[nft PATCH v2 1/3] nftables: rearrange files and examples


 



Concatenate all family/hook examples into a single one by means of includes.

Put all example files under examples/. Use the '.nft' suffix and mark
them as executable files. Use a static shebang declaration, since these
are examples meant for final systems and users.

While at it, refresh also the sets_and_maps.nft example file and also
add the 'netdev-ingress.nft' example file.

Signed-off-by: Arturo Borrero Gonzalez <arturo@xxxxxxxxxxxxx>
---
v2: address comments by Florian & Pablo. Fix some typos

 Makefile.am                           |    6 ++--
 configure.ac                          |    2 -
 files/Makefile.am                     |    1 -
 files/examples/arp-filter.nft         |    6 ++++
 files/examples/bridge-filter.nft      |    7 ++++
 files/examples/families_and_hooks.nft |   32 ++++++++++++++++++++
 files/examples/inet-filter.nft        |    7 ++++
 files/examples/ipv4-filter.nft        |    7 ++++
 files/examples/ipv4-mangle.nft        |    5 +++
 files/examples/ipv4-nat.nft           |    8 +++++
 files/examples/ipv4-raw.nft           |    6 ++++
 files/examples/ipv6-filter.nft        |    7 ++++
 files/examples/ipv6-mangle.nft        |    5 +++
 files/examples/ipv6-nat.nft           |    8 +++++
 files/examples/ipv6-raw.nft           |    6 ++++
 files/examples/netdev-ingress.nft     |    7 ++++
 files/examples/sets_and_maps          |   53 --------------------------------
 files/examples/sets_and_maps.nft      |   54 +++++++++++++++++++++++++++++++++
 files/nftables/Makefile.am            |   16 ----------
 files/nftables/arp-filter             |    6 ----
 files/nftables/bridge-filter          |    7 ----
 files/nftables/inet-filter            |    7 ----
 files/nftables/ipv4-filter            |    7 ----
 files/nftables/ipv4-mangle            |    5 ---
 files/nftables/ipv4-nat               |    8 -----
 files/nftables/ipv4-raw               |    6 ----
 files/nftables/ipv6-filter            |    7 ----
 files/nftables/ipv6-mangle            |    5 ---
 files/nftables/ipv6-nat               |    8 -----
 files/nftables/ipv6-raw               |    6 ----
 30 files changed, 168 insertions(+), 147 deletions(-)
 delete mode 100644 files/Makefile.am
 create mode 100755 files/examples/arp-filter.nft
 create mode 100755 files/examples/bridge-filter.nft
 create mode 100755 files/examples/families_and_hooks.nft
 create mode 100755 files/examples/inet-filter.nft
 create mode 100755 files/examples/ipv4-filter.nft
 create mode 100755 files/examples/ipv4-mangle.nft
 create mode 100755 files/examples/ipv4-nat.nft
 create mode 100755 files/examples/ipv4-raw.nft
 create mode 100755 files/examples/ipv6-filter.nft
 create mode 100755 files/examples/ipv6-mangle.nft
 create mode 100755 files/examples/ipv6-nat.nft
 create mode 100755 files/examples/ipv6-raw.nft
 create mode 100755 files/examples/netdev-ingress.nft
 delete mode 100755 files/examples/sets_and_maps
 create mode 100755 files/examples/sets_and_maps.nft
 delete mode 100644 files/nftables/Makefile.am
 delete mode 100644 files/nftables/arp-filter
 delete mode 100644 files/nftables/bridge-filter
 delete mode 100644 files/nftables/inet-filter
 delete mode 100644 files/nftables/ipv4-filter
 delete mode 100644 files/nftables/ipv4-mangle
 delete mode 100644 files/nftables/ipv4-nat
 delete mode 100644 files/nftables/ipv4-raw
 delete mode 100644 files/nftables/ipv6-filter
 delete mode 100644 files/nftables/ipv6-mangle
 delete mode 100644 files/nftables/ipv6-nat
 delete mode 100644 files/nftables/ipv6-raw

diff --git a/Makefile.am b/Makefile.am
index 10aa40f..5ef61be 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -2,7 +2,7 @@ ACLOCAL_AMFLAGS	= -I m4
 
 SUBDIRS = 	src	\
 		include	\
-		doc	\
-		files
+		doc
 
-EXTRA_DIST =	tests
+EXTRA_DIST =	tests	\
+		files
diff --git a/configure.ac b/configure.ac
index 1a38653..408a6bc 100644
--- a/configure.ac
+++ b/configure.ac
@@ -140,8 +140,6 @@ AC_CONFIG_FILES([					\
 		include/linux/netfilter_ipv4/Makefile	\
 		include/linux/netfilter_ipv6/Makefile	\
 		doc/Makefile				\
-		files/Makefile				\
-		files/nftables/Makefile			\
 		])
 AC_OUTPUT
 
diff --git a/files/Makefile.am b/files/Makefile.am
deleted file mode 100644
index a8394c0..0000000
--- a/files/Makefile.am
+++ /dev/null
@@ -1 +0,0 @@
-SUBDIRS = nftables
diff --git a/files/examples/arp-filter.nft b/files/examples/arp-filter.nft
new file mode 100755
index 0000000..13166bd
--- /dev/null
+++ b/files/examples/arp-filter.nft
@@ -0,0 +1,6 @@
+#!/usr/sbin/nft -f
+
+table arp filter {
+	chain input		{ type filter hook input priority 0; }
+	chain output		{ type filter hook output priority 0; }
+}
diff --git a/files/examples/bridge-filter.nft b/files/examples/bridge-filter.nft
new file mode 100755
index 0000000..7e3cad4
--- /dev/null
+++ b/files/examples/bridge-filter.nft
@@ -0,0 +1,7 @@
+#!/usr/sbin/nft -f
+
+table bridge filter {
+	chain input		{ type filter hook input priority -200; }
+	chain forward		{ type filter hook forward priority -200; }
+	chain output		{ type filter hook output priority 200; }
+}
diff --git a/files/examples/families_and_hooks.nft b/files/examples/families_and_hooks.nft
new file mode 100755
index 0000000..e6d9ee2
--- /dev/null
+++ b/files/examples/families_and_hooks.nft
@@ -0,0 +1,32 @@
+#!/usr/sbin/nft -f
+
+# Here is an example of different families, hooks and priorities in the
+# nftables framework, all mixed together.
+# This script is mean to be loaded with `nft -f <file>`
+# For up-to-date information please visit https://wiki.nftables.org
+
+flush ruleset
+
+# native dual stack IPv4 & IPv6 family
+include "./inet-filter.nft"
+
+# netdev family at ingress hook. Attached to a given NIC
+include "./netdev-ingress.nft"
+
+# IPv4 family, typical iptables tables/chains layout
+include "./ipv4-filter.nft"
+include "./ipv4-mangle.nft"
+include "./ipv4-nat.nft"
+include "./ipv4-raw.nft"
+
+# IPv6 family, typical ip6tables tables/chains layout
+include "./ipv6-filter.nft"
+include "./ipv6-mangle.nft"
+include "./ipv6-nat.nft"
+include "./ipv6-raw.nft"
+
+# ARP family, typical arptables tables/chain layout
+include "./arp-filter.nft"
+
+# bridge family, typical ebtables tables/chain layout
+include "./bridge-filter.nft"
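Review bot: `flush ruleset` right after the header comment deletes every table in every family on the host before the includes are loaded, so a user who runs this executable example on a machine that already has a firewall silently loses that ruleset; the header should state this, e.g. `# NOTE: 'flush ruleset' below removes every existing table in all families before loading the examples; run on a test system or review your current ruleset first`. The third header line has a typo and should read `# This script is meant to be loaded with \`nft -f <file>\``. The includes use `./` paths (`include "./inet-filter.nft"`), which are presumably resolved against the current working directory rather than the script's own location, so the file likely only loads when invoked from files/examples/; a one-line comment saying so would save a confusing "file not found" on first use.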
diff --git a/files/examples/inet-filter.nft b/files/examples/inet-filter.nft
new file mode 100755
index 0000000..e5c8c54
--- /dev/null
+++ b/files/examples/inet-filter.nft
@@ -0,0 +1,7 @@
+#!/usr/sbin/nft -f
+
+table inet filter {
+	chain input		{ type filter hook input priority 0; }
+	chain forward		{ type filter hook forward priority 0; }
+	chain output		{ type filter hook output priority 0; }
+}
diff --git a/files/examples/ipv4-filter.nft b/files/examples/ipv4-filter.nft
new file mode 100755
index 0000000..73b11bc
--- /dev/null
+++ b/files/examples/ipv4-filter.nft
@@ -0,0 +1,7 @@
+#!/usr/sbin/nft -f
+
+table filter {
+	chain input		{ type filter hook input priority 0; }
+	chain forward		{ type filter hook forward priority 0; }
+	chain output		{ type filter hook output priority 0; }
+}
diff --git a/files/examples/ipv4-mangle.nft b/files/examples/ipv4-mangle.nft
new file mode 100755
index 0000000..2827ddf
--- /dev/null
+++ b/files/examples/ipv4-mangle.nft
@@ -0,0 +1,5 @@
+#!/usr/sbin/nft -f
+
+table mangle {
+	chain output		{ type route hook output priority -150; }
+}
diff --git a/files/examples/ipv4-nat.nft b/files/examples/ipv4-nat.nft
new file mode 100755
index 0000000..fd3bb40
--- /dev/null
+++ b/files/examples/ipv4-nat.nft
@@ -0,0 +1,8 @@
+#!/usr/sbin/nft -f
+
+table nat {
+	chain prerouting	{ type nat hook prerouting priority -100; }
+	chain input		{ type nat hook input priority 100; }
+	chain output		{ type nat hook output priority -100; }
+	chain postrouting	{ type nat hook postrouting priority 100; }
+}
diff --git a/files/examples/ipv4-raw.nft b/files/examples/ipv4-raw.nft
new file mode 100755
index 0000000..91fc138
--- /dev/null
+++ b/files/examples/ipv4-raw.nft
@@ -0,0 +1,6 @@
+#!/usr/sbin/nft -f
+
+table raw {
+	chain prerouting	{ type filter hook prerouting priority -300; }
+	chain output		{ type filter hook output priority -300; }
+}
diff --git a/files/examples/ipv6-filter.nft b/files/examples/ipv6-filter.nft
new file mode 100755
index 0000000..21f06a3
--- /dev/null
+++ b/files/examples/ipv6-filter.nft
@@ -0,0 +1,7 @@
+#!/usr/sbin/nft -f
+
+table ip6 filter {
+	chain input		{ type filter hook input priority 0; }
+	chain forward		{ type filter hook forward priority 0; }
+	chain output		{ type filter hook output priority 0; }
+}
diff --git a/files/examples/ipv6-mangle.nft b/files/examples/ipv6-mangle.nft
new file mode 100755
index 0000000..e92dbef
--- /dev/null
+++ b/files/examples/ipv6-mangle.nft
@@ -0,0 +1,5 @@
+#!/usr/sbin/nft -f
+
+table ip6 mangle {
+	chain output		{ type route hook output priority -150; }
+}
diff --git a/files/examples/ipv6-nat.nft b/files/examples/ipv6-nat.nft
new file mode 100755
index 0000000..7437c19
--- /dev/null
+++ b/files/examples/ipv6-nat.nft
@@ -0,0 +1,8 @@
+#!/usr/sbin/nft -f
+
+table ip6 nat {
+	chain prerouting	{ type nat hook prerouting priority -100; }
+	chain input 		{ type nat hook input priority 100; }
+	chain output  		{ type nat hook output priority -100; }
+	chain postrouting	{ type nat hook postrouting priority 100; }
+}
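Review bot: The `chain input` and `chain output` lines carry stray spaces before the tabs that separate the chain name from the braces, unlike the corresponding lines in ipv4-nat.nft; dropping those spaces so the two files align is cosmetic, but it keeps the IPv4 and IPv6 variants diffable side by side.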
diff --git a/files/examples/ipv6-raw.nft b/files/examples/ipv6-raw.nft
new file mode 100755
index 0000000..812703a
--- /dev/null
+++ b/files/examples/ipv6-raw.nft
@@ -0,0 +1,6 @@
+#!/usr/sbin/nft -f
+
+table ip6 raw {
+	chain prerouting	{ type filter hook prerouting priority -300; }
+	chain output		{ type filter hook output priority -300; }
+}
diff --git a/files/examples/netdev-ingress.nft b/files/examples/netdev-ingress.nft
new file mode 100755
index 0000000..2585d15
--- /dev/null
+++ b/files/examples/netdev-ingress.nft
@@ -0,0 +1,7 @@
+#!/usr/sbin/nft -f
+
+# mind the NIC, it must exists
+table netdev filter {
+        chain loinput { type filter hook ingress device lo priority 0; }
+}
+
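Review bot: The chain line is indented with eight spaces while every other example in this series indents with a tab, and the file ends with an extra empty line; the body should be tab-indented to match and the trailing blank line dropped. The comment also needs a grammar fix: `# mind the NIC, it must exist`. Since the example pins `device lo`, the comment is the only hint that `device` must name an interface present on the host, so wording it as `# 'device' must name an existing interface; lo is used here so the example loads on any host` would make the intent clearer.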
diff --git a/files/examples/sets_and_maps b/files/examples/sets_and_maps
deleted file mode 100755
index 58369a3..0000000
--- a/files/examples/sets_and_maps
+++ /dev/null
@@ -1,53 +0,0 @@
-#! /sbin/nft -nf
-#
-# Examples of set and map usage
-#
-
-# symbolic anonymous set definition built from symbolic singleton definitions
-define int_if1	 = eth0
-define int_if2	 = eth1
-define int_ifs	 = { $int_if1, $int_if2 }
-
-define ext_if1	 = eth2
-define ext_if2	 = eth3
-define ext_ifs	 = { $ext_if1, $ext_if2 }
-
-# recursive symbolic anonymous set definition
-define local_ifs = { $int_ifs, $ext_ifs }
-
-# symbolic anonymous set definition
-define tcp_ports = { ssh, domain, https, 123-125 }
-
-delete table filter
-table filter {
-	# named set of type iface_index
-	set local_ifs {
-		type iface_index
-	}
-
-	# named map of type iface_index : ipv4_addr
-	map nat_map {
-		type iface_index : ipv4_addr
-	}
-
-	map jump_map {
-		type iface_index : verdict
-	}
-
-	chain input_1 { counter; }
-	chain input_2 { counter; }
-	chain input {
-		type filter hook input priority 0
-
-		# symbolic anonymous sets
-		meta iif $local_ifs tcp dport $tcp_ports counter
-
-		# literal anonymous set
-		meta iif { eth0, eth1 } counter
-
-		meta iif @local_ifs counter
-		meta iif vmap @jump_map
-
-		#meta iif vmap { eth0 : jump input1, eth1 : jump input2 }
-	}
-}
diff --git a/files/examples/sets_and_maps.nft b/files/examples/sets_and_maps.nft
new file mode 100755
index 0000000..f5157b3
--- /dev/null
+++ b/files/examples/sets_and_maps.nft
@@ -0,0 +1,54 @@
+#!/usr/sbin/nft -f
+
+# This example file shows how to use sets and maps in the nftables framework.
+# This script is meant to be loaded with `nft -f <file>`
+# For up-to-date information please visit https://wiki.nftables.org
+
+# symbolic anonymous set definition built from symbolic singleton definitions
+define int_if1	 = eth0
+define int_if2	 = eth1
+define int_ifs	 = { $int_if1, $int_if2 }
+
+define ext_if1	 = eth2
+define ext_if2	 = eth3
+define ext_ifs	 = { $ext_if1, $ext_if2 }
+
+# recursive symbolic anonymous set definition
+define local_ifs = { $int_ifs, $ext_ifs }
+
+# symbolic anonymous set definition
+define tcp_ports = { ssh, domain, https, 123-125 }
+
+delete table filter
+table filter {
+	# named set of type iface_index
+	set local_ifs {
+		type iface_index
+	}
+
+	# named map of type iface_index : ipv4_addr
+	map nat_map {
+		type iface_index : ipv4_addr
+	}
+
+	map jump_map {
+		type iface_index : verdict
+	}
+
+	chain input_1 { counter; }
+	chain input_2 { counter; }
+	chain input {
+		type filter hook input priority 0
+
+		# symbolic anonymous sets
+		meta iif $local_ifs tcp dport $tcp_ports counter
+
+		# literal anonymous set
+		meta iif { eth0, eth1 } counter
+
+		meta iif @local_ifs counter
+		meta iif vmap @jump_map
+
+		#meta iif vmap { eth0 : jump input1, eth1 : jump input2 }
+	}
+}
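Review bot: The commented-out vmap rule at the end of `chain input` refers to chains `input1` and `input2`, but the chains defined above are `input_1` and `input_2`, so a reader who uncomments it hits an unknown-chain error; the line should read `#meta iif vmap { eth0 : jump input_1, eth1 : jump input_2 }`. `delete table filter` ahead of the table definition presumably fails the whole load when no `filter` table exists yet, which is the usual state of a fresh system, so either a comment stating that the example expects an existing table or a note on how to run it would help. The `type filter hook input priority 0` line inside `chain input` also omits the trailing `;` that every other example in this series uses; it likely parses because the newline ends the statement, but one form across the examples is easier to copy from.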
diff --git a/files/nftables/Makefile.am b/files/nftables/Makefile.am
deleted file mode 100644
index 77d5c2a..0000000
--- a/files/nftables/Makefile.am
+++ /dev/null
@@ -1,16 +0,0 @@
-
-pkgsysconfdir = ${sysconfdir}/nftables
-dist_pkgsysconf_DATA =	arp-filter	\
-			bridge-filter	\
-			inet-filter	\
-			ipv4-filter	\
-			ipv4-mangle	\
-			ipv4-nat	\
-			ipv4-raw	\
-			ipv6-filter	\
-			ipv6-mangle	\
-			ipv6-nat	\
-			ipv6-raw
-
-install-data-hook:
-	${SED} -i 's|@sbindir[@]|${sbindir}/|g' ${DESTDIR}${pkgsysconfdir}/*
diff --git a/files/nftables/arp-filter b/files/nftables/arp-filter
deleted file mode 100644
index bcabf28..0000000
--- a/files/nftables/arp-filter
+++ /dev/null
@@ -1,6 +0,0 @@
-#! @sbindir@nft -f
-
-table arp filter {
-	chain input		{ type filter hook input priority 0; }
-	chain output		{ type filter hook output priority 0; }
-}
diff --git a/files/nftables/bridge-filter b/files/nftables/bridge-filter
deleted file mode 100644
index 2add455..0000000
--- a/files/nftables/bridge-filter
+++ /dev/null
@@ -1,7 +0,0 @@
-#! @sbindir@nft -f
-
-table bridge filter {
-	chain input		{ type filter hook input priority -200; }
-	chain forward		{ type filter hook forward priority -200; }
-	chain output		{ type filter hook output priority 200; }
-}
diff --git a/files/nftables/inet-filter b/files/nftables/inet-filter
deleted file mode 100644
index f572db5..0000000
--- a/files/nftables/inet-filter
+++ /dev/null
@@ -1,7 +0,0 @@
-#! @sbindir@nft -f
-
-table inet filter {
-	chain input		{ type filter hook input priority 0; }
-	chain forward		{ type filter hook forward priority 0; }
-	chain output		{ type filter hook output priority 0; }
-}
diff --git a/files/nftables/ipv4-filter b/files/nftables/ipv4-filter
deleted file mode 100644
index a4ca7f2..0000000
--- a/files/nftables/ipv4-filter
+++ /dev/null
@@ -1,7 +0,0 @@
-#! @sbindir@nft -f
-
-table filter {
-	chain input		{ type filter hook input priority 0; }
-	chain forward		{ type filter hook forward priority 0; }
-	chain output		{ type filter hook output priority 0; }
-}
diff --git a/files/nftables/ipv4-mangle b/files/nftables/ipv4-mangle
deleted file mode 100644
index be564a5..0000000
--- a/files/nftables/ipv4-mangle
+++ /dev/null
@@ -1,5 +0,0 @@
-#! @sbindir@nft -f
-
-table mangle {
-	chain output		{ type route hook output priority -150; }
-}
diff --git a/files/nftables/ipv4-nat b/files/nftables/ipv4-nat
deleted file mode 100644
index 130a729..0000000
--- a/files/nftables/ipv4-nat
+++ /dev/null
@@ -1,8 +0,0 @@
-#! @sbindir@nft -f
-
-table nat {
-	chain prerouting	{ type nat hook prerouting priority -100; }
-	chain input		{ type nat hook input priority 100; }
-	chain output		{ type nat hook output priority -100; }
-	chain postrouting	{ type nat hook postrouting priority 100; }
-}
diff --git a/files/nftables/ipv4-raw b/files/nftables/ipv4-raw
deleted file mode 100644
index 19773ee..0000000
--- a/files/nftables/ipv4-raw
+++ /dev/null
@@ -1,6 +0,0 @@
-#! @sbindir@nft -f
-
-table raw {
-	chain prerouting	{ type filter hook prerouting priority -300; }
-	chain output		{ type filter hook output priority -300; }
-}
diff --git a/files/nftables/ipv6-filter b/files/nftables/ipv6-filter
deleted file mode 100644
index ce4d7de..0000000
--- a/files/nftables/ipv6-filter
+++ /dev/null
@@ -1,7 +0,0 @@
-#! @sbindir@nft -f
-
-table ip6 filter {
-	chain input		{ type filter hook input priority 0; }
-	chain forward		{ type filter hook forward priority 0; }
-	chain output		{ type filter hook output priority 0; }
-}
diff --git a/files/nftables/ipv6-mangle b/files/nftables/ipv6-mangle
deleted file mode 100644
index fa32402..0000000
--- a/files/nftables/ipv6-mangle
+++ /dev/null
@@ -1,5 +0,0 @@
-#! @sbindir@nft -f
-
-table ip6 mangle {
-	chain output		{ type route hook output priority -150; }
-}
diff --git a/files/nftables/ipv6-nat b/files/nftables/ipv6-nat
deleted file mode 100644
index e781686..0000000
--- a/files/nftables/ipv6-nat
+++ /dev/null
@@ -1,8 +0,0 @@
-#! @sbindir@nft -f
-
-table ip6 nat {
-	chain prerouting	{ type nat hook prerouting priority -100; }
-	chain input 		{ type nat hook input priority 100; }
-	chain output  		{ type nat hook output priority -100; }
-	chain postrouting	{ type nat hook postrouting priority 100; }
-}
diff --git a/files/nftables/ipv6-raw b/files/nftables/ipv6-raw
deleted file mode 100644
index 5ee56a8..0000000
--- a/files/nftables/ipv6-raw
+++ /dev/null
@@ -1,6 +0,0 @@
-#! @sbindir@nft -f
-
-table ip6 raw {
-	chain prerouting	{ type filter hook prerouting priority -300; }
-	chain output		{ type filter hook output priority -300; }
-}

--



