files: Add inet family nat config

Signed-off-by: Phil Sutter <phil@nwl.cc>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

diff --git a/files/nftables/Makefile.am b/files/nftables/Makefile.am
index a93b7978f62d4991f0b36e3e1f9d15e1c7a339de..2a511cd1729c1870b22df6a4a951fb0f6ac20473 100644 (file)
--- a/files/nftables/Makefile.am
+++ b/files/nftables/Makefile.am
@@ -3,6 +3,7 @@ dist_pkgsysconf_DATA =  all-in-one.nft          \
                        arp-filter.nft          \
                        bridge-filter.nft       \
                        inet-filter.nft         \
+                       inet-nat.nft            \
                        ipv4-filter.nft         \
                        ipv4-mangle.nft         \
                        ipv4-nat.nft            \

diff --git a/files/nftables/all-in-one.nft b/files/nftables/all-in-one.nft
index 4ccc043259c109281f4d7c2219967315c617de5e..d3aa7f37f29f1fb5e26246939d99788a6183b97c 100755 (executable)
--- a/files/nftables/all-in-one.nft
+++ b/files/nftables/all-in-one.nft
@@ -13,6 +13,7 @@ flush ruleset
 
 # native dual stack IPv4 & IPv6 family
 include "./inet-filter.nft"
+include "./inet-nat.nft"
 
 # netdev family at ingress hook. Attached to a given NIC
 include "./netdev-ingress.nft"

diff --git a/files/nftables/inet-nat.nft b/files/nftables/inet-nat.nft
new file mode 100755 (executable)
index 0000000..52fcdb5
--- /dev/null
+++ b/files/nftables/inet-nat.nft
@@ -0,0 +1,8 @@
+#!@sbindir@nft -f
+
+table inet nat {
+       chain prerouting        { type nat hook prerouting priority -100; }
+       chain input             { type nat hook input priority 100; }
+       chain output            { type nat hook output priority -100; }
+       chain postrouting       { type nat hook postrouting priority 100; }
+}