From eb62a3f4c83201188df9d729a86e6b5cd1f4274e Mon Sep 17 00:00:00 2001
From: Alex Denes
Date: Fri, 28 Oct 2022 08:52:58 +0000
Subject: [PATCH] Add nnd-nft nftables base

---
 APKBUILD.template | 15 ++++++++++
 main/nnd-nft/APKBUILD | 24 ++++++++++++++++
 main/nnd-nft/nft/inet/nnd-base/table | 43 ++++++++++++++++++++++++++++
 main/nnd-nft/nft/loadall | 5 ++++
 4 files changed, 87 insertions(+)
 create mode 100644 APKBUILD.template
 create mode 100644 main/nnd-nft/APKBUILD
 create mode 100644 main/nnd-nft/nft/inet/nnd-base/table
 create mode 100644 main/nnd-nft/nft/loadall

diff --git a/APKBUILD.template b/APKBUILD.template
new file mode 100644
index 0000000..7434a9c
--- /dev/null
+++ b/APKBUILD.template
@@ -0,0 +1,15 @@
+pkgname="${startdir##*/}" # Usually the package name is the same as the directory
+pkgver="$(date +'%Y.%m.%d')" # Use current date as fallback
+url="https://git.redxen.eu/nnd" # Upstream for package info
+arch="noarch" # Most things aren't arch specific
+license="none" # Can you even license configs?
+options="!check" # Usually software doesn't provide tests
+builddir="$srcdir" #
+
+_replace() {
+ sed -i -- "s/$1/$(printf "%s" "$2" | sed 's/[&/\]/\\&/g')/g" "$3"
+}
+
+_cpkgdir() {
+ echo "${subpkgdir:-${pkgdir}}"
+}
diff --git a/main/nnd-nft/APKBUILD b/main/nnd-nft/APKBUILD
new file mode 100644
index 0000000..33a28d3
--- /dev/null
+++ b/main/nnd-nft/APKBUILD
@@ -0,0 +1,24 @@
+# Contributor: Alex Denes
+# Maintainer: Alex Denes
+
+. ../../APKBUILD.template
+
+pkgrel=0
+pkgdesc="Basic generic nftables template"
+options="!check" # check requires root?
+
+check() {
+ msg "Checking if commands are valid"
+ nft -c -I "$builddir/nft" -f "$builddir"/nft/loadall
+}
+
+prepare() {
+ default_prepare
+
+ cp -r "$startdir"/nft "$builddir"/nft # abuild doesn't support hierarchical includes yet, no hashes will be computed
+}
+
+package() {
+ mkdir -p "$pkgdir"/etc/nnd
+ cp -r "$builddir"/nft "$pkgdir"/etc/nnd/nftables
+}
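Review bot: `_replace()` escapes only the replacement text (`$2`) before handing it to sed; the pattern `$1` is interpolated raw into `s/$1/…/g`, so a `/` in the first argument breaks the expression and `.`, `*`, `[`, `^`, `$` or `\` make it a regex rather than the literal string the name suggests. Escape the pattern the same way, e.g. `pat="$(printf '%s' "$1" | sed 's/[][\.*^$/]/\\&/g')"` followed by `sed -i -- "s/$pat/$(printf "%s" "$2" | sed 's/[&/\]/\\&/g')/g" "$3"`. Two smaller points: `pkgver="$(date +'%Y.%m.%d')"` makes two builds of the same tree produce different versions, which the comment accepts as a fallback but is worth stating for anyone pinning versions, and `builddir="$srcdir" #` ends in an empty comment that could say why the default is overridden (e.g. `# nothing is unpacked, build directly in srcdir`).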
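Review bot: `options="!check"` in main/nnd-nft/APKBUILD repeats the value the sourced template already sets, and with it the `check()` defined four lines later never runs, so the ruleset shipped in `nft/` is never parsed by `nft -c` before packaging and `check()` is effectively dead code. The trailing `# check requires root?` leaves the reason as a question; it could be settled by running `nft -c -I nft -f nft/loadall` once as the unprivileged build user, and if it really does need netlink access the comment should say so rather than ask, e.g. `# nft -c still opens a netlink socket, which the build user lacks; run check manually as root`. If it does not need root, drop the `options=` line here so the template's value and this check() agree.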
diff --git a/main/nnd-nft/nft/inet/nnd-base/table b/main/nnd-nft/nft/inet/nnd-base/table
new file mode 100644
index 0000000..bfa4c79
--- /dev/null
+++ b/main/nnd-nft/nft/inet/nnd-base/table
@@ -0,0 +1,43 @@
+table inet nnd-base {
+ chain rxfilter {
+ type filter hook input priority 0;
+ policy reject;
+
+ ct state invalid counter drop;
+ icmpx counter accept;
+
+ include "inet/nnd-base/filter/input/*";
+ counter reject with icmpx type admin-prohibited;
+ }
+ chain fwfilter {
+ type filter hook forward priority 0;
+ policy reject;
+ include "inet/nnd-base/filter/forward/*";
+ counter reject with icmpx type no-route;
+ }
+ chain txfilter {
+ type filter hook output priority 0;
+ policy accept;
+ include "inet/nnd-base/filter/output/*";
+ }
+ chain prenat {
+ type nat hook prerouting priority -100;
+ policy accept;
+ include "inet/nnd-base/nat/prerouting/*";
+ }
+ chain rxnat {
+ type nat hook input priority 100;
+ policy accept;
+ include "inet/nnd-base/nat/input/*";
+ }
+ chain txnat {
+ type nat hook output priority -100;
+ policy accept;
+ include "inet/nnd-base/nat/output/*";
+ }
+ chain postnat {
+ type nat hook postrouting priority 100;
+ policy accept;
+ include "inet/nnd-base/nat/postrouting/*";
+ }
+}
diff --git a/main/nnd-nft/nft/loadall b/main/nnd-nft/nft/loadall
new file mode 100644
index 0000000..d9a7bbc
--- /dev/null
+++ b/main/nnd-nft/nft/loadall
@@ -0,0 +1,5 @@
+#!/usr/sbin/nft -f
+
+flush ruleset;
+
+include "*/*/table";
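Review bot: `policy reject;` in `rxfilter` and again in `fwfilter` is not valid nftables syntax — a base chain policy is either `accept` or `drop` — so loading this table should fail at parse time, and because `check()` is disabled in the APKBUILD that is not caught during the build. Both chains already end in an explicit `counter reject with icmpx type …` rule, so the intended behaviour is kept by changing the fallback to `policy drop;` in both; the reject rule stays the effective last word and the policy only covers what slips past it. The input chain as written has no `ct state established,related accept` and no loopback accept of its own, so return traffic for outbound connections is rejected unless the files under `inet/nnd-base/filter/input/*` add those rules; presumably that is the intended split, and a comment above that include, e.g. `# stateful/loopback accepts are expected from filter/input/*`, would make the contract explicit for whoever populates the directory.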
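Review bot: `include "*/*/table"` is a relative path, and nft resolves relative includes against the `-I` directories (or the compiled-in default, normally `/etc`), not against the directory of the including file; the `check()` in the APKBUILD supplies `-I "$builddir/nft"` for exactly that reason, but the installed `/etc/nnd/nftables/loadall` run through its `#!/usr/sbin/nft -f` shebang has no such option. As far as I recall a glob include that matches nothing is accepted silently, so the likely outcome is `flush ruleset` followed by no tables at all — the host ends up with no filter rules rather than an error. The shebang cannot carry `-I` too, since Linux passes everything after the interpreter as one argument, so document the intended invocation next to it, e.g. `# load with: nft -I /etc/nnd/nftables -f /etc/nnd/nftables/loadall`. Separately, `flush ruleset` also removes tables created by other tools on the host; if that is not intended, flushing only `inet nnd-base` would be the narrower option.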