Diffstat (limited to 'files/examples')
-rwxr-xr-xfiles/examples/arp-filter.nft6
-rwxr-xr-xfiles/examples/bridge-filter.nft7
-rwxr-xr-xfiles/examples/families_and_hooks.nft32
-rwxr-xr-xfiles/examples/inet-filter.nft7
-rwxr-xr-xfiles/examples/ipv4-filter.nft7
-rwxr-xr-xfiles/examples/ipv4-mangle.nft5
-rwxr-xr-xfiles/examples/ipv4-nat.nft8
-rwxr-xr-xfiles/examples/ipv4-raw.nft6
-rwxr-xr-xfiles/examples/ipv6-filter.nft7
-rwxr-xr-xfiles/examples/ipv6-mangle.nft5
-rwxr-xr-xfiles/examples/ipv6-nat.nft8
-rwxr-xr-xfiles/examples/ipv6-raw.nft6
-rwxr-xr-xfiles/examples/netdev-ingress.nft7
-rwxr-xr-xfiles/examples/sets_and_maps.nft (renamed from files/examples/sets_and_maps)9
14 files changed, 116 insertions, 4 deletions
diff --git a/files/examples/arp-filter.nft b/files/examples/arp-filter.nft
new file mode 100755
index 00000000..13166bda
--- /dev/null
+++ b/files/examples/arp-filter.nft
@@ -0,0 +1,6 @@
+#!/usr/sbin/nft -f
+
+table arp filter {
+ chain input { type filter hook input priority 0; }
+ chain output { type filter hook output priority 0; }
+}
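Review bot: The base chains in this file carry no `policy` clause, so they fall back to the default accept policy and, having no rules, leave traffic unfiltered; the same holds for every chain in bridge-filter.nft, inet-filter.nft, ipv4-filter.nft, ipv6-filter.nft, netdev-ingress.nft and the raw, mangle and nat files. For example files that readers copy into real configurations that deserves to be stated, e.g. a header comment `# Skeleton only: the chains hold no rules and use the default policy (accept).` Spelling the policy out per chain, `chain input { type filter hook input priority 0; policy accept; }`, would also give readers the exact spot to change when they turn the skeleton into a real filter.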
diff --git a/files/examples/bridge-filter.nft b/files/examples/bridge-filter.nft
new file mode 100755
index 00000000..7e3cad40
--- /dev/null
+++ b/files/examples/bridge-filter.nft
@@ -0,0 +1,7 @@
+#!/usr/sbin/nft -f
+
+table bridge filter {
+ chain input { type filter hook input priority -200; }
+ chain forward { type filter hook forward priority -200; }
+ chain output { type filter hook output priority 200; }
+}
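Review bot: The output chain uses priority 200 while input and forward use -200, which reads like a typo when nothing explains it; presumably it mirrors the kernel's bridge hook ordering for the ebtables filter table, where bridged traffic is filtered at -200 and other traffic at 200. A one-line comment above the chain, such as `# output uses the bridge 'filter other' priority (200), not -200`, would keep readers from "fixing" the value.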
diff --git a/files/examples/families_and_hooks.nft b/files/examples/families_and_hooks.nft
new file mode 100755
index 00000000..e6d9ee23
--- /dev/null
+++ b/files/examples/families_and_hooks.nft
@@ -0,0 +1,32 @@
+#!/usr/sbin/nft -f
+
+# Here is an example of different families, hooks and priorities in the
+# nftables framework, all mixed together.
+# This script is mean to be loaded with `nft -f <file>`
+# For up-to-date information please visit https://wiki.nftables.org
+
+flush ruleset
+
+# native dual stack IPv4 & IPv6 family
+include "./inet-filter.nft"
+
+# netdev family at ingress hook. Attached to a given NIC
+include "./netdev-ingress.nft"
+
+# IPv4 family, typical iptables tables/chains layout
+include "./ipv4-filter.nft"
+include "./ipv4-mangle.nft"
+include "./ipv4-nat.nft"
+include "./ipv4-raw.nft"
+
+# IPv6 family, typical ip6tables tables/chains layout
+include "./ipv6-filter.nft"
+include "./ipv6-mangle.nft"
+include "./ipv6-nat.nft"
+include "./ipv6-raw.nft"
+
+# ARP family, typical arptables tables/chain layout
+include "./arp-filter.nft"
+
+# bridge family, typical ebtables tables/chain layout
+include "./bridge-filter.nft"
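Review bot: `flush ruleset` on the line before the includes deletes every table on the host, including tables that were not created by these examples, and the header comment does not mention it; the comment should warn that loading this file replaces the whole ruleset, e.g. `# Loading this file flushes the entire existing ruleset first.` The same header has a typo: `# This script is mean to be loaded` should read `# This script is meant to be loaded`. The includes use `./` paths, so presumably the file has to be loaded from this directory or with a matching include path; that is worth a sentence in the header as well.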
diff --git a/files/examples/inet-filter.nft b/files/examples/inet-filter.nft
new file mode 100755
index 00000000..e5c8c54f
--- /dev/null
+++ b/files/examples/inet-filter.nft
@@ -0,0 +1,7 @@
+#!/usr/sbin/nft -f
+
+table inet filter {
+ chain input { type filter hook input priority 0; }
+ chain forward { type filter hook forward priority 0; }
+ chain output { type filter hook output priority 0; }
+}
diff --git a/files/examples/ipv4-filter.nft b/files/examples/ipv4-filter.nft
new file mode 100755
index 00000000..73b11bc9
--- /dev/null
+++ b/files/examples/ipv4-filter.nft
@@ -0,0 +1,7 @@
+#!/usr/sbin/nft -f
+
+table filter {
+ chain input { type filter hook input priority 0; }
+ chain forward { type filter hook forward priority 0; }
+ chain output { type filter hook output priority 0; }
+}
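Review bot: `table filter {` omits the address family, so the reader has to know that nft defaults it to `ip`; ipv4-mangle.nft, ipv4-nat.nft and ipv4-raw.nft do the same, while the ipv6 counterparts spell out `ip6`. Since these files exist to contrast families, write `table ip filter {` (and `table ip mangle`, `table ip nat`, `table ip raw` in the sibling files) so the family is as visible as in the other examples.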
diff --git a/files/examples/ipv4-mangle.nft b/files/examples/ipv4-mangle.nft
new file mode 100755
index 00000000..2827ddfa
--- /dev/null
+++ b/files/examples/ipv4-mangle.nft
@@ -0,0 +1,5 @@
+#!/usr/sbin/nft -f
+
+table mangle {
+ chain output { type route hook output priority -150; }
+}
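Review bot: The mangle table defines only an output chain of `type route`, while families_and_hooks.nft introduces these files as the typical iptables layout, and the iptables mangle table also hooks prerouting, input, forward and postrouting. The `route` chain type is only valid on the output hook, where it re-evaluates routing after a rule changes the packet mark or header fields, so the remaining mangle hooks would have to be `type filter`; a comment such as `# 'route' is output-only; the other mangle hooks would use type filter` would explain why just one chain appears here. ipv6-mangle.nft has the same shape and would need the same comment.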
diff --git a/files/examples/ipv4-nat.nft b/files/examples/ipv4-nat.nft
new file mode 100755
index 00000000..fd3bb40c
--- /dev/null
+++ b/files/examples/ipv4-nat.nft
@@ -0,0 +1,8 @@
+#!/usr/sbin/nft -f
+
+table nat {
+ chain prerouting { type nat hook prerouting priority -100; }
+ chain input { type nat hook input priority 100; }
+ chain output { type nat hook output priority -100; }
+ chain postrouting { type nat hook postrouting priority 100; }
+}
diff --git a/files/examples/ipv4-raw.nft b/files/examples/ipv4-raw.nft
new file mode 100755
index 00000000..91fc138b
--- /dev/null
+++ b/files/examples/ipv4-raw.nft
@@ -0,0 +1,6 @@
+#!/usr/sbin/nft -f
+
+table raw {
+ chain prerouting { type filter hook prerouting priority -300; }
+ chain output { type filter hook output priority -300; }
+}
diff --git a/files/examples/ipv6-filter.nft b/files/examples/ipv6-filter.nft
new file mode 100755
index 00000000..21f06a38
--- /dev/null
+++ b/files/examples/ipv6-filter.nft
@@ -0,0 +1,7 @@
+#!/usr/sbin/nft -f
+
+table ip6 filter {
+ chain input { type filter hook input priority 0; }
+ chain forward { type filter hook forward priority 0; }
+ chain output { type filter hook output priority 0; }
+}
diff --git a/files/examples/ipv6-mangle.nft b/files/examples/ipv6-mangle.nft
new file mode 100755
index 00000000..e92dbef6
--- /dev/null
+++ b/files/examples/ipv6-mangle.nft
@@ -0,0 +1,5 @@
+#!/usr/sbin/nft -f
+
+table ip6 mangle {
+ chain output { type route hook output priority -150; }
+}
diff --git a/files/examples/ipv6-nat.nft b/files/examples/ipv6-nat.nft
new file mode 100755
index 00000000..7437c193
--- /dev/null
+++ b/files/examples/ipv6-nat.nft
@@ -0,0 +1,8 @@
+#!/usr/sbin/nft -f
+
+table ip6 nat {
+ chain prerouting { type nat hook prerouting priority -100; }
+ chain input { type nat hook input priority 100; }
+ chain output { type nat hook output priority -100; }
+ chain postrouting { type nat hook postrouting priority 100; }
+}
diff --git a/files/examples/ipv6-raw.nft b/files/examples/ipv6-raw.nft
new file mode 100755
index 00000000..812703aa
--- /dev/null
+++ b/files/examples/ipv6-raw.nft
@@ -0,0 +1,6 @@
+#!/usr/sbin/nft -f
+
+table ip6 raw {
+ chain prerouting { type filter hook prerouting priority -300; }
+ chain output { type filter hook output priority -300; }
+}
diff --git a/files/examples/netdev-ingress.nft b/files/examples/netdev-ingress.nft
new file mode 100755
index 00000000..2585d154
--- /dev/null
+++ b/files/examples/netdev-ingress.nft
@@ -0,0 +1,7 @@
+#!/usr/sbin/nft -f
+
+# mind the NIC, it must exists
+table netdev filter {
+ chain loinput { type filter hook ingress device lo priority 0; }
+}
+
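Review bot: The comment `# mind the NIC, it must exists` has a grammar slip and stops short of saying what happens otherwise; `# mind the NIC: it must exist, or loading this file fails` would be clearer (that failure mode is what the wording implies, worth confirming against nft's behaviour). The example binds to `lo`, the one device that is always present, and a note saying so would tell readers why it was chosen and that they should substitute their real interface. The file also ends with an extra blank line after the closing brace.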
diff --git a/files/examples/sets_and_maps b/files/examples/sets_and_maps.nft
index 58369a31..f5157b3b 100755
--- a/files/examples/sets_and_maps
+++ b/files/examples/sets_and_maps.nft
@@ -1,7 +1,8 @@
-#! /sbin/nft -nf
-#
-# Examples of set and map usage
-#
+#!/usr/sbin/nft -f
+
+# This example file shows how to use sets and maps in the nftables framework.
+# This script is meant to be loaded with `nft -f <file>`
+# For up-to-date information please visit https://wiki.nftables.org
# symbolic anonymous set definition built from symbolic singleton definitions
define int_if1 = eth0