Concatenate all family/hook examples into a single one. Put all example files under examples/. Use the '.nft' prefix and mark them as executable files. Use a static shebang declaration, since these are examples meant for final systems and users. While at it, refresh also the sets_and_maps.nft example file. Signed-off-by: Arturo Borrero Gonzalez <arturo@xxxxxxxxxxxxx> --- Makefile.am | 6 +-- configure.ac | 2 - files/Makefile.am | 1 files/examples/families_and_hooks.nft | 79 +++++++++++++++++++++++++++++++++ files/examples/sets_and_maps | 53 ---------------------- files/examples/sets_and_maps.nft | 54 +++++++++++++++++++++++ files/nftables/Makefile.am | 16 ------- files/nftables/arp-filter | 6 --- files/nftables/bridge-filter | 7 --- files/nftables/inet-filter | 7 --- files/nftables/ipv4-filter | 7 --- files/nftables/ipv4-mangle | 5 -- files/nftables/ipv4-nat | 8 --- files/nftables/ipv4-raw | 6 --- files/nftables/ipv6-filter | 7 --- files/nftables/ipv6-mangle | 5 -- files/nftables/ipv6-nat | 8 --- files/nftables/ipv6-raw | 6 --- 18 files changed, 136 insertions(+), 147 deletions(-) delete mode 100644 files/Makefile.am create mode 100755 files/examples/families_and_hooks.nft delete mode 100755 files/examples/sets_and_maps create mode 100755 files/examples/sets_and_maps.nft delete mode 100644 files/nftables/Makefile.am delete mode 100644 files/nftables/arp-filter delete mode 100644 files/nftables/bridge-filter delete mode 100644 files/nftables/inet-filter delete mode 100644 files/nftables/ipv4-filter delete mode 100644 files/nftables/ipv4-mangle delete mode 100644 files/nftables/ipv4-nat delete mode 100644 files/nftables/ipv4-raw delete mode 100644 files/nftables/ipv6-filter delete mode 100644 files/nftables/ipv6-mangle delete mode 100644 files/nftables/ipv6-nat delete mode 100644 files/nftables/ipv6-raw diff --git a/Makefile.am b/Makefile.am index 10aa40f..5ef61be 100644 --- a/Makefile.am +++ b/Makefile.am @@ -2,7 +2,7 @@ ACLOCAL_AMFLAGS = -I m4 SUBDIRS = src \ include \ - doc \ - files + doc -EXTRA_DIST = tests +EXTRA_DIST = tests \ + files diff --git a/configure.ac b/configure.ac index 1a38653..408a6bc 100644 --- a/configure.ac +++ b/configure.ac @@ -140,8 +140,6 @@ AC_CONFIG_FILES([ \ include/linux/netfilter_ipv4/Makefile \ include/linux/netfilter_ipv6/Makefile \ doc/Makefile \ - files/Makefile \ - files/nftables/Makefile \ ]) AC_OUTPUT diff --git a/files/Makefile.am b/files/Makefile.am deleted file mode 100644 index a8394c0..0000000 --- a/files/Makefile.am +++ /dev/null @@ -1 +0,0 @@ -SUBDIRS = nftables diff --git a/files/examples/families_and_hooks.nft b/files/examples/families_and_hooks.nft new file mode 100755 index 0000000..b401610 --- /dev/null +++ b/files/examples/families_and_hooks.nft @@ -0,0 +1,79 @@ +#!/usr/sbin/nft -f + +# Here is an example of different families, hooks and priorities in the +# nftables framework. +# This script is mean to be loaded with `nft -f <file>` +# For up-to-date information please visit https://wiki.nftables.org + +flush ruleset + +# native dual stack IPv4 & IPv6 family +table inet filter { + chain input { type filter hook input priority 0; } + chain forward { type filter hook forward priority 0; } + chain output { type filter hook output priority 0; } +} + +# netdev family at ingress hook. Attached to a given NIC. +table netdev filter { + chain eth0input { type filter hook ingress device lo priority 0; } +} + +# IPv4 family, typical iptables tables/chains layout +table filter { + chain input { type filter hook input priority 0; } + chain forward { type filter hook forward priority 0; } + chain output { type filter hook output priority 0; } +} + +table mangle { + chain output { type route hook output priority -150; } +} + +table nat { + chain prerouting { type nat hook prerouting priority -100; } + chain input { type nat hook input priority 100; } + chain output { type nat hook output priority -100; } + chain postrouting { type nat hook postrouting priority 100; } +} + +table raw { + chain prerouting { type filter hook prerouting priority -300; } + chain output { type filter hook output priority -300; } +} + +# IPv6 family, typical iptables tables/chains layout +table ip6 filter { + chain input { type filter hook input priority 0; } + chain forward { type filter hook