Add nnd-nft nftables base

This commit is contained in:
Alex D. 2022-10-28 08:52:58 +00:00
parent 68c0b5a035
commit eb62a3f4c8
Signed by: caskd
GPG Key ID: F92BA85F61F4C173
4 changed files with 87 additions and 0 deletions

APKBUILD.template Normal file

@ -0,0 +1,15 @@
pkgname="${startdir##*/}" # Usually the package name is the same as the directory
pkgver="$(date +'%Y.%m.%d')" # Use current date as fallback
url="https://git.redxen.eu/nnd" # Upstream for package info
arch="noarch" # Most things aren't arch specific
license="none" # Can you even license configs?
options="!check" # Usually software doesn't provide tests
builddir="$srcdir" #
_replace() {
sed -i -- "s/$1/$(printf "%s" "$2" | sed 's/[&/\]/\\&/g')/g" "$3"
}
_cpkgdir() {
echo "${subpkgdir:-${pkgdir}}"
}
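Review bot: `_replace` escapes only the replacement `$2`; the pattern `$1` is spliced into the `s/…/…/g` expression verbatim, so a `/` in it breaks the expression and `.`, `*`, `[`, `^` or `$` are interpreted as regex metacharacters rather than matched literally, which is surprising for a helper whose name suggests a plain string replace. Escaping the pattern with the usual BRE idiom before building the expression keeps the interface and makes both sides literal. Separately, `pkgver` taken from `date` means two builds of the same tree get different versions; if the comment's "fallback" means each package is expected to override it, a one-line note saying so in the template would help.
```shell
_replace() {
    # Escape BRE metacharacters so "$1" is matched literally
    pat="$(printf '%s' "$1" | sed 's/[]\/$*.^[]/\\&/g')"
    # Escape &, / and \ so "$2" is inserted literally
    rep="$(printf '%s' "$2" | sed 's/[&/\]/\\&/g')"
    sed -i -- "s/$pat/$rep/g" "$3"
}
```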

main/nnd-nft/APKBUILD Normal file

@ -0,0 +1,24 @@
# Contributor: Alex Denes <caskd@redxen.eu>
# Maintainer: Alex Denes <caskd@redxen.eu>
. ../../APKBUILD.template
pkgrel=0
pkgdesc="Basic generic nftables template"
options="!check" # check requires root?
check() {
msg "Checking if commands are valid"
nft -c -I "$builddir/nft" -f "$builddir"/nft/loadall
}
prepare() {
default_prepare
cp -r "$startdir"/nft "$builddir"/nft # abuild doesn't support hierarchical includes yet, no hashes will be computed
}
package() {
mkdir -p "$pkgdir"/etc/nnd
cp -r "$builddir"/nft "$pkgdir"/etc/nnd/nftables
}
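Review bot: `options="!check"` disables the `check()` defined directly below it, so the `nft -c` validation of the shipped ruleset never runs and a ruleset that fails to parse is packaged unnoticed; the template sourced on the line above already sets `!check`, so this line only restates it. The comment hedges on whether `-c` needs privileges — that is worth verifying once in the build environment, and if a dry-run check works unprivileged the override can simply be dropped so the check runs; otherwise the reason should be stated, e.g. `# nft -c needs CAP_NET_ADMIN in this builder; run check() manually before release`. Also, `package()` installs under `/etc/nnd/nftables` with whatever modes `cp -r` carries over from the checkout, so the installed files' permissions depend on the repository's rather than being set explicitly.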


@ -0,0 +1,43 @@
table inet nnd-base {
chain rxfilter {
type filter hook input priority 0;
policy reject;
ct state invalid counter drop;
icmpx counter accept;
include "inet/nnd-base/filter/input/*";
counter reject with icmpx type admin-prohibited;
}
chain fwfilter {
type filter hook forward priority 0;
policy reject;
include "inet/nnd-base/filter/forward/*";
counter reject with icmpx type no-route;
}
chain txfilter {
type filter hook output priority 0;
policy accept;
include "inet/nnd-base/filter/output/*";
}
chain prenat {
type nat hook prerouting priority -100;
policy accept;
include "inet/nnd-base/nat/prerouting/*";
}
chain rxnat {
type nat hook input priority 100;
policy accept;
include "inet/nnd-base/nat/input/*";
}
chain txnat {
type nat hook output priority -100;
policy accept;
include "inet/nnd-base/nat/output/*";
}
chain postnat {
type nat hook postrouting priority 100;
policy accept;
include "inet/nnd-base/nat/postrouting/*";
}
}
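Review bot: the `rxfilter` chain has no rule accepting loopback or established/related traffic before its final `counter reject`, so unless every deployment's `filter/input/*` include supplies them, replies to the host's own outbound connections and all loopback traffic are rejected; as a base table it would be safer to carry `iif lo accept;` and `ct state established,related counter accept;` right after the `ct state invalid counter drop;` line. The same consideration applies to `fwfilter` for forwarded return traffic. As far as I know a base chain `policy` accepts only `accept` or `drop`, so `policy reject;` in `rxfilter` and `fwfilter` may be refused by the parser — and because `check()` is disabled in the APKBUILD that would not surface at build time, so it is worth confirming with `nft -c`. The file header for this section is missing from the page; I assume it is the `table` file that `loadall` pulls in via `*/*/table`.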

main/nnd-nft/nft/loadall Normal file

@ -0,0 +1,5 @@
#!/usr/sbin/nft -f
flush ruleset;
include "*/*/table";