ports/core (3.7): nftables: 1.0.1 -> 1.0.2; added rc script and basic workstation config
commit 98cb12a46d4112fb19dbcc7da3807970e5a5f75d Author: Tim Biermann <tbier@posteo.de> Date: Sun Feb 27 20:25:16 2022 +0100 nftables: 1.0.1 -> 1.0.2; added rc script and basic workstation config
diff --git a/nftables/.footprint b/nftables/.footprint
index 861c6905..ecab0231 100644
--- a/nftables/.footprint
+++ b/nftables/.footprint
@@ -1,3 +1,7 @@
+drwxr-xr-x root/root etc/
+-rw------- root/root etc/nftables
+drwxr-xr-x root/root etc/rc.d/
+-rwxr-xr-x root/root etc/rc.d/nftables
 drwxr-xr-x root/root usr/
 drwxr-xr-x root/root usr/bin/
 -rwxr-xr-x root/root usr/bin/nft
@@ -5,7 +9,6 @@ drwxr-xr-x root/root usr/include/
 drwxr-xr-x root/root usr/include/nftables/
 -rw-r--r-- root/root usr/include/nftables/libnftables.h
 drwxr-xr-x root/root usr/lib/
--rw-r--r-- root/root usr/lib/libnftables.a
 -rwxr-xr-x root/root usr/lib/libnftables.la
 lrwxrwxrwx root/root usr/lib/libnftables.so -> libnftables.so.1.1.0
 lrwxrwxrwx root/root usr/lib/libnftables.so.1 -> libnftables.so.1.1.0
diff --git a/nftables/.signature b/nftables/.signature
index 144a4166..98af9d6c 100644
--- a/nftables/.signature
+++ b/nftables/.signature
@@ -1,5 +1,7 @@
 untrusted comment: verify with /etc/ports/core.pub
-RWRJc1FUaeVeqm+wXOg9imExDNpCDJSgIshdn/nq6aLY9h5NMbCHO3arouEYkCdl8tlYkIKaMYA/ampNt1ZKBfzKvZ1yp5lO7Q8=
-SHA256 (Pkgfile) = abc8149e3f6ce1745460efb442fcffa062af5a21d6ef03d293cfa0c29bf3083a
-SHA256 (.footprint) = 3eea0a22379683df5e19a85c598de3239f0d164f12dab13fd92f47f8814bb8ec
-SHA256 (nftables-1.0.1.tar.bz2) = 3ceeba625818e81a0be293e9dd486c3ef799ebd92165270f1e57e9a201efa423
+RWRJc1FUaeVequyrayFxmb4qEYfhFnVANxKLcwo54FiDZkShnwtpttwwQmLmKtKxVcmOvCRzmEN2ntoiELusRLdzj3QHVDQZ3QY=
+SHA256 (Pkgfile) = d9fc665e5b361b5d758e305b703683d39614c1038105e898e573efeb0339922a
+SHA256 (.footprint) = 3af190e6dd19a2b16968ea5375f46752c0920b9c5711a62f8dd0fdad6dc95480
+SHA256 (nftables-1.0.2.tar.bz2) = 0b28a36ffcf4567b841de7bd3f37918b1fed27859eb48bdec51e1f7a83954c02
+SHA256 (nftables.conf) = bdbf69d9a32d7821e000b25ef115490c4efe03ae8ef08efa2b63a4dc239a2424
+SHA256 (nftables.init) = 919dbe340e40ea8b3a79e4270a7ada2d4125af46b5e4c73fb3cb231a8f06a5de
diff --git a/nftables/Pkgfile b/nftables/Pkgfile
index e9e87362..ab4093cb 100644
--- a/nftables/Pkgfile
+++ b/nftables/Pkgfile
@@ -4,9 +4,10 @@
 # Depends on: jansson libedit libgmp libnftnl python3
 name=nftables
-version=1.0.1
+version=1.0.2
 release=1
-source=(https://www.netfilter.org/pub/nftables/nftables-$version.tar.bz2)
+source=(https://www.netfilter.org/pub/nftables/nftables-$version.tar.bz2
+	nftables.conf nftables.init)
 build() {
 	cd $name-$version
@@ -19,13 +20,16 @@ build() {
 		--sysconfdir=/usr/share \
 		--with-json \
 		--with-cli=readline \
-		--disable-debug \
-		--with-python-bin=/usr/bin/python3
+		--with-python-bin=/usr/bin/python3 \
+		--disable-debug
 	make
 	make DESTDIR=$PKG install
 	/usr/bin/python3 -m compileall -d / $PKG/usr/lib
 	/usr/bin/python3 -O -m compileall -d / $PKG/usr/lib
+	install -D -m 755 $SRC/nftables.init $PKG/etc/rc.d/nftables
+	install -D -m 600 $SRC/nftables.conf $PKG/etc/nftables
+	rm -r $PKG/usr/share/doc
 }
diff --git a/nftables/nftables.conf b/nftables/nftables.conf
new file mode 100644
index 00000000..0129c9f6
--- /dev/null
+++ b/nftables/nftables.conf
@@ -0,0 +1,21 @@
+#!/usr/bin/nft -f
+
+## This is a basic workstation configuration based on
+## https://wiki.nftables.org/wiki-nftables/index.php/Simple_ruleset_for_a_works...
+
+flush ruleset
+
+table ip filter {
+	chain input {
+		type filter hook input priority 0; policy drop;
+
+		# accept any localhost traffic
+		iif lo accept
+
+		# accept traffic originated from us
+		ct state established,related accept
+
+		# accept traffic originated from us
+		tcp dport 22 accept comment "Accept SSH on port 22"
+	}
+}
diff --git a/nftables/nftables.init b/nftables/nftables.init
new file mode 100644
index 00000000..48f66036
--- /dev/null
+++ b/nftables/nftables.init
@@ -0,0 +1,54 @@
+#!/bin/sh
+#
+# /etc/rc.d/nftables: start/stop nftables
+#
+
+PROG=/usr/bin/nft
+CONF=/etc/nftables
+LOADOPTS="-f"
+SHOWOPTS="-s list ruleset"
+RESETRULES="flush ruleset"
+
+_store() {
+	umask 022
+	NFTABLES_STORE=${2:-'/etc/nftables'}
+	tmp_save="${NFTABLES_STORE}.tmp"
+	$PROG $SHOWOPTS > "$tmp_save"
+	retval=$?
+	if [ ${retval} ]; then
+		mv "${tmp_save}" "${NFTABLES_STORE}"
+	fi
+	unset NFTABLES_STORE tmp_save retval
+}
+
+case $1 in
+	start)
+		$PROG $LOADOPTS $CONF
+		;;
+	stop)
+		$PROG "$RESETRULES"
+		;;
+	restart)
+		$0 stop
+		$0 start
+		;;
+	status)
+		if [ "$($PROG $SHOWOPTS | head -c1 | wc -c )" -ne 0 ]; then
+			printf '%s\n' \
+				"Some rules are loaded, view them with \"$PROG $SHOWOPTS\"."
+		else
+			printf '%s\n' "There are no rules loaded!"
+		fi
+		;;
+	show)
+		$PROG $SHOWOPTS
+		;;
+	store)
+		_store "$2"
+		;;
+	*)
+		echo "Usage: $0 [start|stop|restart|status|show|store]"
+		;;
+esac
+
+# End of file
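Review bot: The ruleset is declared as `table ip filter`, which the `ip` family restricts to IPv4, so the `policy drop` on `chain input` does nothing for IPv6 and a host with IPv6 connectivity has its IPv6 input unfiltered by this "basic workstation" configuration. Declaring it as `table inet filter {` applies the same chain to both families; if that is done, ICMPv6 will presumably need an explicit accept rule for neighbour discovery to keep working, which is worth confirming against the upstream wiki page the header cites. Separately, the comment above `tcp dport 22 accept` repeats `# accept traffic originated from us`, which describes the `ct state` rule above it rather than inbound SSH; `# accept inbound SSH` says what the rule does.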
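Review bot: `_store` ignores the path it is given and replaces the ruleset file even when `nft` fails. The `store)` arm calls `_store "$2"`, so inside the function the requested path is `$1`, yet `NFTABLES_STORE=${2:-'/etc/nftables'}` reads `$2`, which is never set there; and `if [ ${retval} ]; then` tests for a non-empty string, which `$?` always is, so a failed `$PROG $SHOWOPTS` still moves a truncated `.tmp` file over `/etc/nftables`. Change the two lines to `NFTABLES_STORE=${1:-$CONF}` and `if [ "$retval" -eq 0 ]; then`, and remove `$tmp_save` in an `else` branch so a failed save leaves no stray file beside the config. The file is also created under `umask 022`, so after the `mv` the saved ruleset is world-readable, whereas the Pkgfile installs `/etc/nftables` with mode 600; `umask 077` keeps the replacement as private as the original.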