From c74f5b9ec6de7fffa13fbdeaa0338413f9f28dab Mon Sep 17 00:00:00 2001
From: Francesco Marinucci
Date: Thu, 15 Nov 2018 16:01:20 +0100
Subject: [PATCH] [skip-ci] nftables: imported from CCR to build firewalld, #88
---
 nftables/PKGBUILD | 51 +++++++++++++++++++++++++++++++++++++++
 nftables/nftables.conf | 38 +++++++++++++++++++++++++++++
 nftables/nftables.service | 15 ++++++++++++
 3 files changed, 104 insertions(+)
 create mode 100644 nftables/PKGBUILD
 create mode 100644 nftables/nftables.conf
 create mode 100644 nftables/nftables.service
diff --git a/nftables/PKGBUILD b/nftables/PKGBUILD
new file mode 100644
index 000000000..2f1949f8a
--- /dev/null
+++ b/nftables/PKGBUILD
@@ -0,0 +1,51 @@
+
+pkgname=nftables
+pkgver=0.9.0
+pkgrel=2
+pkgdesc='Netfilter tables userspace tools'
+arch=('x86_64')
+url='https://netfilter.org/projects/nftables/'
+license=('GPL2')
+depends=('libmnl' 'libnftnl' 'gmp' 'readline' 'ncurses')
+makedepends=('docbook2x')
+backup=('etc/nftables.conf')
+source=("https://netfilter.org/projects/nftables/files/nftables-$pkgver.tar.bz2"
+ 'nftables.conf'
+ 'nftables.service')
+sha1sums=('a3463fc6589c08631ec3f306f6db7f0905249542'
+ '7869aa31ac802922073310ffd4cbbc16450171e5'
+ '59185e947ebfd599954800ad2c774171b3f4cd58')
+
+prepare() {
+ cd $pkgname-$pkgver
+ # apply patch from the source array (should be a pacman feature)
+ local filename
+ for filename in "${source[@]}"; do
+ if [[ "$filename" =~ \.patch$ ]]; then
+ msg2 "Applying patch ${filename##*/}"
+ patch -p1 -N -i "$srcdir/${filename##*/}"
+ fi
+ done
+ :
+}
+
+build() {
+ cd $pkgname-$pkgver
+ ./configure \
+ --prefix=/usr \
+ --sbindir=/usr/bin \
+ --sysconfdir=/usr/share \
+ CONFIG_MAN=y DB2MAN=docbook2man
+ make
+}
+
+package() {
+ pushd $pkgname-$pkgver
+ make DESTDIR="$pkgdir" install
+ popd
+ # basic safe firewall config
+ install -Dm644 nftables.conf "$pkgdir/etc/nftables.conf"
+ # systemd
+ install -Dm644 nftables.service "$pkgdir/usr/lib/systemd/system/nftables.service"
+}
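Review bot: The source tarball is integrity-checked only with SHA-1 (`sha1sums=(...)`); for a package that installs the host firewall the build input deserves the stronger `sha256sums` array that makepkg supports, i.e. replace the three entries with `sha256sums=('<sha256 of nftables-0.9.0.tar.bz2>' '<sha256 of nftables.conf>' '<sha256 of nftables.service>')` computed from trusted copies, and if upstream publishes a detached signature for the tarball, add it to `source` and pin the signing key in `validpgpkeys`. Separately, `prepare()` iterates `source` looking for `*.patch` entries but none exist, so the loop and the trailing `:` are dead code; either drop the function or keep it with a comment saying it is retained for future patches. Style: the `cd`/`pushd` arguments `$pkgname-$pkgver` are unquoted, whereas `"$pkgname-$pkgver"` would match the quoting already used for `$srcdir` and `$pkgdir` in the same file.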
diff --git a/nftables/nftables.conf b/nftables/nftables.conf
new file mode 100644
index 000000000..2d3063758
--- /dev/null
+++ b/nftables/nftables.conf
@@ -0,0 +1,38 @@
+#!/usr/bin/nft -f
+# ipv4/ipv6 Simple & Safe Firewall
+# you can find examples in /usr/share/nftables/
+
+table inet filter {
+ chain input {
+ type filter hook input priority 0;
+
+ # allow established/related connections
+ ct state {established, related} accept
+
+ # early drop of invalid connections
+ ct state invalid drop
+
+ # allow from loopback
+ iifname lo accept
+
+ # allow icmp
+ ip protocol icmp accept
+ ip6 nexthdr icmpv6 accept
+
+ # allow ssh
+ tcp dport ssh accept
+
+ # everything else
+ reject with icmpx type port-unreachable
+ }
+ chain forward {
+ type filter hook forward priority 0;
+ drop
+ }
+ chain output {
+ type filter hook output priority 0;
+ }
+
+}
+
+# vim:set ts=2 sw=2 et:
diff --git a/nftables/nftables.service b/nftables/nftables.service
new file mode 100644
index 000000000..6305b625c
--- /dev/null
+++ b/nftables/nftables.service
@@ -0,0 +1,15 @@
+[Unit]
+Description=Netfilter Tables
+Documentation=man:nft(8)
+Wants=network-pre.target
+Before=network-pre.target
+
+[Service]
+Type=oneshot
+ExecStart=/usr/bin/nft -f /etc/nftables.conf
+ExecReload=/usr/bin/nft flush ruleset ';' include '"/etc/nftables.conf"'
+ExecStop=/usr/bin/nft flush ruleset
+RemainAfterExit=yes
+
+[Install]
+WantedBy=multi-user.target
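Review bot: The ICMPv6 rule `ip6 nexthdr icmpv6 accept` inspects only the Next Header field of the fixed IPv6 header, so ICMPv6 packets that carry an extension header (hop-by-hop, fragment) ahead of the ICMPv6 header are not matched and fall through to the final `reject`, which can break neighbour discovery and path-MTU handling on IPv6 hosts. Use the transport-protocol match, `meta l4proto ipv6-icmp accept` (or fold both into `meta l4proto { icmp, ipv6-icmp } accept`), which follows the extension-header chain. As defence in depth, state the default policy in the `input` and `forward` chain headers, `type filter hook input priority 0; policy drop;`, rather than relying solely on the trailing `reject` rule and the bare `drop` rule, and extend the "Simple & Safe" header comment with a line such as `# note: tcp dport ssh accept exposes SSH on every interface` so an installer sees what the shipped default opens.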
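Review bot: `ExecStart=/usr/bin/nft -f /etc/nftables.conf` loads the file on top of whatever ruleset is already present, while `ExecReload` flushes first; if a ruleset survived from an earlier run (a crash where `ExecStop` never ran, or a manual `nft -f`), re-applying the file appears to append the rules again rather than replace them, so start is not idempotent and the effective ruleset drifts from the file. Make start mirror reload, `ExecStart=/usr/bin/nft flush ruleset ';' include '"/etc/nftables.conf"'`, or have the shipped nftables.conf begin with `flush ruleset`; in both forms the flush and the load are submitted in one nft invocation, so a file that fails to parse should leave the previous ruleset in place rather than an empty one. `ExecStop` removes the whole ruleset and leaves the host unfiltered, which is the intended stop semantics but worth making visible with a comment above it, `# stopping the unit removes all filtering`.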