authorPhil Sutter <phil@nwl.cc>2019-07-04 12:22:45 +0200
committerPablo Neira Ayuso <pablo@netfilter.org>2019-07-04 14:36:18 +0200
commit12116390acb3b924393fca6ed45101f305b4d35c (patch)
tree0da2854dbfc2d9749e31a80a19c85ce46c5d918d
parent226a0e072d5c1edeb53cb61b959b011168c5c29a (diff)
files: Add inet family nat config
Signed-off-by: Phil Sutter <phil@nwl.cc> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
-rw-r--r--files/nftables/Makefile.am1
-rwxr-xr-xfiles/nftables/all-in-one.nft1
-rwxr-xr-xfiles/nftables/inet-nat.nft8
3 files changed, 10 insertions, 0 deletions
diff --git a/files/nftables/Makefile.am b/files/nftables/Makefile.am
index a93b7978..2a511cd1 100644
--- a/files/nftables/Makefile.am
+++ b/files/nftables/Makefile.am
@@ -3,6 +3,7 @@ dist_pkgsysconf_DATA = all-in-one.nft \
arp-filter.nft \
bridge-filter.nft \
inet-filter.nft \
+ inet-nat.nft \
ipv4-filter.nft \
ipv4-mangle.nft \
ipv4-nat.nft \
diff --git a/files/nftables/all-in-one.nft b/files/nftables/all-in-one.nft
index 4ccc0432..d3aa7f37 100755
--- a/files/nftables/all-in-one.nft
+++ b/files/nftables/all-in-one.nft
@@ -13,6 +13,7 @@ flush ruleset
# native dual stack IPv4 & IPv6 family
include "./inet-filter.nft"
+include "./inet-nat.nft"
# netdev family at ingress hook. Attached to a given NIC
include "./netdev-ingress.nft"
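Review bot: The unconditional `include "./inet-nat.nft"` makes loading all-in-one.nft depend on kernel support for `type nat` chains in the inet family, which as far as I know only arrived with Linux 5.2. Because `nft -f` applies a file as a single transaction, a kernel without that support would presumably reject the whole file, filter tables included, and the host would keep whatever ruleset was loaded before. I would add a comment above the include so an operator knows what to remove, e.g. `# inet nat needs kernel support for NAT in the inet family; drop this include on older kernels`.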
diff --git a/files/nftables/inet-nat.nft b/files/nftables/inet-nat.nft
new file mode 100755
index 00000000..52fcdb54
--- /dev/null
+++ b/files/nftables/inet-nat.nft
@@ -0,0 +1,8 @@
+#!@sbindir@nft -f
+
+table inet nat {
+ chain prerouting { type nat hook prerouting priority -100; }
+ chain input { type nat hook input priority 100; }
+ chain output { type nat hook output priority -100; }
+ chain postrouting { type nat hook postrouting priority 100; }
+}
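Review bot: The new inet-nat.nft has no comment explaining what the four empty base chains are for or what loading them implies. Registering `type nat` chains attaches NAT hooks, and those enable connection tracking for the namespace even while the chains hold no rules. Makefile.am also still ships the per-family ipv4-nat.nft, so a reader cannot tell which table is meant to carry NAT rules when both are loaded; whether all-in-one.nft includes both is not visible in this diff. A header comment after the shebang would cover it, for example `# NAT base chains for the inet family (IPv4 and IPv6 in one table); loading this registers NAT hooks and enables conntrack`.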