[skip-ci] nftables: imported from CCR to build firewalld, #88

2025-01-23 09:22:12 +08:00 · 2018-11-15 16:01:20 +01:00 · 2018-11-15 16:01:20 +01:00 · c74f5b9ec6
commit c74f5b9ec6
parent 81be5ab121
3 changed files with 104 additions and 0 deletions
--- a/nftables/PKGBUILD
+++ b/nftables/PKGBUILD
@ -0,0 +1,51 @@
+
+pkgname=nftables
+pkgver=0.9.0
+pkgrel=2
+pkgdesc='Netfilter tables userspace tools'
+arch=('x86_64')
+url='https://netfilter.org/projects/nftables/'
+license=('GPL2')
+depends=('libmnl' 'libnftnl' 'gmp' 'readline' 'ncurses')
+makedepends=('docbook2x')
+backup=('etc/nftables.conf')
+source=("https://netfilter.org/projects/nftables/files/nftables-$pkgver.tar.bz2"
+        'nftables.conf'
+        'nftables.service')
+sha1sums=('a3463fc6589c08631ec3f306f6db7f0905249542'
+          '7869aa31ac802922073310ffd4cbbc16450171e5'
+          '59185e947ebfd599954800ad2c774171b3f4cd58')
+
+prepare() {
+  cd $pkgname-$pkgver
+  # apply patch from the source array (should be a pacman feature)
+  local filename
+  for filename in "${source[@]}"; do
+    if [[ "$filename" =~ \.patch$ ]]; then
+      msg2 "Applying patch ${filename##*/}"
+      patch -p1 -N -i "$srcdir/${filename##*/}"
+    fi
+  done
+  :
+}
+
+build() {
+  cd $pkgname-$pkgver
+  ./configure \
+    --prefix=/usr \
+    --sbindir=/usr/bin \
+    --sysconfdir=/usr/share \
+    CONFIG_MAN=y DB2MAN=docbook2man
+  make
+}
+
+package() {
+  pushd $pkgname-$pkgver
+  make DESTDIR="$pkgdir" install
+  popd
+  # basic safe firewall config
+  install -Dm644 nftables.conf "$pkgdir/etc/nftables.conf"
+  # systemd
+  install -Dm644 nftables.service "$pkgdir/usr/lib/systemd/system/nftables.service"
+}
+
--- a/nftables/nftables.conf
+++ b/nftables/nftables.conf
@ -0,0 +1,38 @@
+#!/usr/bin/nft -f
+# ipv4/ipv6 Simple & Safe Firewall
+# you can find examples in /usr/share/nftables/
+
+table inet filter {
+  chain input {
+    type filter hook input priority 0;
+
+    # allow established/related connections
+    ct state {established, related} accept
+
+    # early drop of invalid connections
+    ct state invalid drop
+
+    # allow from loopback
+    iifname lo accept
+
+    # allow icmp
+    ip protocol icmp accept
+    ip6 nexthdr icmpv6 accept
+
+    # allow ssh
+    tcp dport ssh accept
+
+    # everything else
+    reject with icmpx type port-unreachable
+  }
+  chain forward {
+    type filter hook forward priority 0;
+    drop
+  }
+  chain output {
+    type filter hook output priority 0;
+  }
+
+}
+
+# vim:set ts=2 sw=2 et:
--- a/nftables/nftables.service
+++ b/nftables/nftables.service
@ -0,0 +1,15 @@
+[Unit]
+Description=Netfilter Tables
+Documentation=man:nft(8)
+Wants=network-pre.target
+Before=network-pre.target
+
+[Service]
+Type=oneshot
+ExecStart=/usr/bin/nft -f /etc/nftables.conf
+ExecReload=/usr/bin/nft flush ruleset ';' include '"/etc/nftables.conf"'
+ExecStop=/usr/bin/nft flush ruleset
+RemainAfterExit=yes
+
+[Install]
+WantedBy=multi-user.target