rpms/nftables
5
0
Fork 0
Code Issues Pull Requests Releases Activity

Ship a more advanced default config. Fixes rhbz#1999596

Browse Source
This commit is contained in:
Phil Sutter 2022-02-03 18:17:59 +01:00
parent 9b907271ec
commit de6fc1c6f7
5 changed files with 133 additions and 23 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

64
main.nft Normal file
View File

@ -0,0 +1,64 @@
# Sample configuration for nftables service.
# Load this by calling 'nft -f /etc/nftables/main.nft'.
# Note about base chain priorities:
# The priority values used in these sample configs are
# offset by 20 in order to avoid ambiguity when firewalld
# is also running which uses an offset of 10. This means
# that packets will traverse firewalld first and if not
# dropped/rejected there will hit the chains defined here.
# Chains created by iptables, ebtables and arptables tools
# do not use an offset, so those chains are traversed first
# in any case.
# drop any existing nftables ruleset
flush ruleset
# a common table for both IPv4 and IPv6
table inet nftables_svc {
# protocols to allow
set allowed_protocols {
type inet_proto
elements = { icmp, icmpv6 }
}
# interfaces to accept any traffic on
set allowed_interfaces {
type ifname
elements = { "lo" }
}
# services to allow
set allowed_tcp_dports {
type inet_service
elements = { ssh, 9090 }
}
# this chain gathers all accept conditions
chain allow {
ct state established,related accept
meta l4proto @allowed_protocols accept
iifname @allowed_interfaces accept
tcp dport @allowed_tcp_dports accept
}
# base-chain for traffic to this host
chain INPUT {
type filter hook input priority filter + 20
policy accept
jump allow
reject with icmpx type port-unreachable
}
}
# By default, any forwarding traffic is allowed.
# Uncomment the following line to filter it based
# on the same criteria as input traffic.
#include "/etc/nftables/router.nft"
# Uncomment the following line to enable masquerading of
# forwarded traffic. May be used with or without router.nft.
#include "/etc/nftables/nat.nft"

30
nat.nft Normal file
View File

@ -0,0 +1,30 @@
# Sample configuration snippet for nftables service.
# Meant to be included by main.nft, not for direct use.
# dedicated table for IPv4
table ip nftables_svc {
# interfaces to masquerade traffic from
set masq_interfaces {
type ifname
elements = { "virbr0" }
}
# networks to masquerade traffic from
# 'interval' flag is required to support subnets
set masq_ips {
type ipv4_addr
flags interval
elements = { 192.168.122.0/24 }
}
# base-chain to manipulate conntrack in postrouting,
# will see packets for new or related traffic only
chain POSTROUTING {
type nat hook postrouting priority srcnat + 20
policy accept
iifname @masq_interfaces oifname != @masq_interfaces masquerade
ip saddr @masq_ips masquerade
}
}

25
nftables.conf
View File

@ -1,17 +1,8 @@
# # Uncomment the include statement here to load the default config sample
# This file will contain your nftables rules and # in /etc/nftables for nftables service.
# is read by the systemd service when restarting
# #include "/etc/nftables/main.nft"
# These provide an iptables like set of filters
# (uncomment to include) # To customize, either edit the samples in /etc/nftables, append further
# include "/etc/nftables/arp-filter.nft" # commands to the end of this file or overwrite it after first service
# include "/etc/nftables/bridge-filter.nft" # start by calling: 'nft list ruleset >/etc/sysconfig/nftables.conf'.
# include "/etc/nftables/inet-filter.nft"
# include "/etc/nftables/ipv4-filter.nft"
# include "/etc/nftables/ipv4-mangle.nft"
# include "/etc/nftables/ipv4-nat.nft"
# include "/etc/nftables/ipv4-raw.nft"
# include "/etc/nftables/ipv6-filter.nft"
# include "/etc/nftables/ipv6-mangle.nft"
# include "/etc/nftables/ipv6-nat.nft"
# include "/etc/nftables/ipv6-raw.nft"

