Add base set of nftables rules

2022-11-01 13:23:37 +00:00 · 2022-11-01 13:23:37 +00:00 · c438930075
parent eb62a3f4c8
commit c438930075
27 changed files with 42 additions and 6 deletions
--- a/main/nnd-nft/APKBUILD
+++ b/main/nnd-nft/APKBUILD
@ -3,9 +3,14 @@

 . ../../APKBUILD.template

-pkgrel=0
+pkgrel=3
 pkgdesc="Basic generic nftables template"
 options="!check" # check requires root?
+subpackages=""
+
+for i in "$startdir"/nft/inet/nnd-base/*/*/*/*; do
+	subpackages="$subpackages $pkgname-$(echo "${i##*/nft/inet/nnd-base/}" | sed 's/\//-/g'):_mod"
+done

 check() {
 	msg "Checking if commands are valid"
@ -22,3 +27,8 @@ package() {
 	mkdir -p "$pkgdir"/etc/nnd
 	cp -r "$builddir"/nft "$pkgdir"/etc/nnd/nftables
 }
+
+_mod() {
+	local _modname="${subpkgname##$pkgname-}"
+	amove etc/nnd/nftables/inet/nnd-base/"$(echo $_modname | sed 's/-/\//g')"
+}
--- a/main/nnd-nft/nft/inet/nnd-base/filter/input/all
+++ b/main/nnd-nft/nft/inet/nnd-base/filter/input/all
@ -0,0 +1,5 @@
+include "inet/nnd-base/filter/input/ct/*";
+include "inet/nnd-base/filter/input/icmp/*";
+include "inet/nnd-base/filter/input/iface/*";
+include "inet/nnd-base/filter/input/udp/*";
+include "inet/nnd-base/filter/input/tcp/*";
--- a/main/nnd-nft/nft/inet/nnd-base/filter/input/ct/established
+++ b/main/nnd-nft/nft/inet/nnd-base/filter/input/ct/established
@ -0,0 +1 @@
+ct state established accept;
--- a/main/nnd-nft/nft/inet/nnd-base/filter/input/ct/invalid
+++ b/main/nnd-nft/nft/inet/nnd-base/filter/input/ct/invalid
@ -0,0 +1 @@
+ct state invalid counter drop;
--- a/main/nnd-nft/nft/inet/nnd-base/filter/input/ct/related
+++ b/main/nnd-nft/nft/inet/nnd-base/filter/input/ct/related
@ -0,0 +1 @@
+ct state related accept;
--- a/main/nnd-nft/nft/inet/nnd-base/filter/input/icmp/v4
+++ b/main/nnd-nft/nft/inet/nnd-base/filter/input/icmp/v4
@ -0,0 +1 @@
+ip protocol icmp counter accept;
--- a/main/nnd-nft/nft/inet/nnd-base/filter/input/icmp/v6
+++ b/main/nnd-nft/nft/inet/nnd-base/filter/input/icmp/v6
@ -0,0 +1 @@
+ip6 nexthdr icmpv6 counter accept;
--- a/main/nnd-nft/nft/inet/nnd-base/filter/input/iface/lo
+++ b/main/nnd-nft/nft/inet/nnd-base/filter/input/iface/lo
@ -0,0 +1 @@
+iifname lo accept;
--- a/main/nnd-nft/nft/inet/nnd-base/filter/input/tcp/10809
+++ b/main/nnd-nft/nft/inet/nnd-base/filter/input/tcp/10809
@ -0,0 +1 @@
+tcp dport 10809 counter accept;
--- a/main/nnd-nft/nft/inet/nnd-base/filter/input/tcp/143
+++ b/main/nnd-nft/nft/inet/nnd-base/filter/input/tcp/143
@ -0,0 +1 @@
+tcp dport 143 counter accept;
--- a/main/nnd-nft/nft/inet/nnd-base/filter/input/tcp/22
+++ b/main/nnd-nft/nft/inet/nnd-base/filter/input/tcp/22
@ -0,0 +1 @@
+tcp dport 22 counter accept;
--- a/main/nnd-nft/nft/inet/nnd-base/filter/input/tcp/25
+++ b/main/nnd-nft/nft/inet/nnd-base/filter/input/tcp/25
@ -0,0 +1 @@
+tcp dport 25 counter accept;