forward priority 0; } + chain output { type filter hook output priority 0; } +} + +table ip6 mangle { + chain output { type route hook output priority -150; } +} + +table ip6 nat { + chain prerouting { type nat hook prerouting priority -100; } + chain input { type nat hook input priority 100; } + chain output { type nat hook output priority -100; } + chain postrouting { type nat hook postrouting priority 100; } +} + +table ip6 raw { + chain prerouting { type filter hook prerouting priority -300; } + chain output { type filter hook output priority -300; } +} + +# ARP family, typical arptables tables/chain layout +table arp filter { + chain input { type filter hook input priority 0; } + chain output { type filter hook output priority 0; } +} + +# bridge family, typical ebtables tables/chain layout +table bridge filter { + chain input { type filter hook input priority -200; } + chain forward { type filter hook forward priority -200; } + chain output { type filter hook output priority 200; } +} diff --git a/files/examples/sets_and_maps b/files/examples/sets_and_maps deleted file mode 100755 index 58369a3..0000000 --- a/files/examples/sets_and_maps +++ /dev/null @@ -1,53 +0,0 @@ -#! /sbin/nft -nf -# -# Examples of set and map usage -# - -# symbolic anonymous set definition built from symbolic singleton definitions -define int_if1 = eth0 -define int_if2 = eth1 -define int_ifs = { $int_if1, $int_if2 } - -define ext_if1 = eth2 -define ext_if2 = eth3 -define ext_ifs = { $ext_if1, $ext_if2 } - -# recursive symbolic anonymous set definition -define local_ifs = { $int_ifs, $ext_ifs } - -# symbolic anonymous set definition -define tcp_ports = { ssh, domain, https, 123-125 } - -delete table filter -table filter { - # named set of type iface_index - set local_ifs { - type iface_index - } - - # named map of type iface_index : ipv4_addr - map nat_map { - type iface_index : ipv4_addr - } - - map jump_map { - type iface_index : verdict - } - - chain input_1 { counter; } - chain input_2 { counter; } - chain input { - type filter hook input priority 0 - - # symbolic anonymous sets - meta iif $local_ifs tcp dport $tcp_ports counter - - # literal anonymous set - meta iif { eth0, eth1 } counter - - meta iif @local_ifs counter - meta iif vmap @jump_map - - #meta iif vmap { eth0 : jump input1, eth1 : jump input2 } - } -} diff --git a/files/examples/sets_and_maps.nft b/files/examples/sets_and_maps.nft new file mode 100755 index 0000000..dc50b8c --- /dev/null +++ b/files/examples/sets_and_maps.nft @@ -0,0 +1,54 @@ +#!/usr/sbin/nft -f + +# This example file shows how to use sets and maps in the nftables framework. +# This script is mean to be loaded with `nft -f <file>` +# For up-to-date information please visit https://wiki.nftables.org + +# symbolic anonymous set definition built from symbolic singleton definitions +define int_if1 = eth0 +define int_if2 = eth1 +define int_ifs = { $int_if1, $int_if2 } + +define ext_if1 = eth2 +define ext_if2 = eth3 +define ext_ifs = { $ext_if1, $ext_if2 } + +# recursive symbolic anonymous set definition +define local_ifs = { $int_ifs, $ext_ifs } + +# symbolic anonymous set definition +define tcp_ports = { ssh, domain, https, 123-125 } + +delete table filter +table filter { + # named set of type iface_index + set local_ifs { + type iface_index + } + + # named map of type iface_index : ipv4_addr + map nat_map { + type iface_index : ipv4_addr + } + + map jump_map { + type iface_index : verdict + } + + chain input_1 { counter; } + chain input_2 { counter; } + chain input { + type filter hook input priority 0 + + # symbolic anonymous sets + meta iif $local_ifs tcp dport $tcp_ports counter + + # literal anonymous set + meta iif { eth0, eth1 } counter + + meta iif @local_ifs counter + meta iif vmap @jump_map + + #meta iif vmap { eth0 : jump input1, eth1 : jump input2 } + } +} diff --git a/files/nftables/Makefile.am b/files/nftables/Makefile.am deleted file mode 100644 index 77d5c2a..0000000 --- a/files/nftables/Makefile.am +++ /dev/null @@ -1,16 +0,0 @@ - -pkgsysconfdir = ${sysconfdir}/nftables -dist_pkgsysconf_DATA = arp-filter \ - bridge-filter \ - inet-filter \ - ipv4-filter \ - ipv4-mangle \ - ipv4-nat \ - ipv4-raw \ - ipv6-filter \ - ipv6-mangle \ - ipv6-nat \ - ipv6-raw - -install-data-hook: - ${SED} -i 