nftables and placeholders

- check for dummy files too
- nftables ruledir and rulefile customizable via envdir

main/nnd-nft/APKBUILD

@@ -3,9 +3,14 @@
 
 . ../../APKBUILD.template
 
-pkgrel=0
+pkgrel=3
 pkgdesc="Basic generic nftables template"
 options="!check" # check requires root?
+subpackages=""
+
+for i in "$startdir"/nft/inet/nnd-base/*/*/*/*; do
+	subpackages="$subpackages $pkgname-$(echo "${i##*/nft/inet/nnd-base/}" | sed 's/\//-/g'):_mod"
+done
 
 check() {
 	msg "Checking if commands are valid"
@@ -22,3 +27,8 @@ package() {
 	mkdir -p "$pkgdir"/etc/nnd
 	cp -r "$builddir"/nft "$pkgdir"/etc/nnd/nftables
 }
+
+_mod() {
+	local _modname="${subpkgname##$pkgname-}"
+	amove etc/nnd/nftables/inet/nnd-base/"$(echo $_modname | sed 's/-/\//g')"
+}

main/nnd-nft/nft/inet/nnd-base/filter/input/all

@@ -0,0 +1,5 @@
+include "inet/nnd-base/filter/input/ct/*";
+include "inet/nnd-base/filter/input/icmp/*";
+include "inet/nnd-base/filter/input/iface/*";
+include "inet/nnd-base/filter/input/udp/*";
+include "inet/nnd-base/filter/input/tcp/*";

main/nnd-nft/nft/inet/nnd-base/filter/input/ct/established

@@ -0,0 +1 @@
+ct state established accept;

main/nnd-nft/nft/inet/nnd-base/filter/input/ct/invalid

@@ -0,0 +1 @@
+ct state invalid counter drop;

main/nnd-nft/nft/inet/nnd-base/filter/input/ct/related

@@ -0,0 +1 @@
+ct state related accept;

main/nnd-nft/nft/inet/nnd-base/filter/input/icmp/v4

@@ -0,0 +1 @@
+ip protocol icmp counter accept;

main/nnd-nft/nft/inet/nnd-base/filter/input/icmp/v6

@@ -0,0 +1 @@
+ip6 nexthdr icmpv6 counter accept;

main/nnd-nft/nft/inet/nnd-base/filter/input/iface/lo

@@ -0,0 +1 @@
+iifname lo accept;

main/nnd-nft/nft/inet/nnd-base/filter/input/tcp/10809

@@ -0,0 +1 @@
+tcp dport 10809 counter accept;

main/nnd-nft/nft/inet/nnd-base/filter/input/tcp/143

@@ -0,0 +1 @@
+tcp dport 143 counter accept;

main/nnd-nft/nft/inet/nnd-base/filter/input/tcp/22

@@ -0,0 +1 @@
+tcp dport 22 counter accept;

main/nnd-nft/nft/inet/nnd-base/filter/input/tcp/25

@@ -0,0 +1 @@
+tcp dport 25 counter accept;

main/nnd-nft/nft/inet/nnd-base/filter/input/tcp/443

@@ -0,0 +1 @@
+tcp dport 443 counter accept;

main/nnd-nft/nft/inet/nnd-base/filter/input/tcp/465

@@ -0,0 +1 @@
+tcp dport 465 counter accept;

main/nnd-nft/nft/inet/nnd-base/filter/input/tcp/51413

@@ -0,0 +1 @@
+tcp dport 51413 counter accept;

main/nnd-nft/nft/inet/nnd-base/filter/input/tcp/53

@@ -0,0 +1 @@
+tcp dport 53 counter accept;

main/nnd-nft/nft/inet/nnd-base/filter/input/tcp/587

@@ -0,0 +1 @@
+tcp dport 587 counter accept;

main/nnd-nft/nft/inet/nnd-base/filter/input/tcp/64738

@@ -0,0 +1 @@
+tcp dport 64738 counter accept;

main/nnd-nft/nft/inet/nnd-base/filter/input/tcp/7777

@@ -0,0 +1 @@
+tcp dport 7777 counter accept;

main/nnd-nft/nft/inet/nnd-base/filter/input/tcp/80

@@ -0,0 +1 @@
+tcp dport 80 counter accept;

main/nnd-nft/nft/inet/nnd-base/filter/input/tcp/993

@@ -0,0 +1 @@
+tcp dport 993 counter accept;

main/nnd-nft/nft/inet/nnd-base/filter/input/udp/26000

@@ -0,0 +1 @@
+tcp dport 26000 counter accept;

main/nnd-nft/nft/inet/nnd-base/filter/input/udp/51413

@@ -0,0 +1 @@
+tcp dport 51413 counter accept;

main/nnd-nft/nft/inet/nnd-base/filter/input/udp/51820

@@ -0,0 +1 @@
+tcp dport 51820 counter accept;

main/nnd-nft/nft/inet/nnd-base/filter/input/udp/53

@@ -0,0 +1 @@
+tcp dport 53 counter accept;

main/nnd-nft/nft/inet/nnd-base/filter/input/udp/64783

@@ -0,0 +1 @@
+tcp dport 64783 counter accept;

main/nnd-nft/nft/inet/nnd-base/table

@@ -1,17 +1,14 @@
 table inet nnd-base {
 	chain rxfilter {
 		type filter hook input priority 0;
-		policy reject;
-
-		ct state invalid counter drop;
-		icmpx            counter accept;
+		policy drop;
 
 		include "inet/nnd-base/filter/input/*";
 		counter reject with icmpx type admin-prohibited;
 	}
 	chain fwfilter {
 		type filter hook forward priority 0;
-		policy reject;
+		policy drop;
 		include "inet/nnd-base/filter/forward/*";
 		counter reject with icmpx type no-route;
 	}

main/nnd-s6-services/APKBUILD

@@ -1,12 +1,11 @@
 # Contributor: Alex Denes <caskd@redxen.eu>
 # Maintainer: Alex Denes <caskd@redxen.eu>
+. ../../APKBUILD.template
+
 pkgname=nnd-s6-services
-pkgver=1.6
+pkgver=1.8
 pkgrel=0
 pkgdesc="Base services for s6"
-url="none"
-arch="noarch"
-license="MIT"
 depends="s6-rc s6-portable-utils s6-linux-utils"
 builddir="$srcdir/"
 _distpfx="etc/s6/dist"

main/nnd-s6-services/env/nftables/RULEDIR

@@ -0,0 +1 @@
+/etc/nnd/nftables/

main/nnd-s6-services/env/nftables/RULESET

@@ -0,0 +1 @@
+/etc/nnd/nftables/loadall

main/nnd-s6-services/manage.sh

@@ -60,7 +60,7 @@ distdefs() {
 	for cdir in "$SDIR"/*; do
 		local srv="${cdir##*/}"
 		local dsv="$DPATH/$srv"
-		if [ ! -d "$dsv" ]; then
+		if [ ! -e "$dsv" ]; then
 			ln -sv "$cdir" "$dsv" || ERR="$?" error "Failed to create reference"
 		fi
 	done

main/nnd-s6-services/rc/nftables/up

@@ -1,12 +1,14 @@
 #!/bin/execlineb -P
 s6-envdir -i /etc/s6/env/path
 importas -i PATH PATH
+s6-envdir -i /etc/s6/env/nftables
+importas -i RULESET RULESET
+importas -i RULEDIR RULEDIR
 emptyenv
 
 export PATH $PATH
-define RULESET /etc/nftables/core.nft
 
 fdclose 1
 fdclose 2
 
-exec nft -f ${RULESET}
+exec nft -I $RULEDIR -f $RULESET