@@ -2,6 +2,7 @@ ACLOCAL_AMFLAGS = -I m4
SUBDIRS = src \
include \
+ files \
doc
EXTRA_DIST = tests \
@@ -119,6 +119,8 @@ AC_CONFIG_FILES([ \
include/linux/netfilter_bridge/Makefile \
include/linux/netfilter_ipv4/Makefile \
include/linux/netfilter_ipv6/Makefile \
+ files/Makefile \
+ files/nftables/Makefile \
doc/Makefile \
])
AC_OUTPUT
new file mode 100644
@@ -0,0 +1 @@
+SUBDIRS = nftables
new file mode 100644
@@ -0,0 +1,16 @@
+pkgsysconfdir = ${sysconfdir}/nftables
+dist_pkgsysconf_DATA = all-in-one.nft \
+ arp-filter.nft \
+ bridge-filter.nft \
+ inet-filter.nft \
+ ipv4-filter.nft \
+ ipv4-mangle.nft \
+ ipv4-nat.nft \
+ ipv4-raw.nft \
+ ipv6-filter.nft \
+ ipv6-mangle.nft \
+ ipv6-nat.nft \
+ ipv6-raw.nft
+
+install-data-hook:
+ ${SED} -i 's|@sbindir[@]|${sbindir}/|g' ${DESTDIR}${pkgsysconfdir}/*
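Review bot: The `install-data-hook` recipe runs `${SED} -i` over `${DESTDIR}${pkgsysconfdir}/*`, so an install without a staging `DESTDIR` touches every entry already in the nftables configuration directory, not only the twelve skeletons listed in `dist_pkgsysconf_DATA`. An administrator's own ruleset there would be rewritten in place, and a subdirectory or symlink in that directory would presumably make sed fail or replace the link with a regular file. Restrict the hook to the names this Makefile installs, for example `for f in $(dist_pkgsysconf_DATA); do ${SED} -i 's|@sbindir[@]|${sbindir}/|g' "${DESTDIR}${pkgsysconfdir}/$$f"; done`. Because these are firewall rulesets under sysconfdir, a comment should also say that `make install` overwrites a locally modified skeleton of the same name, and that `sed -i` is an extension not every sed provides.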
similarity index 88%
rename from files/examples/families_and_hooks.nft
rename to files/nftables/all-in-one.nft
@@ -1,10 +1,14 @@
-#!/usr/sbin/nft -f
+#!@sbindir@nft -f
# Here is an example of different families, hooks and priorities in the
# nftables framework, all mixed together.
-# This script is mean to be loaded with `nft -f <file>`
+#
+# more examples are located in files/examples in nftables source.
# For up-to-date information please visit https://wiki.nftables.org
+#
+# This script is mean to be loaded with `nft -f <file>`
+# clear all prior state
flush ruleset
# native dual stack IPv4 & IPv6 family
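Review bot: The re-added header line `# This script is mean to be loaded with ...` still carries the typo and should read `# This script is meant to be loaded with \`nft -f <file>\``. Now that this file is installed into sysconfdir as a ready-to-load skeleton, the new `# clear all prior state` comment is also too terse for what `flush ruleset` does. I would spell it out as `# clear all prior state: removes every table of every family, including tables created by other tools`, so that an administrator loading the file knows it replaces the whole active ruleset. The rest of the file lies outside this hunk.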
similarity index 87%
rename from files/examples/arp-filter.nft
rename to files/nftables/arp-filter.nft
@@ -1,4 +1,4 @@
-#!/usr/sbin/nft -f
+#!@sbindir@nft -f
table arp filter {
chain input { type filter hook input priority 0; }
similarity index 91%
rename from files/examples/bridge-filter.nft
rename to files/nftables/bridge-filter.nft
@@ -1,4 +1,4 @@
-#!/usr/sbin/nft -f
+#!@sbindir@nft -f
table bridge filter {
chain input { type filter hook input priority -200; }
similarity index 90%
rename from files/examples/inet-filter.nft
rename to files/nftables/inet-filter.nft
@@ -1,4 +1,4 @@
-#!/usr/sbin/nft -f
+#!@sbindir@nft -f
table inet filter {
chain input { type filter hook input priority 0; }
similarity index 90%
rename from files/examples/ipv4-filter.nft
rename to files/nftables/ipv4-filter.nft
@@ -1,4 +1,4 @@
-#!/usr/sbin/nft -f
+#!@sbindir@nft -f
table filter {
chain input { type filter hook input priority 0; }
similarity index 79%
rename from files/examples/ipv4-mangle.nft
rename to files/nftables/ipv4-mangle.nft
@@ -1,4 +1,4 @@
-#!/usr/sbin/nft -f
+#!@sbindir@nft -f
table mangle {
chain output { type route hook output priority -150; }
similarity index 92%
rename from files/examples/ipv4-nat.nft
rename to files/nftables/ipv4-nat.nft
@@ -1,4 +1,4 @@
-#!/usr/sbin/nft -f
+#!@sbindir@nft -f
table nat {
chain prerouting { type nat hook prerouting priority -100; }
similarity index 87%
rename from files/examples/ipv4-raw.nft
rename to files/nftables/ipv4-raw.nft
@@ -1,4 +1,4 @@
-#!/usr/sbin/nft -f
+#!@sbindir@nft -f
table raw {
chain prerouting { type filter hook prerouting priority -300; }
similarity index 90%
rename from files/examples/ipv6-filter.nft
rename to files/nftables/ipv6-filter.nft
@@ -1,4 +1,4 @@
-#!/usr/sbin/nft -f
+#!@sbindir@nft -f
table ip6 filter {
chain input { type filter hook input priority 0; }
similarity index 80%
rename from files/examples/ipv6-mangle.nft
rename to files/nftables/ipv6-mangle.nft
@@ -1,4 +1,4 @@
-#!/usr/sbin/nft -f
+#!@sbindir@nft -f
table ip6 mangle {
chain output { type route hook output priority -150; }
similarity index 93%
rename from files/examples/ipv6-nat.nft
rename to files/nftables/ipv6-nat.nft
@@ -1,4 +1,4 @@
-#!/usr/sbin/nft -f
+#!@sbindir@nft -f
table ip6 nat {
chain prerouting { type nat hook prerouting priority -100; }
similarity index 88%
rename from files/examples/ipv6-raw.nft
rename to files/nftables/ipv6-raw.nft
@@ -1,4 +1,4 @@
-#!/usr/sbin/nft -f
+#!@sbindir@nft -f
table ip6 raw {
chain prerouting { type filter hook prerouting priority -300; }
nftables releases until 0.8.2 included base skeleton hooks that were installed into /etc/nftables (sysconfdir). With 0.8.3 and newer these files were moved to the documentation area but apparently some users expect them to be there. Resurrect them. Signed-off-by: Florian Westphal <fw@strlen.de> --- Arturo, I know you don't like it but several users complained about this. I've kept the 'nft' extension in place and renamed families_and_hooks to all-in-one. Only the skeletons are restored, examples rulesets remain where they are. Makefile.am | 1 + configure.ac | 2 ++ files/Makefile.am | 1 + files/nftables/Makefile.am | 16 ++++++++++++++++ .../families_and_hooks.nft => nftables/all-in-one.nft} | 8 ++++++-- files/{examples => nftables}/arp-filter.nft | 2 +- files/{examples => nftables}/bridge-filter.nft | 2 +- files/{examples => nftables}/inet-filter.nft | 2 +- files/{examples => nftables}/ipv4-filter.nft | 2 +- files/{examples => nftables}/ipv4-mangle.nft | 2 +- files/{examples => nftables}/ipv4-nat.nft | 2 +- files/{examples => nftables}/ipv4-raw.nft | 2 +- files/{examples => nftables}/ipv6-filter.nft | 2 +- files/{examples => nftables}/ipv6-mangle.nft | 2 +- files/{examples => nftables}/ipv6-nat.nft | 2 +- files/{examples => nftables}/ipv6-raw.nft | 2 +- 16 files changed, 37 insertions(+), 13 deletions(-) create mode 100644 files/Makefile.am create mode 100644 files/nftables/Makefile.am rename files/{examples/families_and_hooks.nft => nftables/all-in-one.nft} (88%) rename files/{examples => nftables}/arp-filter.nft (87%) rename files/{examples => nftables}/bridge-filter.nft (91%) rename files/{examples => nftables}/inet-filter.nft (90%) rename files/{examples => nftables}/ipv4-filter.nft (90%) rename files/{examples => nftables}/ipv4-mangle.nft (79%) rename files/{examples => nftables}/ipv4-nat.nft (92%) rename files/{examples => nftables}/ipv4-raw.nft (87%) rename files/{examples => nftables}/ipv6-filter.nft (90%) rename files/{examples => nftables}/ipv6-mangle.nft 
(80%) rename files/{examples => nftables}/ipv6-nat.nft (93%) rename files/{examples => nftables}/ipv6-raw.nft (88%)