21
nftables.spec
View File

@ -1,6 +1,6 @@
Name: nftables Name: nftables
Version: 1.0.1 Version: 1.0.1
Release: 2%{?dist} Release: 3%{?dist}
# Upstream released a 0.100 version, then 0.4. Need Epoch to get back on track. # Upstream released a 0.100 version, then 0.4. Need Epoch to get back on track.
Epoch: 1 Epoch: 1
Summary: Netfilter Tables userspace utilites Summary: Netfilter Tables userspace utilites
@ -10,6 +10,9 @@ URL: https://netfilter.org/projects/nftables/
Source0: %{url}/files/%{name}-%{version}.tar.bz2 Source0: %{url}/files/%{name}-%{version}.tar.bz2
Source1: nftables.service Source1: nftables.service
Source2: nftables.conf Source2: nftables.conf
Source3: main.nft
Source4: router.nft
Source5: nat.nft
# already upstream at https://git.netfilter.org/nftables/commit/?id=8492878961248b4b53fa97383c7c1b15d7062947 # already upstream at https://git.netfilter.org/nftables/commit/?id=8492878961248b4b53fa97383c7c1b15d7062947
Patch1: nftables-1.0.1-drop-historyh.patch Patch1: nftables-1.0.1-drop-historyh.patch
@ -71,6 +74,9 @@ find $RPM_BUILD_ROOT -name '*.la' -exec rm -f {} ';'
# Don't ship static lib (for now at least) # Don't ship static lib (for now at least)
rm -f $RPM_BUILD_ROOT/%{_libdir}/libnftables.a rm -f $RPM_BUILD_ROOT/%{_libdir}/libnftables.a
# drop vendor-provided configs, they are not really useful
rm -f $RPM_BUILD_ROOT/%{_datadir}/nftables/*.nft
chmod 644 $RPM_BUILD_ROOT/%{_mandir}/man8/nft* chmod 644 $RPM_BUILD_ROOT/%{_mandir}/man8/nft*
mkdir -p $RPM_BUILD_ROOT/%{_unitdir} mkdir -p $RPM_BUILD_ROOT/%{_unitdir}
@ -78,13 +84,13 @@ cp -a %{SOURCE1} $RPM_BUILD_ROOT/%{_unitdir}/
mkdir -p $RPM_BUILD_ROOT/%{_sysconfdir}/sysconfig mkdir -p $RPM_BUILD_ROOT/%{_sysconfdir}/sysconfig
cp -a %{SOURCE2} $RPM_BUILD_ROOT/%{_sysconfdir}/sysconfig/ cp -a %{SOURCE2} $RPM_BUILD_ROOT/%{_sysconfdir}/sysconfig/
chmod 600 $RPM_BUILD_ROOT/%{_sysconfdir}/sysconfig/nftables.conf
mkdir -m 700 -p $RPM_BUILD_ROOT/%{_sysconfdir}/nftables cp %{SOURCE3} %{SOURCE4} %{SOURCE5} \
mv $RPM_BUILD_ROOT/%{_datadir}/nftables/*.nft \
$RPM_BUILD_ROOT/%{_sysconfdir}/nftables/ $RPM_BUILD_ROOT/%{_sysconfdir}/nftables/
chmod 600 $RPM_BUILD_ROOT/%{_sysconfdir}/nftables/*.nft
chmod 700 $RPM_BUILD_ROOT/%{_sysconfdir}/nftables find $RPM_BUILD_ROOT/%{_sysconfdir} \
\( -type d -exec chmod 0700 {} \; \) , \
\( -type f -exec chmod 0600 {} \; \)
# make nftables.py use the real library file name # make nftables.py use the real library file name
# to avoid nftables-devel package dependency # to avoid nftables-devel package dependency
@ -125,6 +131,9 @@ sed -i -e 's/\(sofile=\)".*"/\1"'$sofile'"/' \
%{python3_sitelib}/nftables/ %{python3_sitelib}/nftables/
%changelog %changelog
* Thu Feb 03 2022 Phil Sutter <psutter@redhat.com> - 1:1.0.1-3
- Ship a more advanced default config. Fixes rhbz#1999596
* Thu Jan 20 2022 Fedora Release Engineering <releng@fedoraproject.org> - 1:1.0.1-2 * Thu Jan 20 2022 Fedora Release Engineering <releng@fedoraproject.org> - 1:1.0.1-2
- Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild - Rebuilt for https://fedoraproject.org/wiki/Fedora_36_Mass_Rebuild

16
router.nft Normal file
View File

@ -0,0 +1,16 @@
# Sample configuration snippet for nftables service.
# Meant to be included by main.nft, not for direct use.
# a common table for both IPv4 and IPv6
table inet nftables_svc {
# base-chain for traffic forwarded by this host
# re-uses 'allow' chain from main.nft
chain FORWARD {
type filter hook forward priority filter + 20
policy accept
jump allow
reject with icmpx type host-unreachable
}
}