindir@nft -f +#!/usr/sbin/nft -f table ip6 mangle { chain output { type route hook output priority -150; } diff --git a/files/nftables/ipv6-nat b/files/examples/ipv6-nat.nft index e7816860..7437c193 100644..100755 --- a/files/nftables/ipv6-nat +++ b/files/examples/ipv6-nat.nft @@ -1,4 +1,4 @@ -#! @sbindir@nft -f +#!/usr/sbin/nft -f table ip6 nat { chain prerouting { type nat hook prerouting priority -100; } diff --git a/files/nftables/ipv6-raw b/files/examples/ipv6-raw.nft index 5ee56a83..812703aa 100644..100755 --- a/files/nftables/ipv6-raw +++ b/files/examples/ipv6-raw.nft @@ -1,4 +1,4 @@ -#! @sbindir@nft -f +#!/usr/sbin/nft -f table ip6 raw { chain prerouting { type filter hook prerouting priority -300; } diff --git a/files/examples/netdev-ingress.nft b/files/examples/netdev-ingress.nft new file mode 100755 index 00000000..2585d154 --- /dev/null +++ b/files/examples/netdev-ingress.nft @@ -0,0 +1,7 @@ +#!/usr/sbin/nft -f + +# mind the NIC, it must exists +table netdev filter { + chain loinput { type filter hook ingress device lo priority 0; } +} + diff --git a/files/examples/sets_and_maps b/files/examples/sets_and_maps.nft index 58369a31..f5157b3b 100755 --- a/files/examples/sets_and_maps +++ b/files/examples/sets_and_maps.nft @@ -1,7 +1,8 @@ -#! /sbin/nft -nf -# -# Examples of set and map usage -# +#!/usr/sbin/nft -f + +# This example file shows how to use sets and maps in the nftables framework. +# This script is meant to be loaded with `nft -f <file>` +# For up-to-date information please visit https://wiki.nftables.org # symbolic anonymous set definition built from symbolic singleton definitions define int_if1 = eth0 diff --git a/files/nftables/Makefile.am b/files/nftables/Makefile.am deleted file mode 100644 index 77d5c2a6..00000000 --- a/files/nftables/Makefile.am +++ /dev/null @@ -1,16 +0,0 @@ - -pkgsysconfdir = ${sysconfdir}/nftables -dist_pkgsysconf_DATA = arp-filter \ - bridge-filter \ - inet-filter \ - ipv4-filter \ - ipv4-mangle \ - ipv4-nat \ - ipv4-raw \ - ipv6-filter \ - ipv6-mangle \ - ipv6-nat \ - ipv6-raw - -install-data-hook: - ${SED} -i 's|@sbindir[@]|${sbindir}/|g' ${DESTDIR}${pkgsysconfdir}/* |