useful for the 'ct zone set' statement, it has to be done before
the conntrack lookup but preferrably after the defragmention hook.
In iptables, the functionality resides in the CT target which is
restricted to the raw table. This provides the skeleton for nft.
Signed-off-by: Florian Westphal <fw@xxxxxxxxx>
---
files/nftables/Makefile.am | 4 +++-
files/nftables/ipv4-raw | 6 ++++++
files/nftables/ipv6-raw | 6 ++++++
3 files changed, 15 insertions(+), 1 deletion(-)
create mode 100644 files/nftables/ipv4-raw
create mode 100644 files/nftables/ipv6-raw
diff --git a/files/nftables/Makefile.am b/files/nftables/Makefile.am
index 1378e2b684f1..a4c7ac7c980b 100644
--- a/files/nftables/Makefile.am
+++ b/files/nftables/Makefile.am
@@ -5,9 +5,11 @@ dist_pkgsysconf_DATA = bridge-filter \
ipv4-filter \
ipv4-mangle \
ipv4-nat \
+ ipv4-raw \
ipv6-filter \
ipv6-mangle \
- ipv6-nat
+ ipv6-nat \
+ ipv6-raw
install-data-hook:
${SED} -i 's|@sbindir[@]|${sbindir}/|g' ${DESTDIR}${pkgsysconfdir}/*
diff --git a/files/nftables/ipv4-raw b/files/nftables/ipv4-raw
new file mode 100644
index 000000000000..19773ee8bc3b
--- /dev/null
+++ b/files/nftables/ipv4-raw
@@ -0,0 +1,6 @@
+#! @sbindir@nft -f
+
+table raw {
+ chain prerouting { type filter hook prerouting priority -300; }
+ chain output { type filter hook output priority -300; }
+}
diff --git a/files/nftables/ipv6-raw b/files/nftables/ipv6-raw
new file mode 100644
index 000000000000..5ee56a83987e
--- /dev/null
+++ b/files/nftables/ipv6-raw
@@ -0,0 +1,6 @@
+#! @sbindir@nft -f
+
+table ip6 raw {
+ chain prerouting { type filter hook prerouting priority -300; }
+ chain output { type filter hook output priority -300; }
+}
--
2.10.2
--
To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
