
[nft,v2,1/3] nftables: rearrange files and examples

Message ID 151950636353.13955.12971280407018844575.stgit@endurance
State Accepted
Delegated to: Pablo Neira

Commit Message

Arturo Borrero Gonzalez Feb. 24, 2018, 9:06 p.m. UTC
Concatenate all family/hook examples into a single one by means of includes.

Put all example files under examples/. Use the '.nft' prefix and mark
them as executable files. Use a static shebang declaration, since these
are examples meant for final systems and users.

While at it, refresh also the sets_and_maps.nft example file and also
add the 'netdev-ingress.nft' example file.

Signed-off-by: Arturo Borrero Gonzalez <arturo@netfilter.org>
---
v2: address comments by Florian & Pablo. Fix some typos

 Makefile.am                           |    6 ++--
 configure.ac                          |    2 -
 files/Makefile.am                     |    1 -
 files/examples/arp-filter.nft         |    6 ++++
 files/examples/bridge-filter.nft      |    7 ++++
 files/examples/families_and_hooks.nft |   32 ++++++++++++++++++++
 files/examples/inet-filter.nft        |    7 ++++
 files/examples/ipv4-filter.nft        |    7 ++++
 files/examples/ipv4-mangle.nft        |    5 +++
 files/examples/ipv4-nat.nft           |    8 +++++
 files/examples/ipv4-raw.nft           |    6 ++++
 files/examples/ipv6-filter.nft        |    7 ++++
 files/examples/ipv6-mangle.nft        |    5 +++
 files/examples/ipv6-nat.nft           |    8 +++++
 files/examples/ipv6-raw.nft           |    6 ++++
 files/examples/netdev-ingress.nft     |    7 ++++
 files/examples/sets_and_maps          |   53 --------------------------------
 files/examples/sets_and_maps.nft      |   54 +++++++++++++++++++++++++++++++++
 files/nftables/Makefile.am            |   16 ----------
 files/nftables/arp-filter             |    6 ----
 files/nftables/bridge-filter          |    7 ----
 files/nftables/inet-filter            |    7 ----
 files/nftables/ipv4-filter            |    7 ----
 files/nftables/ipv4-mangle            |    5 ---
 files/nftables/ipv4-nat               |    8 -----
 files/nftables/ipv4-raw               |    6 ----
 files/nftables/ipv6-filter            |    7 ----
 files/nftables/ipv6-mangle            |    5 ---
 files/nftables/ipv6-nat               |    8 -----
 files/nftables/ipv6-raw               |    6 ----
 30 files changed, 168 insertions(+), 147 deletions(-)
 delete mode 100644 files/Makefile.am
 create mode 100755 files/examples/arp-filter.nft
 create mode 100755 files/examples/bridge-filter.nft
 create mode 100755 files/examples/families_and_hooks.nft
 create mode 100755 files/examples/inet-filter.nft
 create mode 100755 files/examples/ipv4-filter.nft
 create mode 100755 files/examples/ipv4-mangle.nft
 create mode 100755 files/examples/ipv4-nat.nft
 create mode 100755 files/examples/ipv4-raw.nft
 create mode 100755 files/examples/ipv6-filter.nft
 create mode 100755 files/examples/ipv6-mangle.nft
 create mode 100755 files/examples/ipv6-nat.nft
 create mode 100755 files/examples/ipv6-raw.nft
 create mode 100755 files/examples/netdev-ingress.nft
 delete mode 100755 files/examples/sets_and_maps
 create mode 100755 files/examples/sets_and_maps.nft
 delete mode 100644 files/nftables/Makefile.am
 delete mode 100644 files/nftables/arp-filter
 delete mode 100644 files/nftables/bridge-filter
 delete mode 100644 files/nftables/inet-filter
 delete mode 100644 files/nftables/ipv4-filter
 delete mode 100644 files/nftables/ipv4-mangle
 delete mode 100644 files/nftables/ipv4-nat
 delete mode 100644 files/nftables/ipv4-raw
 delete mode 100644 files/nftables/ipv6-filter
 delete mode 100644 files/nftables/ipv6-mangle
 delete mode 100644 files/nftables/ipv6-nat
 delete mode 100644 files/nftables/ipv6-raw



Comments

Florian Westphal Feb. 24, 2018, 10:07 p.m. UTC | #1
Arturo Borrero Gonzalez <arturo@netfilter.org> wrote:
> Concatenate all family/hook examples into a single one by means of includes.
> 
> Put all example files under examples/. Use the '.nft' prefix and mark
> them as executable files. Use a static shebang declaration, since these
> are examples meant for final systems and users.
> 
> While at it, refresh also the sets_and_maps.nft example file and also
> add the 'netdev-ingress.nft' example file.

Looks good, two more nits:

Any reason why this doesn't use
#! @sbindir@nft -f ?

I don't mind, just asking, feel free to push this.
Arturo Borrero Gonzalez Feb. 24, 2018, 11:30 p.m. UTC | #2
On 24 February 2018 at 23:07, Florian Westphal <fw@strlen.de> wrote:
> Arturo Borrero Gonzalez <arturo@netfilter.org> wrote:
>> Concatenate all family/hook examples into a single one by means of includes.
>>
>> Put all example files under examples/. Use the '.nft' prefix and mark
>> them as executable files. Use a static shebang declaration, since these
>> are examples meant for final systems and users.
>>
>> While at it, refresh also the sets_and_maps.nft example file and also
>> add the 'netdev-ingress.nft' example file.
>
> Looks good, two more nits:
>
> Any reason why this doesn't use
> #! @sbindir@nft -f ?
>

I didn't expect we were using these files for development activities.
My idea was to use just the static shebang for the purpose of being an
example in final users systems (which would likely use /usr/sbin/nft).
Also, this way the examples are readable & copy-ready for users in
both the git repo and the tarball.

(with static I mean: don't have it replaced by make).
Florian Westphal Feb. 24, 2018, 11:49 p.m. UTC | #3
Arturo Borrero Gonzalez <arturo@netfilter.org> wrote:
> On 24 February 2018 at 23:07, Florian Westphal <fw@strlen.de> wrote:
> > Any reason why this doesn't use
> > #! @sbindir@nft -f ?
 
> I didn't expect we were using these files for development activities.

ok, fair enough, was just curious.  Please push this, thanks!
Pablo Neira Ayuso Feb. 25, 2018, 6:48 p.m. UTC | #4
On Sat, Feb 24, 2018 at 10:06:19PM +0100, Arturo Borrero Gonzalez wrote:
> Concatenate all family/hook examples into a single one by means of includes.
> 
> Put all example files under examples/. Use the '.nft' prefix and mark
> them as executable files. Use a static shebang declaration, since these
> are examples meant for final systems and users.
> 
> While at it, refresh also the sets_and_maps.nft example file and also
> add the 'netdev-ingress.nft' example file.

Applied, thanks.
Duncan Roe March 10, 2018, 8:28 a.m. UTC | #5
On Sat, Feb 24, 2018 at 10:06:19PM +0100, Arturo Borrero Gonzalez wrote:
> Concatenate all family/hook examples into a single one by means of includes.
>
> Put all example files under examples/. Use the '.nft' prefix and mark
> them as executable files. Use a static shebang declaration, since these
> are examples meant for final systems and users.
>
> While at it, refresh also the sets_and_maps.nft example file and also
> add the 'netdev-ingress.nft' example file.
>
> Signed-off-by: Arturo Borrero Gonzalez <arturo@netfilter.org>
> ---
> v2: address comments by Florian & Pablo. Fix some typos
[...]

Up to Release 0.8.2, it used to be the case that after *make install*, these
example files would show up in /etc/nftables.

Now they don't.

I think this is a regression which needs to be addressed,

Cheers ... Duncan.
Arturo Borrero Gonzalez March 10, 2018, 1:19 p.m. UTC | #6
On 10 March 2018 at 09:28, Duncan Roe <duncan_roe@optusnet.com.au> wrote:
>
> Up to Release 0.8.2, it used to be the case that after *make install*, these
> example files would show up in /etc/nftables.
>
> Now they don't.
>
> I think this is a regression which needs to be addressed,

We wanted to provide a collection of examples of what nftables can do,
for people who may be external to the project.
More examples may be added in the short term, I would like to see that
directory full of nft scripts.

I'm not sure if we should install all of them to /etc/ with make
install. Any proposal?
Duncan Roe March 17, 2018, 1:05 a.m. UTC | #7
On Sat, Mar 10, 2018 at 02:19:33PM +0100, Arturo Borrero Gonzalez wrote:
> On 10 March 2018 at 09:28, Duncan Roe <duncan_roe@optusnet.com.au> wrote:
> >
> > Up to Release 0.8.2, it used to be the case that after *make install*, these
> > example files would show up in /etc/nftables.
> >
> > Now they don't.
> >
> > I think this is a regression which needs to be addressed,
>
> We wanted to provide a collection of examples of what nftables can do,
> for people who may be external to the project.
> More examples may be added in the short term, I would like to see that
> directory full of nft scripts.
>
> I'm not sure if we should install all of them to /etc/ with make
> install. Any proposal?

Hi Arturo,

Your question deserves a well-considered response.

I'm still trying to get my head around one, but in the meantime, since it's been
a week since your post, here are some initial observations.

My initial reaction was that if /etc disappears then distributors are unlikely
to replace it. Unless they do, the example files will never get to their target
audience.

I suggest an absolute minimum action would be to restore /etc as-was before the
next release.

I say release because most of the time that's what a distributor will use. I'm
thinking in particular of the upcoming Slackware 15.0. Slackware 14.2 came with
nftables-0.6, about 18 months ago.

My concern is, we need to help steer new nftables users in a good direction. I
think we need a README in /etc at least.

For the original files (with the addition of netdev-ingress),  README should
make it clear that these are *templates*. Actually I would re-format them to
look the way "nft list ruleset" displays them, e.g.:

> 11:36:51# cat ipv4-filter
> #! /usr/sbin/nft -f
>
> table filter {
>         chain input             { type filter hook input priority 0; }
>         chain forward           { type filter hook forward priority 0; }
>         chain output            { type filter hook output priority 0; }
> }
> 11:42:33# ./ipv4-filter
> 11:42:41# nft list ruleset
> table ip filter {
>         chain input {
>                 type filter hook input priority 0; policy accept;
>         }
>
>         chain forward {
>                 type filter hook forward priority 0; policy accept;
>         }
>
>         chain output {
>                 type filter hook output priority 0; policy accept;
>         }
> }

For this demo I chmod'd a+x ipv4-filter. But I would caution against
distributing the files with execute access. We don't want to encourage people to
use them as-is, because adding a rule afterwards is cumbersome compared to
adding it before the trailing curly bracket of its chain. If you use the output
from nft list ruleset as the template, you could insert a comment like "# insert
rules here" after each "type" line. I'm not advocating to do that - it's just a
suggestion.

Moving up from the reinstate as-was option, these old files and netdev-ingress
form a set of chain templates. I think this tree structure would suit well:
/etc/chain_templates/{*-filter,*-mangle,*-nat,*-raw,*-ingress,README}

I'll have to leave the other new files for discussion in another email,

Cheers ... Duncan.

Patch

diff --git a/Makefile.am b/Makefile.am
index 10aa40f..5ef61be 100644
--- a/Makefile.am
+++ b/Makefile.am
@@ -2,7 +2,7 @@  ACLOCAL_AMFLAGS	= -I m4
 
 SUBDIRS = 	src	\
 		include	\
-		doc	\
-		files
+		doc
 
-EXTRA_DIST =	tests
+EXTRA_DIST =	tests	\
+		files
diff --git a/configure.ac b/configure.ac
index 1a38653..408a6bc 100644
--- a/configure.ac
+++ b/configure.ac
@@ -140,8 +140,6 @@  AC_CONFIG_FILES([					\
 		include/linux/netfilter_ipv4/Makefile	\
 		include/linux/netfilter_ipv6/Makefile	\
 		doc/Makefile				\
-		files/Makefile				\
-		files/nftables/Makefile			\
 		])
 AC_OUTPUT
 
diff --git a/files/Makefile.am b/files/Makefile.am
deleted file mode 100644
index a8394c0..0000000
--- a/files/Makefile.am
+++ /dev/null
@@ -1 +0,0 @@ 
-SUBDIRS = nftables
diff --git a/files/examples/arp-filter.nft b/files/examples/arp-filter.nft
new file mode 100755
index 0000000..13166bd
--- /dev/null
+++ b/files/examples/arp-filter.nft
@@ -0,0 +1,6 @@ 
+#!/usr/sbin/nft -f
+
+table arp filter {
+	chain input		{ type filter hook input priority 0; }
+	chain output		{ type filter hook output priority 0; }
+}
diff --git a/files/examples/bridge-filter.nft b/files/examples/bridge-filter.nft
new file mode 100755
index 0000000..7e3cad4
--- /dev/null
+++ b/files/examples/bridge-filter.nft
@@ -0,0 +1,7 @@ 
+#!/usr/sbin/nft -f
+
+table bridge filter {
+	chain input		{ type filter hook input priority -200; }
+	chain forward		{ type filter hook forward priority -200; }
+	chain output		{ type filter hook output priority 200; }
+}
diff --git a/files/examples/families_and_hooks.nft b/files/examples/families_and_hooks.nft
new file mode 100755
index 0000000..e6d9ee2
--- /dev/null
+++ b/files/examples/families_and_hooks.nft
@@ -0,0 +1,32 @@ 
+#!/usr/sbin/nft -f
+
+# Here is an example of different families, hooks and priorities in the
+# nftables framework, all mixed together.
+# This script is mean to be loaded with `nft -f <file>`
+# For up-to-date information please visit https://wiki.nftables.org
+
+flush ruleset
+
+# native dual stack IPv4 & IPv6 family
+include "./inet-filter.nft"
+
+# netdev family at ingress hook. Attached to a given NIC
+include "./netdev-ingress.nft"
+
+# IPv4 family, typical iptables tables/chains layout
+include "./ipv4-filter.nft"
+include "./ipv4-mangle.nft"
+include "./ipv4-nat.nft"
+include "./ipv4-raw.nft"
+
+# IPv6 family, typical ip6tables tables/chains layout
+include "./ipv6-filter.nft"
+include "./ipv6-mangle.nft"
+include "./ipv6-nat.nft"
+include "./ipv6-raw.nft"
+
+# ARP family, typical arptables tables/chain layout
+include "./arp-filter.nft"
+
+# bridge family, typical ebtables tables/chain layout
+include "./bridge-filter.nft"
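Review bot: The include lines such as `include "./inet-filter.nft"` give paths that are presumably resolved against the working directory of the nft process, not against the location of this script, so loading it from anywhere other than files/examples/ would fail with a missing-file error; a header comment like `# Run from within this directory: the includes are relative to the cwd` would spare users that surprise. The header comment also has a typo, "This script is mean to be loaded" should read "meant". Since the script begins with `flush ruleset`, which discards every existing table in every family before the examples are loaded, the header should state that loading it replaces the running ruleset rather than adding to it.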
diff --git a/files/examples/inet-filter.nft b/files/examples/inet-filter.nft
new file mode 100755
index 0000000..e5c8c54
--- /dev/null
+++ b/files/examples/inet-filter.nft
@@ -0,0 +1,7 @@ 
+#!/usr/sbin/nft -f
+
+table inet filter {
+	chain input		{ type filter hook input priority 0; }
+	chain forward		{ type filter hook forward priority 0; }
+	chain output		{ type filter hook output priority 0; }
+}
diff --git a/files/examples/ipv4-filter.nft b/files/examples/ipv4-filter.nft
new file mode 100755
index 0000000..73b11bc
--- /dev/null
+++ b/files/examples/ipv4-filter.nft
@@ -0,0 +1,7 @@ 
+#!/usr/sbin/nft -f
+
+table filter {
+	chain input		{ type filter hook input priority 0; }
+	chain forward		{ type filter hook forward priority 0; }
+	chain output		{ type filter hook output priority 0; }
+}
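Review bot: `table filter {` relies on the implicit default family, while the sibling examples spell the family out (`table inet filter`, `table ip6 filter`, `table arp filter`, `table bridge filter`); writing `table ip filter {` makes the example self-describing and matches the form `nft list ruleset` prints back. The same point applies to the ipv4-mangle.nft, ipv4-nat.nft and ipv4-raw.nft hunks (`table mangle`, `table nat`, `table raw`).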
diff --git a/files/examples/ipv4-mangle.nft b/files/examples/ipv4-mangle.nft
new file mode 100755
index 0000000..2827ddf
--- /dev/null
+++ b/files/examples/ipv4-mangle.nft
@@ -0,0 +1,5 @@ 
+#!/usr/sbin/nft -f
+
+table mangle {
+	chain output		{ type route hook output priority -150; }
+}
diff --git a/files/examples/ipv4-nat.nft b/files/examples/ipv4-nat.nft
new file mode 100755
index 0000000..fd3bb40
--- /dev/null
+++ b/files/examples/ipv4-nat.nft
@@ -0,0 +1,8 @@ 
+#!/usr/sbin/nft -f
+
+table nat {
+	chain prerouting	{ type nat hook prerouting priority -100; }
+	chain input		{ type nat hook input priority 100; }
+	chain output		{ type nat hook output priority -100; }
+	chain postrouting	{ type nat hook postrouting priority 100; }
+}
diff --git a/files/examples/ipv4-raw.nft b/files/examples/ipv4-raw.nft
new file mode 100755
index 0000000..91fc138
--- /dev/null
+++ b/files/examples/ipv4-raw.nft
@@ -0,0 +1,6 @@ 
+#!/usr/sbin/nft -f
+
+table raw {
+	chain prerouting	{ type filter hook prerouting priority -300; }
+	chain output		{ type filter hook output priority -300; }
+}
diff --git a/files/examples/ipv6-filter.nft b/files/examples/ipv6-filter.nft
new file mode 100755
index 0000000..21f06a3
--- /dev/null
+++ b/files/examples/ipv6-filter.nft
@@ -0,0 +1,7 @@ 
+#!/usr/sbin/nft -f
+
+table ip6 filter {
+	chain input		{ type filter hook input priority 0; }
+	chain forward		{ type filter hook forward priority 0; }
+	chain output		{ type filter hook output priority 0; }
+}
diff --git a/files/examples/ipv6-mangle.nft b/files/examples/ipv6-mangle.nft
new file mode 100755
index 0000000..e92dbef
--- /dev/null
+++ b/files/examples/ipv6-mangle.nft
@@ -0,0 +1,5 @@ 
+#!/usr/sbin/nft -f
+
+table ip6 mangle {
+	chain output		{ type route hook output priority -150; }
+}
diff --git a/files/examples/ipv6-nat.nft b/files/examples/ipv6-nat.nft
new file mode 100755
index 0000000..7437c19
--- /dev/null
+++ b/files/examples/ipv6-nat.nft
@@ -0,0 +1,8 @@ 
+#!/usr/sbin/nft -f
+
+table ip6 nat {
+	chain prerouting	{ type nat hook prerouting priority -100; }
+	chain input 		{ type nat hook input priority 100; }
+	chain output  		{ type nat hook output priority -100; }
+	chain postrouting	{ type nat hook postrouting priority 100; }
+}
diff --git a/files/examples/ipv6-raw.nft b/files/examples/ipv6-raw.nft
new file mode 100755
index 0000000..812703a
--- /dev/null
+++ b/files/examples/ipv6-raw.nft
@@ -0,0 +1,6 @@ 
+#!/usr/sbin/nft -f
+
+table ip6 raw {
+	chain prerouting	{ type filter hook prerouting priority -300; }
+	chain output		{ type filter hook output priority -300; }
+}
diff --git a/files/examples/netdev-ingress.nft b/files/examples/netdev-ingress.nft
new file mode 100755
index 0000000..2585d15
--- /dev/null
+++ b/files/examples/netdev-ingress.nft
@@ -0,0 +1,7 @@ 
+#!/usr/sbin/nft -f
+
+# mind the NIC, it must exists
+table netdev filter {
+        chain loinput { type filter hook ingress device lo priority 0; }
+}
+
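Review bot: The chain line is indented with eight spaces while every other example in this series uses a tab, and the hunk ends the file with an extra empty line; both are easy to align with the siblings. The comment `# mind the NIC, it must exists` is ungrammatical and vague about what "it" is; `# mind the NIC: the device named below (lo) must exist on the system` would say what a reader has to adapt before loading, since `device lo` ties the ingress hook to one specific interface.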
diff --git a/files/examples/sets_and_maps b/files/examples/sets_and_maps
deleted file mode 100755
index 58369a3..0000000
--- a/files/examples/sets_and_maps
+++ /dev/null
@@ -1,53 +0,0 @@ 
-#! /sbin/nft -nf
-#
-# Examples of set and map usage
-#
-
-# symbolic anonymous set definition built from symbolic singleton definitions
-define int_if1	 = eth0
-define int_if2	 = eth1
-define int_ifs	 = { $int_if1, $int_if2 }
-
-define ext_if1	 = eth2
-define ext_if2	 = eth3
-define ext_ifs	 = { $ext_if1, $ext_if2 }
-
-# recursive symbolic anonymous set definition
-define local_ifs = { $int_ifs, $ext_ifs }
-
-# symbolic anonymous set definition
-define tcp_ports = { ssh, domain, https, 123-125 }
-
-delete table filter
-table filter {
-	# named set of type iface_index
-	set local_ifs {
-		type iface_index
-	}
-
-	# named map of type iface_index : ipv4_addr
-	map nat_map {
-		type iface_index : ipv4_addr
-	}
-
-	map jump_map {
-		type iface_index : verdict
-	}
-
-	chain input_1 { counter; }
-	chain input_2 { counter; }
-	chain input {
-		type filter hook input priority 0
-
-		# symbolic anonymous sets
-		meta iif $local_ifs tcp dport $tcp_ports counter
-
-		# literal anonymous set
-		meta iif { eth0, eth1 } counter
-
-		meta iif @local_ifs counter
-		meta iif vmap @jump_map
-
-		#meta iif vmap { eth0 : jump input1, eth1 : jump input2 }
-	}
-}
diff --git a/files/examples/sets_and_maps.nft b/files/examples/sets_and_maps.nft
new file mode 100755
index 0000000..f5157b3
--- /dev/null
+++ b/files/examples/sets_and_maps.nft
@@ -0,0 +1,54 @@ 
+#!/usr/sbin/nft -f
+
+# This example file shows how to use sets and maps in the nftables framework.
+# This script is meant to be loaded with `nft -f <file>`
+# For up-to-date information please visit https://wiki.nftables.org
+
+# symbolic anonymous set definition built from symbolic singleton definitions
+define int_if1	 = eth0
+define int_if2	 = eth1
+define int_ifs	 = { $int_if1, $int_if2 }
+
+define ext_if1	 = eth2
+define ext_if2	 = eth3
+define ext_ifs	 = { $ext_if1, $ext_if2 }
+
+# recursive symbolic anonymous set definition
+define local_ifs = { $int_ifs, $ext_ifs }
+
+# symbolic anonymous set definition
+define tcp_ports = { ssh, domain, https, 123-125 }
+
+delete table filter
+table filter {
+	# named set of type iface_index
+	set local_ifs {
+		type iface_index
+	}
+
+	# named map of type iface_index : ipv4_addr
+	map nat_map {
+		type iface_index : ipv4_addr
+	}
+
+	map jump_map {
+		type iface_index : verdict
+	}
+
+	chain input_1 { counter; }
+	chain input_2 { counter; }
+	chain input {
+		type filter hook input priority 0
+
+		# symbolic anonymous sets
+		meta iif $local_ifs tcp dport $tcp_ports counter
+
+		# literal anonymous set
+		meta iif { eth0, eth1 } counter
+
+		meta iif @local_ifs counter
+		meta iif vmap @jump_map
+
+		#meta iif vmap { eth0 : jump input1, eth1 : jump input2 }
+	}
+}
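Review bot: The commented-out example `#meta iif vmap { eth0 : jump input1, eth1 : jump input2 }` names chains `input1` and `input2`, but the chains defined above are `input_1` and `input_2`, so anyone uncommenting it gets a reference to chains that do not exist; it should read `#meta iif vmap { eth0 : jump input_1, eth1 : jump input_2 }`. `delete table filter` near the top presumably fails when no `filter` table exists yet, which differs from the `flush ruleset` approach used in families_and_hooks.nft, and the file header could mention that expectation. Both points are inherited from the deleted files/examples/sets_and_maps, which this hunk otherwise reproduces verbatim apart from the shebang and header comment.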
diff --git a/files/nftables/Makefile.am b/files/nftables/Makefile.am
deleted file mode 100644
index 77d5c2a..0000000
--- a/files/nftables/Makefile.am
+++ /dev/null
@@ -1,16 +0,0 @@ 
-
-pkgsysconfdir = ${sysconfdir}/nftables
-dist_pkgsysconf_DATA =	arp-filter	\
-			bridge-filter	\
-			inet-filter	\
-			ipv4-filter	\
-			ipv4-mangle	\
-			ipv4-nat	\
-			ipv4-raw	\
-			ipv6-filter	\
-			ipv6-mangle	\
-			ipv6-nat	\
-			ipv6-raw
-
-install-data-hook:
-	${SED} -i 's|@sbindir[@]|${sbindir}/|g' ${DESTDIR}${pkgsysconfdir}/*
diff --git a/files/nftables/arp-filter b/files/nftables/arp-filter
deleted file mode 100644
index bcabf28..0000000
--- a/files/nftables/arp-filter
+++ /dev/null
@@ -1,6 +0,0 @@ 
-#! @sbindir@nft -f
-
-table arp filter {
-	chain input		{ type filter hook input priority 0; }
-	chain output		{ type filter hook output priority 0; }
-}
diff --git a/files/nftables/bridge-filter b/files/nftables/bridge-filter
deleted file mode 100644
index 2add455..0000000
--- a/files/nftables/bridge-filter
+++ /dev/null
@@ -1,7 +0,0 @@ 
-#! @sbindir@nft -f
-
-table bridge filter {
-	chain input		{ type filter hook input priority -200; }
-	chain forward		{ type filter hook forward priority -200; }
-	chain output		{ type filter hook output priority 200; }
-}
diff --git a/files/nftables/inet-filter b/files/nftables/inet-filter
deleted file mode 100644
index f572db5..0000000
--- a/files/nftables/inet-filter
+++ /dev/null
@@ -1,7 +0,0 @@ 
-#! @sbindir@nft -f
-
-table inet filter {
-	chain input		{ type filter hook input priority 0; }
-	chain forward		{ type filter hook forward priority 0; }
-	chain output		{ type filter hook output priority 0; }
-}
diff --git a/files/nftables/ipv4-filter b/files/nftables/ipv4-filter
deleted file mode 100644
index a4ca7f2..0000000
--- a/files/nftables/ipv4-filter
+++ /dev/null
@@ -1,7 +0,0 @@ 
-#! @sbindir@nft -f
-
-table filter {
-	chain input		{ type filter hook input priority 0; }
-	chain forward		{ type filter hook forward priority 0; }
-	chain output		{ type filter hook output priority 0; }
-}
diff --git a/files/nftables/ipv4-mangle b/files/nftables/ipv4-mangle
deleted file mode 100644
index be564a5..0000000
--- a/files/nftables/ipv4-mangle
+++ /dev/null
@@ -1,5 +0,0 @@ 
-#! @sbindir@nft -f
-
-table mangle {
-	chain output		{ type route hook output priority -150; }
-}
diff --git a/files/nftables/ipv4-nat b/files/nftables/ipv4-nat
deleted file mode 100644
index 130a729..0000000
--- a/files/nftables/ipv4-nat
+++ /dev/null
@@ -1,8 +0,0 @@ 
-#! @sbindir@nft -f
-
-table nat {
-	chain prerouting	{ type nat hook prerouting priority -100; }
-	chain input		{ type nat hook input priority 100; }
-	chain output		{ type nat hook output priority -100; }
-	chain postrouting	{ type nat hook postrouting priority 100; }
-}
diff --git a/files/nftables/ipv4-raw b/files/nftables/ipv4-raw
deleted file mode 100644
index 19773ee..0000000
--- a/files/nftables/ipv4-raw
+++ /dev/null
@@ -1,6 +0,0 @@ 
-#! @sbindir@nft -f
-
-table raw {
-	chain prerouting	{ type filter hook prerouting priority -300; }
-	chain output		{ type filter hook output priority -300; }
-}
diff --git a/files/nftables/ipv6-filter b/files/nftables/ipv6-filter
deleted file mode 100644
index ce4d7de..0000000
--- a/files/nftables/ipv6-filter
+++ /dev/null
@@ -1,7 +0,0 @@ 
-#! @sbindir@nft -f
-
-table ip6 filter {
-	chain input		{ type filter hook input priority 0; }
-	chain forward		{ type filter hook forward priority 0; }
-	chain output		{ type filter hook output priority 0; }
-}
diff --git a/files/nftables/ipv6-mangle b/files/nftables/ipv6-mangle
deleted file mode 100644
index fa32402..0000000
--- a/files/nftables/ipv6-mangle
+++ /dev/null
@@ -1,5 +0,0 @@ 
-#! @sbindir@nft -f
-
-table ip6 mangle {
-	chain output		{ type route hook output priority -150; }
-}
diff --git a/files/nftables/ipv6-nat b/files/nftables/ipv6-nat
deleted file mode 100644
index e781686..0000000
--- a/files/nftables/ipv6-nat
+++ /dev/null
@@ -1,8 +0,0 @@ 
-#! @sbindir@nft -f
-
-table ip6 nat {
-	chain prerouting	{ type nat hook prerouting priority -100; }
-	chain input 		{ type nat hook input priority 100; }
-	chain output  		{ type nat hook output priority -100; }
-	chain postrouting	{ type nat hook postrouting priority 100; }
-}
diff --git a/files/nftables/ipv6-raw b/files/nftables/ipv6-raw
deleted file mode 100644
index 5ee56a8..0000000
--- a/files/nftables/ipv6-raw
+++ /dev/null
@@ -1,6 +0,0 @@ 
-#! @sbindir@nft -f
-
-table ip6 raw {
-	chain prerouting	{ type filter hook prerouting priority -300; }
-	chain output		{ type filter hook output priority -300; }
-}