13 files changed, 124 insertions, 0 deletions

diff --git a/files/nftables/Makefile.am b/files/nftables/Makefile.am
new file mode 100644
index 00000000..43e30281
--- /dev/null
+++ b/files/nftables/Makefile.am
@@ -0,0 +1,16 @@
+pkgsysconfdir = ${sysconfdir}/nftables
+dist_pkgsysconf_DATA =	all-in-one.nft		\
+			arp-filter.nft		\
+			bridge-filter.nft	\
+			inet-filter.nft		\
+			ipv4-filter.nft		\
+			ipv4-mangle.nft		\
+			ipv4-nat.nft		\
+			ipv4-raw.nft		\
+			ipv6-filter.nft		\
+			ipv6-mangle.nft		\
+			ipv6-nat.nft		\
+			ipv6-raw.nft
+
+install-data-hook:
+	${SED} -i 's|@sbindir[@]|${sbindir}/|g' ${DESTDIR}${pkgsysconfdir}/*
diff --git a/files/nftables/all-in-one.nft b/files/nftables/all-in-one.nft
new file mode 100755
index 00000000..4ccc0432
--- /dev/null
+++ b/files/nftables/all-in-one.nft
@@ -0,0 +1,36 @@
+#!@sbindir@nft -f
+
+# Here is an example of different families, hooks and priorities in the
+# nftables framework, all mixed together.
+#
+# more examples are located in files/examples in nftables source.
+# For up-to-date information please visit https://wiki.nftables.org
+#
+# This script is mean to be loaded with `nft -f <file>`
+
+# clear all prior state
+flush ruleset
+
+# native dual stack IPv4 & IPv6 family
+include "./inet-filter.nft"
+
+# netdev family at ingress hook. Attached to a given NIC
+include "./netdev-ingress.nft"
+
+# IPv4 family, typical iptables tables/chains layout
+include "./ipv4-filter.nft"
+include "./ipv4-mangle.nft"
+include "./ipv4-nat.nft"
+include "./ipv4-raw.nft"
+
+# IPv6 family, typical ip6tables tables/chains layout
+include "./ipv6-filter.nft"
+include "./ipv6-mangle.nft"
+include "./ipv6-nat.nft"
+include "./ipv6-raw.nft"
+
+# ARP family, typical arptables tables/chain layout
+include "./arp-filter.nft"
+
+# bridge family, typical ebtables tables/chain layout
+include "./bridge-filter.nft"
diff --git a/files/nftables/arp-filter.nft b/files/nftables/arp-filter.nft
new file mode 100755
index 00000000..8a350b1e
--- /dev/null
+++ b/files/nftables/arp-filter.nft
@@ -0,0 +1,6 @@
+#!@sbindir@nft -f
+
+table arp filter {
+	chain input		{ type filter hook input priority 0; }
+	chain output		{ type filter hook output priority 0; }
+}
diff --git a/files/nftables/bridge-filter.nft b/files/nftables/bridge-filter.nft
new file mode 100755
index 00000000..93efe864
--- /dev/null
+++ b/files/nftables/bridge-filter.nft
@@ -0,0 +1,7 @@
+#!@sbindir@nft -f
+
+table bridge filter {
+	chain input		{ type filter hook input priority -200; }
+	chain forward		{ type filter hook forward priority -200; }
+	chain output		{ type filter hook output priority 200; }
+}
diff --git a/files/nftables/inet-filter.nft b/files/nftables/inet-filter.nft
new file mode 100755
index 00000000..7be447fd
--- /dev/null
+++ b/files/nftables/inet-filter.nft
@@ -0,0 +1,7 @@
+#!@sbindir@nft -f
+
+table inet filter {
+	chain input		{ type filter hook input priority 0; }
+	chain forward		{ type filter hook forward priority 0; }
+	chain output		{ type filter hook output priority 0; }
+}
diff --git a/files/nftables/ipv4-filter.nft b/files/nftables/ipv4-filter.nft
new file mode 100755
index 00000000..51c060f6
--- /dev/null
+++ b/files/nftables/ipv4-filter.nft
@@ -0,0 +1,7 @@
+#!@sbindir@nft -f
+
+table filter {
+	chain input		{ type filter hook input priority 0; }
+	chain forward		{ type filter hook forward priority 0; }
+	chain output		{ type filter hook output priority 0; }
+}
diff --git a/files/nftables/ipv4-mangle.nft b/files/nftables/ipv4-mangle.nft
new file mode 100755
index 00000000..dba8888c
--- /dev/null
+++ b/files/nftables/ipv4-mangle.nft
@@ -0,0 +1,5 @@
+#!@sbindir@nft -f
+
+table mangle {
+	chain output		{ type route hook output priority -150; }
+}
diff --git a/files/nftables/ipv4-nat.nft b/files/nftables/ipv4-nat.nft
new file mode 100755
index 00000000..6754e5ee
--- /dev/null
+++ b/files/nftables/ipv4-nat.nft
@@ -0,0 +1,8 @@
+#!@sbindir@nft -f
+
+table nat {
+	chain prerouting	{ type nat hook prerouting priority -100; }
+	chain input		{ type nat hook input priority 100; }
+	chain output		{ type nat hook output priority -100; }
+	chain postrouting	{ type nat hook postrouting priority 100; }
+}
diff --git a/files/nftables/ipv4-raw.nft b/files/nftables/ipv4-raw.nft
new file mode 100755
index 00000000..c3fed191
--- /dev/null
+++ b/files/nftables/ipv4-raw.nft
@@ -0,0 +1,6 @@
+#!@sbindir@nft -f
+
+table raw {
+	chain prerouting	{ type filter hook prerouting priority -300; }
+	chain output		{ type filter hook output priority -300; }
+}
diff --git a/files/nftables/ipv6-filter.nft b/files/nftables/ipv6-filter.nft
new file mode 100755
index 00000000..266bed36
--- /dev/null
+++ b/files/nftables/ipv6-filter.nft
@@ -0,0 +1,7 @@
+#!@sbindir@nft -f
+
+table ip6 filter {
+	chain input		{ type filter hook input priority 0; }
+	chain forward		{ type filter hook forward priority 0; }
+	chain output		{ type filter hook output priority 0; }
+}
diff --git a/files/nftables/ipv6-mangle.nft b/files/nftables/ipv6-mangle.nft
new file mode 100755
index 00000000..6b3e20dc
--- /dev/null
+++ b/files/nftables/ipv6-mangle.nft
@@ -0,0 +1,5 @@
+#!@sbindir@nft -f
+
+table ip6 mangle {
+	chain output		{ type route hook output priority -150; }
+}
diff --git a/files/nftables/ipv6-nat.nft b/files/nftables/ipv6-nat.nft
new file mode 100755
index 00000000..ce0391df
--- /dev/null
+++ b/files/nftables/ipv6-nat.nft
@@ -0,0 +1,8 @@
+#!@sbindir@nft -f
+
+table ip6 nat {
+	chain prerouting	{ type nat hook prerouting priority -100; }
+	chain input 		{ type nat hook input priority 100; }
+	chain output  		{ type nat hook output priority -100; }
+	chain postrouting	{ type nat hook postrouting priority 100; }
+}
diff --git a/files/nftables/ipv6-raw.nft b/files/nftables/ipv6-raw.nft
new file mode 100755
index 00000000..504fb3e5
--- /dev/null
+++ b/files/nftables/ipv6-raw.nft
@@ -0,0 +1,6 @@
+#!@sbindir@nft -f
+
+table ip6 raw {
+	chain prerouting	{ type filter hook prerouting priority -300; }
+	chain output		{ type filter hook output priority -300; }
+}