
[NFT,1/3] nftables: rearrange files and examples

Message ID 151947775832.13003.17309728665265256319.stgit@endurance
State Changes Requested
Delegated to: Pablo Neira

Commit Message

Arturo Borrero Gonzalez Feb. 24, 2018, 1:09 p.m. UTC
Concatenate all family/hook examples into a single one.

Put all example files under examples/. Use the '.nft' suffix and mark
them as executable files. Use a static shebang declaration, since these
are examples meant for final systems and users.

While at it, refresh also the sets_and_maps.nft example file.

Signed-off-by: Arturo Borrero Gonzalez <arturo@netfilter.org>
---
 Makefile.am                           |    6 +--
 configure.ac                          |    2 -
 files/Makefile.am                     |    1 
 files/examples/families_and_hooks.nft |   79 +++++++++++++++++++++++++++++++++
 files/examples/sets_and_maps          |   53 ----------------------
 files/examples/sets_and_maps.nft      |   54 +++++++++++++++++++++++
 files/nftables/Makefile.am            |   16 -------
 files/nftables/arp-filter             |    6 ---
 files/nftables/bridge-filter          |    7 ---
 files/nftables/inet-filter            |    7 ---
 files/nftables/ipv4-filter            |    7 ---
 files/nftables/ipv4-mangle            |    5 --
 files/nftables/ipv4-nat               |    8 ---
 files/nftables/ipv4-raw               |    6 ---
 files/nftables/ipv6-filter            |    7 ---
 files/nftables/ipv6-mangle            |    5 --
 files/nftables/ipv6-nat               |    8 ---
 files/nftables/ipv6-raw               |    6 ---
 18 files changed, 136 insertions(+), 147 deletions(-)
 delete mode 100644 files/Makefile.am
 create mode 100755 files/examples/families_and_hooks.nft
 delete mode 100755 files/examples/sets_and_maps
 create mode 100755 files/examples/sets_and_maps.nft
 delete mode 100644 files/nftables/Makefile.am
 delete mode 100644 files/nftables/arp-filter
 delete mode 100644 files/nftables/bridge-filter
 delete mode 100644 files/nftables/inet-filter
 delete mode 100644 files/nftables/ipv4-filter
 delete mode 100644 files/nftables/ipv4-mangle
 delete mode 100644 files/nftables/ipv4-nat
 delete mode 100644 files/nftables/ipv4-raw
 delete mode 100644 files/nftables/ipv6-filter
 delete mode 100644 files/nftables/ipv6-mangle
 delete mode 100644 files/nftables/ipv6-nat
 delete mode 100644 files/nftables/ipv6-raw



Comments

Florian Westphal Feb. 24, 2018, 2:42 p.m. UTC | #1
Arturo Borrero Gonzalez <arturo@netfilter.org> wrote:
> Concatenate all family/hook examples into a single one.

Oh?  I actually liked the 'atomic' versions, because i could
run nft -f /etc/nftables/ipv4-filter to get empty 'iptables' filter.
Pablo Neira Ayuso Feb. 24, 2018, 4:29 p.m. UTC | #2
On Sat, Feb 24, 2018 at 03:42:01PM +0100, Florian Westphal wrote:
> Arturo Borrero Gonzalez <arturo@netfilter.org> wrote:
> > Concatenate all family/hook examples into a single one.
> 
> Oh?  I actually liked the 'atomic' versions, because i could
> run nft -f /etc/nftables/ipv4-filter to get empty 'iptables' filter.

Probably we can keep them around, and make a file
families_and_hooks.nft that uses "include".

Patch

diff --git a/Makefile.am b/Makefile.am
index 10aa40f..5ef61be 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -2,7 +2,7 @@  ACLOCAL_AMFLAGS	= -I m4
 
 SUBDIRS = 	src	\
 		include	\
-		doc	\
-		files
+		doc
 
-EXTRA_DIST =	tests
+EXTRA_DIST =	tests	\
+		files
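Review bot: `EXTRA_DIST = tests \ files` at the end of this hunk ships the whole `files/` tree in the release tarball, so any stray file left under it (editor backups, scratch rule files) is distributed too, and with files/Makefile.am and files/nftables/Makefile.am removed nothing in the build installs the examples any more. Listing the two example files explicitly keeps the tarball contents deterministic: `EXTRA_DIST = tests \`, `		files/examples/families_and_hooks.nft \`, `		files/examples/sets_and_maps.nft`. If the intent is to keep distributing the directory as a whole, a short comment above the line saying that `files/` is documentation-only and not installed would make that deliberate.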
diff --git a/configure.ac b/configure.ac
index 1a38653..408a6bc 100644
--- a/configure.ac
+++ b/configure.ac
@@ -140,8 +140,6 @@  AC_CONFIG_FILES([					\
 		include/linux/netfilter_ipv4/Makefile	\
 		include/linux/netfilter_ipv6/Makefile	\
 		doc/Makefile				\
-		files/Makefile				\
-		files/nftables/Makefile			\
 		])
 AC_OUTPUT
 
diff --git a/files/Makefile.am b/files/Makefile.am
deleted file mode 100644
index a8394c0..0000000
--- a/files/Makefile.am
+++ /dev/null
@@ -1 +0,0 @@ 
-SUBDIRS = nftables
diff --git a/files/examples/families_and_hooks.nft b/files/examples/families_and_hooks.nft
new file mode 100755
index 0000000..b401610
--- /dev/null
+++ b/files/examples/families_and_hooks.nft
@@ -0,0 +1,79 @@ 
+#!/usr/sbin/nft -f
+
+# Here is an example of different families, hooks and priorities in the
+# nftables framework.
+# This script is mean to be loaded with `nft -f <file>`
+# For up-to-date information please visit https://wiki.nftables.org
+
+flush ruleset
+
+# native dual stack IPv4 & IPv6 family
+table inet filter {
+	chain input { type filter hook input priority 0; }
+	chain forward {	type filter hook forward priority 0; }
+	chain output { type filter hook output priority 0; }
+}
+
+# netdev family at ingress hook. Attached to a given NIC.
+table netdev filter {
+	chain eth0input { type filter hook ingress device lo priority 0; }
+}
+
+# IPv4 family, typical iptables tables/chains layout
+table filter {
+	chain input { type filter hook input priority 0; }
+	chain forward {	type filter hook forward priority 0; }
+	chain output { 	type filter hook output priority 0; }
+}
+
+table mangle {
+	chain output { type route hook output priority -150; }
+}
+
+table nat {
+	chain prerouting { type nat hook prerouting priority -100; }
+	chain input { type nat hook input priority 100; }
+	chain output { type nat hook output priority -100; }
+	chain postrouting { type nat hook postrouting priority 100; }
+}
+
+table raw {
+	chain prerouting { type filter hook prerouting priority -300; }
+	chain output { type filter hook output priority -300; }
+}
+
+# IPv6 family, typical iptables tables/chains layout
+table ip6 filter {
+	chain input		{ type filter hook input priority 0; }
+	chain forward		{ type filter hook forward priority 0; }
+	chain output		{ type filter hook output priority 0; }
+}
+
+table ip6 mangle {
+	chain output		{ type route hook output priority -150; }
+}
+
+table ip6 nat {
+	chain prerouting	{ type nat hook prerouting priority -100; }
+	chain input 		{ type nat hook input priority 100; }
+	chain output  		{ type nat hook output priority -100; }
+	chain postrouting	{ type nat hook postrouting priority 100; }
+}
+
+table ip6 raw {
+	chain prerouting	{ type filter hook prerouting priority -300; }
+	chain output		{ type filter hook output priority -300; }
+}
+
+# ARP family, typical arptables tables/chain layout
+table arp filter {
+	chain input		{ type filter hook input priority 0; }
+	chain output		{ type filter hook output priority 0; }
+}
+
+# bridge family, typical ebtables tables/chain layout
+table bridge filter {
+	chain input		{ type filter hook input priority -200; }
+	chain forward		{ type filter hook forward priority -200; }
+	chain output		{ type filter hook output priority 200; }
+}
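Review bot: The bare `flush ruleset` near the top of this new file deletes every table of every family on the host before the example tables are created, and none of the chains defined afterwards carries a `policy`, so running the example on a machine with a live firewall replaces its policy with accept-all; the header comment should say so, e.g. `# WARNING: 'flush ruleset' removes ALL existing tables of ALL families; run this only on a test system.`. The netdev chain is named `eth0input` while its hook is attached to `device lo` and the comment above it speaks of "a given NIC", so the name misleads; `chain ingress { type filter hook ingress device lo priority 0; }` (or a `device eth0` that matches the name) would be consistent. The header line "This script is mean to be loaded" should read "meant", here and in the same header of files/examples/sets_and_maps.nft. The `chain forward {	type ...` and `chain output { 	type ...` lines in the inet and ip filter tables carry a tab inside the braces where the other chains use a single space.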
diff --git a/files/examples/sets_and_maps b/files/examples/sets_and_maps
deleted file mode 100755
index 58369a3..0000000
--- a/files/examples/sets_and_maps
+++ /dev/null
@@ -1,53 +0,0 @@ 
-#! /sbin/nft -nf
-#
-# Examples of set and map usage
-#
-
-# symbolic anonymous set definition built from symbolic singleton definitions
-define int_if1	 = eth0
-define int_if2	 = eth1
-define int_ifs	 = { $int_if1, $int_if2 }
-
-define ext_if1	 = eth2
-define ext_if2	 = eth3
-define ext_ifs	 = { $ext_if1, $ext_if2 }
-
-# recursive symbolic anonymous set definition
-define local_ifs = { $int_ifs, $ext_ifs }
-
-# symbolic anonymous set definition
-define tcp_ports = { ssh, domain, https, 123-125 }
-
-delete table filter
-table filter {
-	# named set of type iface_index
-	set local_ifs {
-		type iface_index
-	}
-
-	# named map of type iface_index : ipv4_addr
-	map nat_map {
-		type iface_index : ipv4_addr
-	}
-
-	map jump_map {
-		type iface_index : verdict
-	}
-
-	chain input_1 { counter; }
-	chain input_2 { counter; }
-	chain input {
-		type filter hook input priority 0
-
-		# symbolic anonymous sets
-		meta iif $local_ifs tcp dport $tcp_ports counter
-
-		# literal anonymous set
-		meta iif { eth0, eth1 } counter
-
-		meta iif @local_ifs counter
-		meta iif vmap @jump_map
-
-		#meta iif vmap { eth0 : jump input1, eth1 : jump input2 }
-	}
-}
diff --git a/files/examples/sets_and_maps.nft b/files/examples/sets_and_maps.nft
new file mode 100755
index 0000000..dc50b8c
--- /dev/null
+++ b/files/examples/sets_and_maps.nft
@@ -0,0 +1,54 @@ 
+#!/usr/sbin/nft -f
+
+# This example file shows how to use sets and maps in the nftables framework.
+# This script is mean to be loaded with `nft -f <file>`
+# For up-to-date information please visit https://wiki.nftables.org
+
+# symbolic anonymous set definition built from symbolic singleton definitions
+define int_if1	 = eth0
+define int_if2	 = eth1
+define int_ifs	 = { $int_if1, $int_if2 }
+
+define ext_if1	 = eth2
+define ext_if2	 = eth3
+define ext_ifs	 = { $ext_if1, $ext_if2 }
+
+# recursive symbolic anonymous set definition
+define local_ifs = { $int_ifs, $ext_ifs }
+
+# symbolic anonymous set definition
+define tcp_ports = { ssh, domain, https, 123-125 }
+
+delete table filter
+table filter {
+	# named set of type iface_index
+	set local_ifs {
+		type iface_index
+	}
+
+	# named map of type iface_index : ipv4_addr
+	map nat_map {
+		type iface_index : ipv4_addr
+	}
+
+	map jump_map {
+		type iface_index : verdict
+	}
+
+	chain input_1 { counter; }
+	chain input_2 { counter; }
+	chain input {
+		type filter hook input priority 0
+
+		# symbolic anonymous sets
+		meta iif $local_ifs tcp dport $tcp_ports counter
+
+		# literal anonymous set
+		meta iif { eth0, eth1 } counter
+
+		meta iif @local_ifs counter
+		meta iif vmap @jump_map
+
+		#meta iif vmap { eth0 : jump input1, eth1 : jump input2 }
+	}
+}
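Review bot: `delete table filter` is kept from the old file but is not idempotent: on a host that has no ip `filter` table the delete should fail and, since `nft -f` applies the file as one transaction, nothing is loaded, while on a host that has one the user's existing table is silently discarded (behaviour of nft releases of this period; verify against the version targeted). Declaring the table before deleting it, `table filter` immediately above `delete table filter`, is the usual idiom to make the script loadable on a clean system, and a comment such as `# replaces any existing ip 'filter' table` would document the destructive case. The commented example `#meta iif vmap { eth0 : jump input1, eth1 : jump input2 }` refers to chains `input1`/`input2`, but the chains defined above are `input_1`/`input_2`, so uncommenting it as written would fail to load; `#meta iif vmap { eth0 : jump input_1, eth1 : jump input_2 }` matches the definitions.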
diff --git a/files/nftables/Makefile.am b/files/nftables/Makefile.am
deleted file mode 100644
index 77d5c2a..0000000
--- a/files/nftables/Makefile.am
+++ /dev/null
@@ -1,16 +0,0 @@ 
-
-pkgsysconfdir = ${sysconfdir}/nftables
-dist_pkgsysconf_DATA =	arp-filter	\
-			bridge-filter	\
-			inet-filter	\
-			ipv4-filter	\
-			ipv4-mangle	\
-			ipv4-nat	\
-			ipv4-raw	\
-			ipv6-filter	\
-			ipv6-mangle	\
-			ipv6-nat	\
-			ipv6-raw
-
-install-data-hook:
-	${SED} -i 's|@sbindir[@]|${sbindir}/|g' ${DESTDIR}${pkgsysconfdir}/*
diff --git a/files/nftables/arp-filter b/files/nftables/arp-filter
deleted file mode 100644
index bcabf28..0000000
--- a/files/nftables/arp-filter
+++ /dev/null
@@ -1,6 +0,0 @@ 
-#! @sbindir@nft -f
-
-table arp filter {
-	chain input		{ type filter hook input priority 0; }
-	chain output		{ type filter hook output priority 0; }
-}
diff --git a/files/nftables/bridge-filter b/files/nftables/bridge-filter
deleted file mode 100644
index 2add455..0000000
--- a/files/nftables/bridge-filter
+++ /dev/null
@@ -1,7 +0,0 @@ 
-#! @sbindir@nft -f
-
-table bridge filter {
-	chain input		{ type filter hook input priority -200; }
-	chain forward		{ type filter hook forward priority -200; }
-	chain output		{ type filter hook output priority 200; }
-}
diff --git a/files/nftables/inet-filter b/files/nftables/inet-filter
deleted file mode 100644
index f572db5..0000000
--- a/files/nftables/inet-filter
+++ /dev/null
@@ -1,7 +0,0 @@ 
-#! @sbindir@nft -f
-
-table inet filter {
-	chain input		{ type filter hook input priority 0; }
-	chain forward		{ type filter hook forward priority 0; }
-	chain output		{ type filter hook output priority 0; }
-}
diff --git a/files/nftables/ipv4-filter b/files/nftables/ipv4-filter
deleted file mode 100644
index a4ca7f2..0000000
--- a/files/nftables/ipv4-filter
+++ /dev/null
@@ -1,7 +0,0 @@ 
-#! @sbindir@nft -f
-
-table filter {
-	chain input		{ type filter hook input priority 0; }
-	chain forward		{ type filter hook forward priority 0; }
-	chain output		{ type filter hook output priority 0; }
-}
diff --git a/files/nftables/ipv4-mangle b/files/nftables/ipv4-mangle
deleted file mode 100644
index be564a5..0000000
--- a/files/nftables/ipv4-mangle
+++ /dev/null
@@ -1,5 +0,0 @@ 
-#! @sbindir@nft -f
-
-table mangle {
-	chain output		{ type route hook output priority -150; }
-}
diff --git a/files/nftables/ipv4-nat b/files/nftables/ipv4-nat
deleted file mode 100644
index 130a729..0000000
--- a/files/nftables/ipv4-nat
+++ /dev/null
@@ -1,8 +0,0 @@ 
-#! @sbindir@nft -f
-
-table nat {
-	chain prerouting	{ type nat hook prerouting priority -100; }
-	chain input		{ type nat hook input priority 100; }
-	chain output		{ type nat hook output priority -100; }
-	chain postrouting	{ type nat hook postrouting priority 100; }
-}
diff --git a/files/nftables/ipv4-raw b/files/nftables/ipv4-raw
deleted file mode 100644
index 19773ee..0000000
--- a/files/nftables/ipv4-raw
+++ /dev/null
@@ -1,6 +0,0 @@ 
-#! @sbindir@nft -f
-
-table raw {
-	chain prerouting	{ type filter hook prerouting priority -300; }
-	chain output		{ type filter hook output priority -300; }
-}
diff --git a/files/nftables/ipv6-filter b/files/nftables/ipv6-filter
deleted file mode 100644
index ce4d7de..0000000
--- a/files/nftables/ipv6-filter
+++ /dev/null
@@ -1,7 +0,0 @@ 
-#! @sbindir@nft -f
-
-table ip6 filter {
-	chain input		{ type filter hook input priority 0; }
-	chain forward		{ type filter hook forward priority 0; }
-	chain output		{ type filter hook output priority 0; }
-}
diff --git a/files/nftables/ipv6-mangle b/files/nftables/ipv6-mangle
deleted file mode 100644
index fa32402..0000000
--- a/files/nftables/ipv6-mangle
+++ /dev/null
@@ -1,5 +0,0 @@ 
-#! @sbindir@nft -f
-
-table ip6 mangle {
-	chain output		{ type route hook output priority -150; }
-}
diff --git a/files/nftables/ipv6-nat b/files/nftables/ipv6-nat
deleted file mode 100644
index e781686..0000000
--- a/files/nftables/ipv6-nat
+++ /dev/null
@@ -1,8 +0,0 @@ 
-#! @sbindir@nft -f
-
-table ip6 nat {
-	chain prerouting	{ type nat hook prerouting priority -100; }
-	chain input 		{ type nat hook input priority 100; }
-	chain output  		{ type nat hook output priority -100; }
-	chain postrouting	{ type nat hook postrouting priority 100; }
-}
diff --git a/files/nftables/ipv6-raw b/files/nftables/ipv6-raw
deleted file mode 100644
index 5ee56a8..0000000
--- a/files/nftables/ipv6-raw
+++ /dev/null
@@ -1,6 +0,0 @@ 
-#! @sbindir@nft -f
-
-table ip6 raw {
-	chain prerouting	{ type filter hook prerouting priority -300; }
-	chain output		{ type filter hook output priority -300; }
-}