's|@sbindir[@]|${sbindir}/|g' ${DESTDIR}${pkgsysconfdir}/* diff --git a/files/nftables/arp-filter b/files/nftables/arp-filter deleted file mode 100644 index bcabf28..0000000 --- a/files/nftables/arp-filter +++ /dev/null @@ -1,6 +0,0 @@ -#! @sbindir@nft -f - -table arp filter { - chain input { type filter hook input priority 0; } - chain output { type filter hook output priority 0; } -} diff --git a/files/nftables/bridge-filter b/files/nftables/bridge-filter deleted file mode 100644 index 2add455..0000000 --- a/files/nftables/bridge-filter +++ /dev/null @@ -1,7 +0,0 @@ -#! @sbindir@nft -f - -table bridge filter { - chain input { type filter hook input priority -200; } - chain forward { type filter hook forward priority -200; } - chain output { type filter hook output priority 200; } -} diff --git a/files/nftables/inet-filter b/files/nftables/inet-filter deleted file mode 100644 index f572db5..0000000 --- a/files/nftables/inet-filter +++ /dev/null @@ -1,7 +0,0 @@ -#! @sbindir@nft -f - -table inet filter { - chain input { type filter hook input priority 0; } - chain forward { type filter hook forward priority 0; } - chain output { type filter hook output priority 0; } -} diff --git a/files/nftables/ipv4-filter b/files/nftables/ipv4-filter deleted file mode 100644 index a4ca7f2..0000000 --- a/files/nftables/ipv4-filter +++ /dev/null @@ -1,7 +0,0 @@ -#! @sbindir@nft -f - -table filter { - chain input { type filter hook input priority 0; } - chain forward { type filter hook forward priority 0; } - chain output { type filter hook output priority 0; } -} diff --git a/files/nftables/ipv4-mangle b/files/nftables/ipv4-mangle deleted file mode 100644 index be564a5..0000000 --- a/files/nftables/ipv4-mangle +++ /dev/null @@ -1,5 +0,0 @@ -#! @sbindir@nft -f - -table mangle { - chain output { type route hook output priority -150; } -} diff --git a/files/nftables/ipv4-nat b/files/nftables/ipv4-nat deleted file mode 100644 index 130a729..0000000 --- a/files/nftables/ipv4-nat +++ /dev/null @@ -1,8 +0,0 @@ -#! @sbindir@nft -f - -table nat { - chain prerouting { type nat hook prerouting priority -100; } - chain input { type nat hook input priority 100; } - chain output { type nat hook output priority -100; } - chain postrouting { type nat hook postrouting priority 100; } -} diff --git a/files/nftables/ipv4-raw b/files/nftables/ipv4-raw deleted file mode 100644 index 19773ee..0000000 --- a/files/nftables/ipv4-raw +++ /dev/null @@ -1,6 +0,0 @@ -#! @sbindir@nft -f - -table raw { - chain prerouting { type filter hook prerouting priority -300; } - chain output { type filter hook output priority -300; } -} diff --git a/files/nftables/ipv6-filter b/files/nftables/ipv6-filter deleted file mode 100644 index ce4d7de..0000000 --- a/files/nftables/ipv6-filter +++ /dev/null @@ -1,7 +0,0 @@ -#! @sbindir@nft -f - -table ip6 filter { - chain input { type filter hook input priority 0; } - chain forward { type filter hook forward priority 0; } - chain output { type filter hook output priority 0; } -} diff --git a/files/nftables/ipv6-mangle b/files/nftables/ipv6-mangle deleted file mode 100644 index fa32402..0000000 --- a/files/nftables/ipv6-mangle +++ /dev/null @@ -1,5 +0,0 @@ -#! @sbindir@nft -f - -table ip6 mangle { - chain output { type route hook output priority -150; } -} diff --git a/files/nftables/ipv6-nat b/files/nftables/ipv6-nat deleted file mode 100644 index e781686..0000000 --- a/files/nftables/ipv6-nat +++ /dev/null @@ -1,8 +0,0 @@ -#! @sbindir@nft -f - -table ip6 nat { - chain prerouting { type nat hook prerouting priority -100; } - chain input { type nat hook input priority 100; } - chain output { type nat hook output priority -100; } - chain postrouting { type nat hook postrouting priority 100; } -} diff --git a/files/nftables/ipv6-raw b/files/nftables/ipv6-raw deleted file mode 100644 index 5ee56a8..0000000 --- a/files/nftables/ipv6-raw +++ /dev/null @@ -1,6 +0,0 @@ -#! @sbindir@nft -f - -table ip6 raw { - chain prerouting { type filter hook prerouting priority -300; } - chain output { type filter hook output priority -300; } -} -- To unsubscribe from this list: send the line "unsubscribe netfilter-devel" in the body of a message to majordomo@xxxxxxxxxxxxxxx More majordomo info at http://vger.kernel.org/majordomo-info.html