--- a/main/nnd-nft/nft/inet/nnd-base/filter/input/tcp/443
+++ b/main/nnd-nft/nft/inet/nnd-base/filter/input/tcp/443
@ -0,0 +1 @@
+tcp dport 443 counter accept;
--- a/main/nnd-nft/nft/inet/nnd-base/filter/input/tcp/465
+++ b/main/nnd-nft/nft/inet/nnd-base/filter/input/tcp/465
@ -0,0 +1 @@
+tcp dport 465 counter accept;
--- a/main/nnd-nft/nft/inet/nnd-base/filter/input/tcp/51413
+++ b/main/nnd-nft/nft/inet/nnd-base/filter/input/tcp/51413
@ -0,0 +1 @@
+tcp dport 51413 counter accept;
--- a/main/nnd-nft/nft/inet/nnd-base/filter/input/tcp/53
+++ b/main/nnd-nft/nft/inet/nnd-base/filter/input/tcp/53
@ -0,0 +1 @@
+tcp dport 53 counter accept;
--- a/main/nnd-nft/nft/inet/nnd-base/filter/input/tcp/587
+++ b/main/nnd-nft/nft/inet/nnd-base/filter/input/tcp/587
@ -0,0 +1 @@
+tcp dport 587 counter accept;
--- a/main/nnd-nft/nft/inet/nnd-base/filter/input/tcp/64738
+++ b/main/nnd-nft/nft/inet/nnd-base/filter/input/tcp/64738
@ -0,0 +1 @@
+tcp dport 64738 counter accept;
--- a/main/nnd-nft/nft/inet/nnd-base/filter/input/tcp/7777
+++ b/main/nnd-nft/nft/inet/nnd-base/filter/input/tcp/7777
@ -0,0 +1 @@
+tcp dport 7777 counter accept;
--- a/main/nnd-nft/nft/inet/nnd-base/filter/input/tcp/80
+++ b/main/nnd-nft/nft/inet/nnd-base/filter/input/tcp/80
@ -0,0 +1 @@
+tcp dport 80 counter accept;
--- a/main/nnd-nft/nft/inet/nnd-base/filter/input/tcp/993
+++ b/main/nnd-nft/nft/inet/nnd-base/filter/input/tcp/993
@ -0,0 +1 @@
+tcp dport 993 counter accept;
--- a/main/nnd-nft/nft/inet/nnd-base/filter/input/udp/26000
+++ b/main/nnd-nft/nft/inet/nnd-base/filter/input/udp/26000
@ -0,0 +1 @@
+tcp dport 26000 counter accept;
--- a/main/nnd-nft/nft/inet/nnd-base/filter/input/udp/51413
+++ b/main/nnd-nft/nft/inet/nnd-base/filter/input/udp/51413
@ -0,0 +1 @@
+tcp dport 51413 counter accept;
--- a/main/nnd-nft/nft/inet/nnd-base/filter/input/udp/51820
+++ b/main/nnd-nft/nft/inet/nnd-base/filter/input/udp/51820
@ -0,0 +1 @@
+tcp dport 51820 counter accept;
--- a/main/nnd-nft/nft/inet/nnd-base/filter/input/udp/53
+++ b/main/nnd-nft/nft/inet/nnd-base/filter/input/udp/53
@ -0,0 +1 @@
+tcp dport 53 counter accept;
--- a/main/nnd-nft/nft/inet/nnd-base/filter/input/udp/64783
+++ b/main/nnd-nft/nft/inet/nnd-base/filter/input/udp/64783
@ -0,0 +1 @@
+tcp dport 64783 counter accept;
--- a/main/nnd-nft/nft/inet/nnd-base/table
+++ b/main/nnd-nft/nft/inet/nnd-base/table
@ -1,17 +1,14 @@
 table inet nnd-base {
 	chain rxfilter {
 		type filter hook input priority 0;
-		policy reject;
-
-		ct state invalid counter drop;
-		icmpx            counter accept;
+		policy drop;

 		include "inet/nnd-base/filter/input/*";
 		counter reject with icmpx type admin-prohibited;
 	}
 	chain fwfilter {
 		type filter hook forward priority 0;
-		policy reject;
+		policy drop;
 		include "inet/nnd-base/filter/forward/*";
 		counter reject with icmpx type no-route;
 	}