author | Florian Westphal <fw@strlen.de> | 2017-08-23 17:54:19 +0200 |
---|---|---|
committer | Florian Westphal <fw@strlen.de> | 2017-08-23 23:42:13 +0200 |
commit | c06413211e6f5f8720fa75909f84b6c0b8c17d68 (patch) | |
tree | a41990f4cb9943d3eb16e0cec9679ee8aa9b8dc4 | |
parent | 17841a1975cd1c4346f243144f775a8cb17c50b5 (diff) |
files: add arp filter and add in/output to nat skeleton
Signed-off-by: Florian Westphal <fw@strlen.de>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
-rw-r--r-- | files/nftables/Makefile.am | 3 | ||||
-rw-r--r-- | files/nftables/arp-filter | 6 | ||||
-rw-r--r-- | files/nftables/ipv4-nat | 6 | ||||
-rw-r--r-- | files/nftables/ipv6-nat | 6 |
4 files changed, 16 insertions, 5 deletions
diff --git a/files/nftables/Makefile.am b/files/nftables/Makefile.am
index a4c7ac7c..77d5c2a6 100644
--- a/files/nftables/Makefile.am
+++ b/files/nftables/Makefile.am
@@ -1,6 +1,7 @@
 pkgsysconfdir = ${sysconfdir}/nftables
-dist_pkgsysconf_DATA = bridge-filter \
+dist_pkgsysconf_DATA = arp-filter \
+ bridge-filter \
 inet-filter \
 ipv4-filter \
 ipv4-mangle \
diff --git a/files/nftables/arp-filter b/files/nftables/arp-filter
new file mode 100644
index 00000000..bcabf28a
--- /dev/null
+++ b/files/nftables/arp-filter
@@ -0,0 +1,6 @@
+#! @sbindir@nft -f
+
+table arp filter {
+ chain input { type filter hook input priority 0; }
+ chain output { type filter hook output priority 0; }
+}
diff --git a/files/nftables/ipv4-nat b/files/nftables/ipv4-nat
index 01c6c3d8..130a729b 100644
--- a/files/nftables/ipv4-nat
+++ b/files/nftables/ipv4-nat
@@ -1,6 +1,8 @@
 #! @sbindir@nft -f
 table nat {
- chain prerouting { type nat hook prerouting priority -150; }
- chain postrouting { type nat hook postrouting priority -150; }
+ chain prerouting { type nat hook prerouting priority -100; }
+ chain input { type nat hook input priority 100; }
+ chain output { type nat hook output priority -100; }
+ chain postrouting { type nat hook postrouting priority 100; }
 }
diff --git a/files/nftables/ipv6-nat b/files/nftables/ipv6-nat
index 3f57c56d..e7816860 100644
--- a/files/nftables/ipv6-nat
+++ b/files/nftables/ipv6-nat
@@ -1,6 +1,8 @@
 #! @sbindir@nft -f
 table ip6 nat {
- chain prerouting { type nat hook prerouting priority -150; }
- chain postrouting { type nat hook postrouting priority -150; }
+ chain prerouting { type nat hook prerouting priority -100; }
+ chain input { type nat hook input priority 100; }
+ chain output { type nat hook output priority -100; }
+ chain postrouting { type nat hook postrouting priority 100; }
 } |
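Review bot: The new arp-filter skeleton carries no comment saying that both base chains are empty and, with no `policy` statement, use the default accept policy, so loading the file as shipped filters no ARP traffic. A header line such as `# skeleton: chains are empty and accept everything until rules or a policy are added` above `table arp filter {` would make that explicit for anyone installing it as a starting point for ARP filtering. The shebang `#! @sbindir@nft -f` matches the ipv4-nat and ipv6-nat files shown on this page; whether `@sbindir@` is substituted with a trailing slash at install time is not visible here and is worth confirming.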
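Review bot: The priorities in the four nat chains are bare numbers, and the move of prerouting and postrouting away from -150 is explained neither in the file nor in the commit message, which only mentions the added input/output chains. -100 and 100 are the values the kernel uses for destination and source NAT, while -150 is the mangle priority, so a comment such as `# priorities: -100 = destination NAT, 100 = source NAT` after the shebang would show why output pairs with prerouting and input with postrouting. Rule sets copied from the old skeleton keep the -150 ordering relative to their mangle and filter chains, so the description should call out the change. The same applies to the ipv6-nat hunk.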