path: root/files
Commit message  [Author, Date; Files changed, Lines -/+]
* files: improve secmark.nft example  [Dominick Grift, 2021-05-24; 1 file, -5/+5]

    use proper priorities to ensure that ct works properly

    Signed-off-by: Dominick Grift <dominick.grift@defensec.nl>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* files: move example files away from /etc  [Jan Engelhardt, 2021-04-03; 1 file, -2/+1]

    As per file-hierarchy(5), /etc is for "system-specific configuration",
    not "vendor-supplied default configuration files". Moreover, the
    comments in all-in-one.nft say it is an example, and so, not a vendor
    config either. Move it out of /etc.

    Signed-off-by: Jan Engelhardt <jengelh@inai.de>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* files: add example secmark config  [Christian Göttsche, 2019-11-25; 2 files, -0/+88]

    Signed-off-by: Christian Göttsche <cgzones@googlemail.com>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* files: Drop shebangs from config files  [Phil Sutter, 2019-11-19; 15 files, -33/+2]

    These are not meant to be executed as is but instead loaded via
    'nft -f' - all-in-one.nft even points this out in its header comment.
    While at it, fix two spelling mistakes found along the way.

    Consequently remove the executable bits - being registered in automake
    as dist_pkgsysconf_DATA, they're changed to 644 upon installation
    anyway.

    Also there is obviously no need for replacement of the nft binary path
    anymore, drop that bit from Makefile.am.

    Signed-off-by: Phil Sutter <phil@nwl.cc>
    Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* files: Install sample scripts from files/examples  [Phil Sutter, 2019-11-19; 2 files, -0/+5]

    Assuming these are still relevant and useful as a source of
    inspiration, install them into DATAROOTDIR/doc/nftables/examples.

    Signed-off-by: Phil Sutter <phil@nwl.cc>
    Acked-by: Arturo Borrero Gonzalez <arturo@netfilter.org>
    Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* files: Add inet family nat config  [Phil Sutter, 2019-07-04; 3 files, -0/+10]

    Signed-off-by: Phil Sutter <phil@nwl.cc>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* files: Move netdev-ingress.nft to /etc/nftables as well  [Phil Sutter, 2019-07-03; 2 files, -2/+3]

    Commit 13535a3b40b62 ("files: restore base table skeletons") moved
    config skeletons back from examples/ to /etc/nftables/ directory, but
    ignored the fact that commit 6c9230e79339c ("nftables: rearrange files
    and examples") added a new file 'netdev-ingress.nft' which is
    referenced from 'all-in-one.nft' as well.

    Fixes: 13535a3b40b62 ("files: restore base table skeletons")
    Signed-off-by: Phil Sutter <phil@nwl.cc>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* files: pf.os: merge the signatures split by version  [Fernando Fernandez Mancera, 2019-04-08; 1 file, -26/+14]

    In order to be able to identify the OS version we need to merge the
    signatures split by version, e.g.

        65535:64:1:60:M*,N,W1,N,N,T:FreeBSD:4.7-4.11::FreeBSD 4.7-5.2
        65535:64:1:60:M*,N,W1,N,N,T:FreeBSD:5.0-5.2::FreeBSD 4.7-5.2
        65535:64:1:60:M*,N,W1,N,N,T:FreeBSD:4.7-5.2::FreeBSD 4.7-5.2

    Fingerprints need to be unique to make this fit into the set/map
    infrastructure for exact matches. Having multiple fingerprints with
    the same signature is a problem, since it forces users to add multiple
    rules.

    Signed-off-by: Fernando Fernandez Mancera <ffmancera@riseup.net>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* files: osf: update pf.os with newer OS fingerprints  [Fernando Fernandez Mancera, 2019-04-08; 1 file, -0/+6]

    After noticing that some fingerprints are outdated, we have updated
    the most common of them.

    Signed-off-by: Fernando Fernandez Mancera <ffmancera@riseup.net>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* files: osf: copy iptables/utils/pf.os into nftables tree  [Fernando Fernandez Mancera, 2018-08-23; 4 files, -2/+714]

    As we are going to need the pf.os file to load OS fingerprints from
    the incoming nfnl_osf.c, we copy it into the nftables tree directory
    "files/osf/".

    Signed-off-by: Fernando Fernandez Mancera <ffmancera@riseup.net>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* files: restore base table skeletons  [Florian Westphal, 2018-05-08; 14 files, -13/+34]

    nftables releases until 0.8.2 included base skeleton hooks that were
    installed into /etc/nftables (sysconfdir).

    With 0.8.3 and newer these files were moved to the documentation area
    but apparently some users expect them to be there.

    Resurrect them.

    Signed-off-by: Florian Westphal <fw@strlen.de>
* files: add load balance example  [Arturo Borrero Gonzalez, 2018-02-25; 1 file, -0/+54]

    Include this example file in the tarball on how to do load balancing
    with nftables, inspired from https://wiki.nftables.org

    Signed-off-by: Arturo Borrero Gonzalez <arturo@netfilter.org>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* examples: add ct helper examples  [Arturo Borrero Gonzalez, 2018-02-25; 1 file, -0/+43]

    Include some examples in the nftables tarball on using the ct helper
    infrastructure, inspired from wiki.nftables.org.

    Signed-off-by: Arturo Borrero Gonzalez <arturo@netfilter.org>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* nftables: rearrange files and examples  [Arturo Borrero Gonzalez, 2018-02-25; 16 files, -32/+55]

    Concatenate all family/hook examples into a single one by means of
    includes. Put all example files under examples/.

    Use the '.nft' prefix and mark them as executable files. Use a static
    shebang declaration, since these are examples meant for final systems
    and users.

    While at it, refresh also the sets_and_maps.nft example file and also
    add the 'netdev-ingress.nft' example file.

    Signed-off-by: Arturo Borrero Gonzalez <arturo@netfilter.org>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* files: add arp filter and add in/output to nat skeleton  [Florian Westphal, 2017-08-23; 4 files, -5/+16]

    Signed-off-by: Florian Westphal <fw@strlen.de>
    Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>
* files: provide 'raw' table equivalent  [Florian Westphal, 2017-03-15; 3 files, -1/+15]

    useful for the 'ct zone set' statement, it has to be done before the
    conntrack lookup but preferably after the defragmentation hook.

    In iptables, the functionality resides in the CT target which is
    restricted to the raw table.

    This provides the skeleton for nft.

    Signed-off-by: Florian Westphal <fw@strlen.de>
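The two commits above ("provide 'raw' table equivalent" and "improve secmark.nft example: use proper priorities to ensure that ct works properly") are both about where a base chain sits relative to conntrack. The following ruleset is an added illustration, not one of the skeleton or example files shipped by nftables: it relies on the kernel's hook ordering in the prerouting and output hooks (defragmentation at -400, raw at -300, conntrack at -200, filter at 0), and the interface name, zone id and SELinux context it uses are placeholders.

```nft
# Added example, not an nftables project file. Priorities assumed from the
# kernel's NF_IP_PRI_* ordering: defrag -400 < raw -300 < conntrack -200 < filter 0.

table inet raw {
	# 'ct zone set' has to run after defragmentation but before the
	# conntrack lookup, so the chain sits at priority raw (-300).
	# Interface name and zone number are placeholders.
	chain prerouting {
		type filter hook prerouting priority raw; policy accept;
		iif "eth1" ct zone set 1
	}
	chain output {
		type filter hook output priority raw; policy accept;
		oif "eth1" ct zone set 1
	}
}

table inet secmark {
	# Placeholder SELinux packet context.
	secmark sshserver {
		"system_u:object_r:ssh_server_packet_t:s0"
	}

	# 'ct state' and 'ct secmark' need the conntrack entry to exist.
	# In the output hook that means a priority above -200: a chain at,
	# say, -225 would run before conntrack and never see a tracked
	# connection. priority filter (0) is safely after it.
	chain output {
		type filter hook output priority filter; policy accept;
		# label new outgoing ssh packets and save the label on the connection
		ct state new tcp dport 22 meta secmark set "sshserver" ct secmark set meta secmark
		# restore the saved label on the rest of the connection
		ct state established,related meta secmark set ct secmark
	}

	# Packets reaching the input hook have already passed conntrack in
	# prerouting, so here the priority only orders this chain against
	# other input chains.
	chain input {
		type filter hook input priority filter; policy accept;
		ct state new tcp dport 22 meta secmark set "sshserver" ct secmark set meta secmark
		ct state established,related meta secmark set ct secmark
	}
}
```

Check a file like this with `nft -c -f secmark-example.nft` before loading it; the syntax check will not catch a chain placed before conntrack, so the priority has to be verified against the hook ordering by hand.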
* examples: use current type names  [Florian Westphal, 2016-02-25; 1 file, -5/+5]

    Signed-off-by: Florian Westphal <fw@strlen.de>
* build: add autotools support for the 'files' subdir  [Giorgio Dal Molin, 2014-11-12; 11 files, -13/+22]

    Added support to install some 'nft' scripts under
    '${sysconfdir}/nftables', typically '/etc/nftables'.

    Signed-off-by: Giorgio Dal Molin <giorgio.nicole@arcor.de>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* files: add inet filter table definition  [Patrick McHardy, 2014-02-05; 1 file, -0/+7]

    Signed-off-by: Patrick McHardy <kaber@trash.net>
* src: use ':' instead of '=>' in dictionaries  [Pablo Neira Ayuso, 2014-01-16; 1 file, -4/+4]

    Replace => by : to make it easier for most shell users, as > implies a
    redirection, let's avoid possible confusion that may result if you
    forget to escape it.

    This works fine if you don't forget to add space between the key and
    the value. If you forget to add the space, depending on the case, the
    scanner may recognize it correctly or process it as a string.

    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* files: replace interpreter during installation  [Arturo Borrero Gonzalez, 2014-01-13; 1 file, -0/+1]

    Many systems (for example Debian) don't recognize `#!nft -f' as a
    valid interpreter. A short way to handle this is to provide the full
    path to the interpreter in the shebang.

    That is what this patch does: update the shebang's path during
    installation.

    For example, if you are installing under /usr/local, the shebang
    becomes:

        #!/usr/local/sbin/nft -f

    If using --prefix=/, then:

        #!/sbin/nft -f

    NOTE: If the shebangs in the source files are changed in the future,
    this sed script should be updated as well.

    Signed-off-by: Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com>
    Signed-off-by: Patrick McHardy <kaber@trash.net>
* nftables: drop hard coded install using root user owner and group  [Kevin Fenzi, 2014-01-13; 1 file, -1/+1]

    Packaging systems build as a non-privileged user, so can't install as
    root. Users installing from source can 'sudo make install' or run
    'make install' as root.

    Signed-off-by: Kevin Fenzi <kevin@scrye.com>
    Signed-off-by: Patrick McHardy <kaber@trash.net>
* examples: adjust new chain type syntax in sets_and_maps file  [Phil Oester, 2013-11-30; 1 file, -1/+1]

    This example file has not been updated with new syntax.

    Signed-off-by: Phil Oester <kernel@linuxace.com>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* Update chain creation format.  [Eric Leblond, 2013-09-17; 7 files, -19/+23]

    type keyword is now mandatory when creating a new chain. This patch
    also implements the change required following the usage of human
    notation in hook. It also removes the currently unsupported mangle
    chains.

    Signed-off-by: Eric Leblond <eric@regit.org>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* Suppress non working examples.  [Eric Leblond, 2013-09-17; 4 files, -26/+0]

    Signed-off-by: Eric Leblond <eric@regit.org>
    Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
* add bridge filter table definitions  [Patrick McHardy, 2010-07-06; 1 file, -0/+7]

    Signed-off-by: Patrick McHardy <kaber@trash.net>
* add support for new set API and standalone sets  [Patrick McHardy, 2009-07-28; 1 file, -0/+53]

    Signed-off-by: Patrick McHardy <kaber@trash.net>
* templates: add IPv6 raw table template  [Patrick McHardy, 2009-03-18; 1 file, -0/+6]

    Signed-off-by: Patrick McHardy <kaber@trash.net>
* Initial commit (tag v0.01-alpha1)  [Patrick McHardy, 2009-03-18; 8 files, -0/+56]