nftables: rearrange files and examples

Concatenate all family/hook examples into a single one by means of includes. Put all example files under examples/. Use the '.nft' prefix and mark them as executable files. Use a static shebang declaration, since these are examples meant for final systems and users. While at it, refresh also the sets_and_maps.nft example file and also add the 'netdev-ingress.nft' example file. Signed-off-by: Arturo Borrero Gonzalez <arturo@netfilter.org> Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>
author: Arturo Borrero Gonzalez <arturo@netfilter.org> 2018-02-24 22:06:19 +0100
committer: Pablo Neira Ayuso <pablo@netfilter.org> 2018-02-25 19:50:23 +0100
commit: 6c9230e79339ca4fd662855c84529fa92e962ca5 (patch)
tree: 9d34224c6e5a8799edde4a5a7fa20517b7ee630f /files
parent: 4d6ad0f310d6cc3a1d776d32d9d7d678017c6dd7 (diff)
16 files changed, 55 insertions, 32 deletions
diff --git a/files/Makefile.am b/files/Makefile.am
deleted file mode 100644
index a8394c06..00000000
--- a/files/Makefile.am
+++ /dev/null
@@ -1 +0,0 @@
-SUBDIRS = nftables
diff --git a/files/nftables/arp-filter b/files/examples/arp-filter.nft
index bcabf28a..13166bda 100644..100755
--- a/files/nftables/arp-filter
+++ b/files/examples/arp-filter.nft
@@ -1,4 +1,4 @@
-#! @sbindir@nft -f
+#!/usr/sbin/nft -f
 
 table arp filter {
 	chain input		{ type filter hook input priority 0; }
diff --git a/files/nftables/bridge-filter b/files/examples/bridge-filter.nft
index 2add455d..7e3cad40 100644..100755
--- a/files/nftables/bridge-filter
+++ b/files/examples/bridge-filter.nft
@@ -1,4 +1,4 @@
-#! @sbindir@nft -f
+#!/usr/sbin/nft -f
 
 table bridge filter {
 	chain input		{ type filter hook input priority -200; }
diff --git a/files/examples/families_and_hooks.nft b/files/examples/families_and_hooks.nft
new file mode 100755
index 00000000..e6d9ee23
--- /dev/null
+++ b/files/examples/families_and_hooks.nft
@@ -0,0 +1,32 @@
+#!/usr/sbin/nft -f
+
+# Here is an example of different families, hooks and priorities in the
+# nftables framework, all mixed together.
+# This script is mean to be loaded with `nft -f <file>`
+# For up-to-date information please visit http://wiki.nftables.org
+
+flush ruleset
+
+# native dual stack IPv4 & IPv6 family
+include "./inet-filter.nft"
+
+# netdev family at ingress hook. Attached to a given NIC
+include "./netdev-ingress.nft"
+
+# IPv4 family, typical iptables tables/chains layout
+include "./ipv4-filter.nft"
+include "./ipv4-mangle.nft"
+include "./ipv4-nat.nft"
+include "./ipv4-raw.nft"
+
+# IPv6 family, typical ip6tables tables/chains layout
+include "./ipv6-filter.nft"
+include "./ipv6-mangle.nft"
+include "./ipv6-nat.nft"
+include "./ipv6-raw.nft"
+
+# ARP family, typical arptables tables/chain layout
+include "./arp-filter.nft"
+
+# bridge family, typical ebtables tables/chain layout
+include "./bridge-filter.nft"
diff --git a/files/nftables/inet-filter b/files/examples/inet-filter.nft
index f572db59..e5c8c54f 100644..100755
--- a/files/nftables/inet-filter
+++ b/files/examples/inet-filter.nft
@@ -1,4 +1,4 @@
-#! @sbindir@nft -f
+#!/usr/sbin/nft -f
 
 table inet filter {
 	chain input		{ type filter hook input priority 0; }
diff --git a/files/nftables/ipv4-filter b/files/examples/ipv4-filter.nft
index a4ca7f25..73b11bc9 100644..100755
--- a/files/nftables/ipv4-filter
+++ b/files/examples/ipv4-filter.nft
@@ -1,4 +1,4 @@
-#! @sbindir@nft -f
+#!/usr/sbin/nft -f
 
 table filter {
 	chain input		{ type filter hook input priority 0; }
diff --git a/files/nftables/ipv4-mangle b/files/examples/ipv4-mangle.nft
index be564a51..2827ddfa 100644..100755
--- a/files/nftables/ipv4-mangle
+++ b/files/examples/ipv4-mangle.nft
@@ -1,4 +1,4 @@
-#! @sbindir@nft -f
+#!/usr/sbin/nft -f
 
 table mangle {
 	chain output		{ type route hook output priority -150; }
diff --git a/files/nftables/ipv4-nat b/files/examples/ipv4-nat.nft
index 130a729b..fd3bb40c 100644..100755
--- a/files/nftables/ipv4-nat
+++ b/files/examples/ipv4-nat.nft
@@ -1,4 +1,4 @@
-#! @sbindir@nft -f
+#!/usr/sbin/nft -f
 
