Add nnd-nft nftables base
This commit is contained in:
parent
68c0b5a035
commit
eb62a3f4c8
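--- /dev/null
+++ b/PATH_NOT_SHOWN_1
@@ -0,0 +1,15 @@
+pkgname="${startdir##*/}" # Usually the package name is the same as the directory
+pkgver="$(date +'%Y.%m.%d')" # Use current date as fallback
+url="https://git.redxen.eu/nnd" # Upstream for package info
+arch="noarch" # Most things aren't arch specific
+license="none" # Can you even license configs?
+options="!check" # Usually software doesn't provide tests
+builddir="$srcdir" #
+
+_replace() {
+sed -i -- "s/$1/$(printf "%s" "$2" | sed 's/[&/\]/\\&/g')/g" "$3"
+}
+
+_cpkgdir() {
+echo "${subpkgdir:-${pkgdir}}"
+}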
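Review bot: In `_replace`, only the replacement text (`$2`) is escaped before being spliced into the sed expression; the search pattern `$1` is interpolated raw, so a `/` in it terminates the `s///` expression and `.`, `*`, `[`, `^` or `$` act as regex metacharacters, making a "literal" substitution match more than intended or fail with a sed syntax error. Since this is a template helper that other APKBUILDs will feed arbitrary strings into, escape the pattern the same way: `sed -i -- "s/$(printf '%s' "$1" | sed 's/[][\.*^$/]/\\&/g')/$(printf '%s' "$2" | sed 's/[&/\]/\\&/g')/g" "$3"`. It is also worth a comment on the function stating that `$1` is treated as a literal string, not a regex, so callers do not come to depend on the current behaviour. The dangling `#` after `builddir="$srcdir"` looks like an unfinished comment and should either say why the default is overridden or be dropped.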
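--- /dev/null
+++ b/PATH_NOT_SHOWN_2
@@ -0,0 +1,24 @@
+# Contributor: Alex Denes <caskd@redxen.eu>
+# Maintainer: Alex Denes <caskd@redxen.eu>
+
+. ../../APKBUILD.template
+
+pkgrel=0
+pkgdesc="Basic generic nftables template"
+options="!check" # check requires root?
+
+check() {
+msg "Checking if commands are valid"
+nft -c -I "$builddir/nft" -f "$builddir"/nft/loadall
+}
+
+prepare() {
+default_prepare
+
+cp -r "$startdir"/nft "$builddir"/nft # abuild doesn't support hierarchical includes yet, no hashes will be computed
+}
+
+package() {
+mkdir -p "$pkgdir"/etc/nnd
+cp -r "$builddir"/nft "$pkgdir"/etc/nnd/nftables
+}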
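Review bot: `options="!check"` disables the `check()` defined directly below it, so the ruleset that `package()` installs under `/etc/nnd/nftables` is never parsed by `nft -c` during the build, and a syntax error in the shipped files only surfaces when the firewall fails to load on a host. The template sourced above already sets the same option, so this line adds nothing except the open question in its comment. Whether `nft -c` needs netlink privileges inside the build sandbox is worth testing rather than guessing: if it runs unprivileged, drop this line so the parse check gates the package; if it does not, replace the comment with the observed error, e.g. `options="!check" # nft -c fails unprivileged in abuild: <error seen>`, so the next maintainer does not re-enable it blindly. The `prepare()` comment about hashes not being computed should also say that the nft files are taken from the aports checkout itself, since that is the only integrity guarantee the package has for them.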
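--- /dev/null
+++ b/PATH_NOT_SHOWN_3
@@ -0,0 +1,43 @@
+table inet nnd-base {
+chain rxfilter {
+type filter hook input priority 0;
+policy reject;
+
+ct state invalid counter drop;
+icmpx counter accept;
+
+include "inet/nnd-base/filter/input/*";
+counter reject with icmpx type admin-prohibited;
+}
+chain fwfilter {
+type filter hook forward priority 0;
+policy reject;
+include "inet/nnd-base/filter/forward/*";
+counter reject with icmpx type no-route;
+}
+chain txfilter {
+type filter hook output priority 0;
+policy accept;
+include "inet/nnd-base/filter/output/*";
+}
+chain prenat {
+type nat hook prerouting priority -100;
+policy accept;
+include "inet/nnd-base/nat/prerouting/*";
+}
+chain rxnat {
+type nat hook input priority 100;
+policy accept;
+include "inet/nnd-base/nat/input/*";
+}
+chain txnat {
+type nat hook output priority -100;
+policy accept;
+include "inet/nnd-base/nat/output/*";
+}
+chain postnat {
+type nat hook postrouting priority 100;
+policy accept;
+include "inet/nnd-base/nat/postrouting/*";
+}
+}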
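Review bot: `policy reject;` in rxfilter, and again in fwfilter, is not a valid base-chain policy — as far as I know nft's grammar accepts only `accept` or `drop` there — so `nft -f` rejects the whole file at parse time, and because check() is disabled in the APKBUILD the package ships a ruleset that cannot load. Use `policy drop;` in both chains; the explicit terminal `counter reject with icmpx type ...` rules already give the intended reject behaviour for packets that fall through, and the policy only matters if one of them is removed. Separately, the input chain has no `ct state established,related accept` and no loopback accept, so unless a fragment under filter/input supplies them, replies to the host's own outbound connections and all loopback traffic hit the final reject; if that is not meant to be delegated to includes, add `iif lo accept;` and `ct state established,related counter accept;` ahead of the icmpx line. A header comment naming which rules the include directories are expected to provide would make that contract explicit for whoever drops fragments in.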
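--- /dev/null
+++ b/PATH_NOT_SHOWN_4
@@ -0,0 +1,5 @@
+#!/usr/sbin/nft -f
+
+flush ruleset;
+
+include "*/*/table";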
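Review bot: `flush ruleset;` followed by a wildcard `include "*/*/table";` fails open: the relative glob is resolved against nft's include search path (`-I`, then the default include directory), not against the directory this file lives in, so invoking the file via its shebang without the `-I` that check() passes resolves the pattern somewhere else, and if I am right that nft treats an unmatched wildcard include as non-fatal the result is a flushed, empty ruleset with no error. Either hard-code the install location that package() uses, `include "/etc/nnd/nftables/*/*/table";`, accepting that check() then needs to match it, or keep the relative form and document the required invocation at the top of the file, e.g. `# Load with: nft -I /etc/nnd/nftables -f /etc/nnd/nftables/loadall (globs resolve against -I, not this directory)`. `flush ruleset` also discards tables owned by other tools on the host, which deserves a one-line comment so it is a deliberate choice rather than a surprise.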