Add nnd-nft nftables base

2022-10-28 08:52:58 +00:00 · 2022-10-28 08:52:58 +00:00 · eb62a3f4c8
commit eb62a3f4c8
parent 68c0b5a035
4 changed files with 87 additions and 0 deletions
--- a/APKBUILD.template
+++ b/APKBUILD.template
@ -0,0 +1,15 @@
+pkgname="${startdir##*/}"                   # Usually the package name is the same as the directory
+pkgver="$(date +'%Y.%m.%d')"                # Use current date as fallback
+url="https://git.redxen.eu/nnd"             # Upstream for package info
+arch="noarch"                               # Most things aren't arch specific
+license="none"                              # Can you even license configs?
+options="!check"                            # Usually software doesn't provide tests
+builddir="$srcdir"                          #
+
+_replace() {
+	sed -i -- "s/$1/$(printf "%s" "$2" | sed 's/[&/\]/\\&/g')/g" "$3"
+}
+
+_cpkgdir() {
+	echo "${subpkgdir:-${pkgdir}}"
+}
--- a/main/nnd-nft/APKBUILD
+++ b/main/nnd-nft/APKBUILD
@ -0,0 +1,24 @@
+# Contributor: Alex Denes <caskd@redxen.eu>
+# Maintainer: Alex Denes <caskd@redxen.eu>
+
+. ../../APKBUILD.template
+
+pkgrel=0
+pkgdesc="Basic generic nftables template"
+options="!check" # check requires root?
+
+check() {
+	msg "Checking if commands are valid"
+	nft -c -I "$builddir/nft" -f "$builddir"/nft/loadall
+}
+
+prepare() {
+	default_prepare
+
+	cp -r "$startdir"/nft "$builddir"/nft # abuild doesn't support hierarchical includes yet, no hashes will be computed
+}
+
+package() {
+	mkdir -p "$pkgdir"/etc/nnd
+	cp -r "$builddir"/nft "$pkgdir"/etc/nnd/nftables
+}
--- a/main/nnd-nft/nft/inet/nnd-base/table
+++ b/main/nnd-nft/nft/inet/nnd-base/table
@ -0,0 +1,43 @@
+table inet nnd-base {
+	chain rxfilter {
+		type filter hook input priority 0;
+		policy reject;
+
+		ct state invalid counter drop;
+		icmpx            counter accept;
+
+		include "inet/nnd-base/filter/input/*";
+		counter reject with icmpx type admin-prohibited;
+	}
+	chain fwfilter {
+		type filter hook forward priority 0;
+		policy reject;
+		include "inet/nnd-base/filter/forward/*";
+		counter reject with icmpx type no-route;
+	}
+	chain txfilter {
+		type filter hook output priority 0;
+		policy accept;
+		include "inet/nnd-base/filter/output/*";
+	}
+	chain prenat {
+		type nat hook prerouting priority -100;
+		policy accept;
+		include "inet/nnd-base/nat/prerouting/*";
+	}
+	chain rxnat {
+		type nat hook input priority 100;
+		policy accept;
+		include "inet/nnd-base/nat/input/*";
+	}
+	chain txnat {
+		type nat hook output priority -100;
+		policy accept;
+		include "inet/nnd-base/nat/output/*";
+	}
+	chain postnat {
+		type nat hook postrouting priority 100;
+		policy accept;
+		include "inet/nnd-base/nat/postrouting/*";
+	}
+}
--- a/main/nnd-nft/nft/loadall
+++ b/main/nnd-nft/nft/loadall
@ -0,0 +1,5 @@
+#!/usr/sbin/nft -f
+
+flush ruleset;
+
+include "*/*/table";