 table nat {
 	chain prerouting	{ type nat hook prerouting priority -100; }
diff --git a/files/nftables/ipv4-raw b/files/examples/ipv4-raw.nft
index 19773ee8..91fc138b 100644..100755
--- a/files/nftables/ipv4-raw
+++ b/files/examples/ipv4-raw.nft
@@ -1,4 +1,4 @@
-#! @sbindir@nft -f
+#!/usr/sbin/nft -f
 
 table raw {
 	chain prerouting	{ type filter hook prerouting priority -300; }
diff --git a/files/nftables/ipv6-filter b/files/examples/ipv6-filter.nft
index ce4d7de2..21f06a38 100644..100755
--- a/files/nftables/ipv6-filter
+++ b/files/examples/ipv6-filter.nft
@@ -1,4 +1,4 @@
-#! @sbindir@nft -f
+#!/usr/sbin/nft -f
 
 table ip6 filter {
 	chain input		{ type filter hook input priority 0; }
diff --git a/files/nftables/ipv6-mangle b/files/examples/ipv6-mangle.nft
index fa32402a..e92dbef6 100644..100755
--- a/files/nftables/ipv6-mangle
+++ b/files/examples/ipv6-mangle.nft
@@ -1,4 +1,4 @@
-#! @sbindir@nft -f
+#!/usr/sbin/nft -f
 
 table ip6 mangle {
 	chain output		{ type route hook output priority -150; }
diff --git a/files/nftables/ipv6-nat b/files/examples/ipv6-nat.nft
index e7816860..7437c193 100644..100755
--- a/files/nftables/ipv6-nat
+++ b/files/examples/ipv6-nat.nft
@@ -1,4 +1,4 @@
-#! @sbindir@nft -f
+#!/usr/sbin/nft -f
 
 table ip6 nat {
 	chain prerouting	{ type nat hook prerouting priority -100; }
diff --git a/files/nftables/ipv6-raw b/files/examples/ipv6-raw.nft
index 5ee56a83..812703aa 100644..100755
--- a/files/nftables/ipv6-raw
+++ b/files/examples/ipv6-raw.nft
@@ -1,4 +1,4 @@
-#! @sbindir@nft -f
+#!/usr/sbin/nft -f
 
 table ip6 raw {
 	chain prerouting	{ type filter hook prerouting priority -300; }
diff --git a/files/examples/netdev-ingress.nft b/files/examples/netdev-ingress.nft
new file mode 100755
index 00000000..2585d154
--- /dev/null
+++ b/files/examples/netdev-ingress.nft
@@ -0,0 +1,7 @@
+#!/usr/sbin/nft -f
+
+# mind the NIC, it must exists
+table netdev filter {
+        chain loinput { type filter hook ingress device lo priority 0; }
+}
+
diff --git a/files/examples/sets_and_maps b/files/examples/sets_and_maps.nft
index 58369a31..f5157b3b 100755
--- a/files/examples/sets_and_maps
+++ b/files/examples/sets_and_maps.nft
@@ -1,7 +1,8 @@
-#! /sbin/nft -nf
-#
-# Examples of set and map usage
-#
+#!/usr/sbin/nft -f
+
+# This example file shows how to use sets and maps in the nftables framework.
+# This script is meant to be loaded with `nft -f <file>`
+# For up-to-date information please visit http://wiki.nftables.org
 
 # symbolic anonymous set definition built from symbolic singleton definitions
 define int_if1	 = eth0
diff --git a/files/nftables/Makefile.am b/files/nftables/Makefile.am
deleted file mode 100644
index 77d5c2a6..00000000
--- a/files/nftables/Makefile.am
+++ /dev/null
@@ -1,16 +0,0 @@
-
-pkgsysconfdir = ${sysconfdir}/nftables
-dist_pkgsysconf_DATA =	arp-filter	\
-			bridge-filter	\
-			inet-filter	\
-			ipv4-filter	\
-			ipv4-mangle	\
-			ipv4-nat	\
-			ipv4-raw	\
-			ipv6-filter	\
-			ipv6-mangle	\
-			ipv6-nat	\
-			ipv6-raw
-
-install-data-hook:
-	${SED} -i 's|@sbindir[@]|${sbindir}/|g' ${DESTDIR}${pkgsysconfdir}/*
author	Arturo Borrero Gonzalez <arturo@netfilter.org>	2018-02-24 22:06:19 +0100
committer	Pablo Neira Ayuso <pablo@netfilter.org>	2018-02-25 19:50:23 +0100
commit	6c9230e79339ca4fd662855c84529fa92e962ca5 (patch)
tree	9d34224c6e5a8799edde4a5a7fa20517b7ee630f /files
parent	4d6ad0f310d6cc3a1d776d32d9d7d678017c6dd7 (diff)