nftables: rearrange files and examples

Concatenate all family/hook examples into a single one by means of includes.

Put all example files under examples/. Use the '.nft' prefix and mark
them as executable files. Use a static shebang declaration, since these
are examples meant for final systems and users.

While at it, refresh also the sets_and_maps.nft example file and also
add the 'netdev-ingress.nft' example file.

Signed-off-by: Arturo Borrero Gonzalez <arturo@netfilter.org>
Signed-off-by: Pablo Neira Ayuso <pablo@netfilter.org>

diff --git a/Makefile.am b/Makefile.am
index 10aa40f14127fc03f050ad333f27d065b4a53279..5ef61be6dfecbfa82bd9ce9e03f7d97b02ed66c9 100644 (file)
--- a/Makefile.am
+++ b/Makefile.am
@@ -2,7 +2,7 @@ ACLOCAL_AMFLAGS = -I m4
 
 SUBDIRS =      src     \
                include \
-               doc     \
-               files
+               doc
 
-EXTRA_DIST =   tests
+EXTRA_DIST =   tests   \
+               files

diff --git a/configure.ac b/configure.ac
index 1a386535ed8b0ad125db60f851f80eeb15615fac..408a6bc37f7bcce536c885930f05e3d57fa0ae8d 100644 (file)
--- a/configure.ac
+++ b/configure.ac
@@ -140,8 +140,6 @@ AC_CONFIG_FILES([                                   \
                include/linux/netfilter_ipv4/Makefile   \
                include/linux/netfilter_ipv6/Makefile   \
                doc/Makefile                            \
-               files/Makefile                          \
-               files/nftables/Makefile                 \
                ])
 AC_OUTPUT
 

diff --git a/files/Makefile.am b/files/Makefile.am
deleted file mode 100644 (file)
index a8394c0..0000000
--- a/files/Makefile.am
+++ /dev/null
@@ -1 +0,0 @@
-SUBDIRS = nftables

diff --git a/files/nftables/arp-filter b/files/examples/arp-filter.nft
old mode 100644 (file)
new mode 100755 (executable)
similarity index 87%
rename from files/nftables/arp-filter
rename to files/examples/arp-filter.nft
index bcabf28..13166bd
--- a/files/nftables/arp-filter
+++ b/files/examples/arp-filter.nft
@@ -1,4 +1,4 @@
-#! @sbindir@nft -f
+#!/usr/sbin/nft -f
 
 table arp filter {
        chain input             { type filter hook input priority 0; }

diff --git a/files/nftables/bridge-filter b/files/examples/bridge-filter.nft
old mode 100644 (file)
new mode 100755 (executable)
similarity index 91%
rename from files/nftables/bridge-filter
rename to files/examples/bridge-filter.nft
index 2add455..7e3cad4
--- a/files/nftables/bridge-filter
+++ b/files/examples/bridge-filter.nft
@@ -1,4 +1,4 @@
-#! @sbindir@nft -f
+#!/usr/sbin/nft -f
 
 table bridge filter {
        chain input             { type filter hook input priority -200; }

diff --git a/files/examples/families_and_hooks.nft b/files/examples/families_and_hooks.nft
new file mode 100755 (executable)
index 0000000..e6d9ee2
--- /dev/null
+++ b/files/examples/families_and_hooks.nft
@@ -0,0 +1,32 @@
+#!/usr/sbin/nft -f
+
+# Here is an example of different families, hooks and priorities in the
+# nftables framework, all mixed together.
+# This script is mean to be loaded with `nft -f <file>`
+# For up-to-date information please visit https://wiki.nftables.org
+
+flush ruleset
+
+# native dual stack IPv4 & IPv6 family
+include "./inet-filter.nft"
+
+# netdev family at ingress hook. Attached to a given NIC
+include "./netdev-ingress.nft"
+
+# IPv4 family, typical iptables tables/chains layout
+include "./ipv4-filter.nft"
+include "./ipv4-mangle.nft"
+include "./ipv4-nat.nft"
+include "./ipv4-raw.nft"
+
+# IPv6 family, typical ip6tables tables/chains layout
+include "./ipv6-filter.nft"
+include "./ipv6-mangle.nft"
+include "./ipv6-nat.nft"
+include "./ipv6-raw.nft"
+
+# ARP family, typical arptables tables/chain layout
+include "./arp-filter.nft"
+
+# bridge family, typical ebtables tables/chain layout
+include "./bridge-filter.nft"

diff --git a/files/nftables/inet-filter b/files/examples/inet-filter.nft
old mode 100644 (file)
new mode 100755 (executable)
similarity index 90%
rename from files/nftables/inet-filter
rename to files/examples/inet-filter.nft
index f572db5..e5c8c54
--- a/files/nftables/inet-filter
+++ b/files/examples/inet-filter.nft
@@ -1,4 +1,4 @@
-#! @sbindir@nft -f
+#!/usr/sbin/nft -f
 
 table inet filter {
        chain input             { type filter hook input priority 0; }

diff --git a/files/nftables/ipv4-filter b/files/examples/ipv4-filter.nft
old mode 100644 (file)
new mode 100755 (executable)
similarity index 90%
rename from files/nftables/ipv4-filter
rename to files/examples/ipv4-filter.nft
index a4ca7f2..73b11bc
--- a/files/nftables/ipv4-filter
+++ b/files/examples/ipv4-filter.nft
@@ -1,4 +1,4 @@
-#! @sbindir@nft -f
+#!/usr/sbin/nft -f
 
 table filter {
        chain input             { type filter hook input priority 0; }

diff --git a/files/nftables/ipv4-mangle b/files/examples/ipv4-mangle.nft
old mode 100644 (file)
new mode 100755 (executable)
similarity index 79%
rename from files/nftables/ipv4-mangle
rename to files/examples/ipv4-mangle.nft
index be564a5..2827ddf
--- a/files/nftables/ipv4-mangle
+++ b/files/examples/ipv4-mangle.nft
@@ -1,4 +1,4 @@
-#! @sbindir@nft -f
+#!/usr/sbin/nft -f
 
 table mangle {
        chain output            { type route hook output priority -150; }

diff --git a/files/nftables/ipv4-nat b/files/examples/ipv4-nat.nft
old mode 100644 (file)
new mode 100755 (executable)
similarity index 92%
rename from files/nftables/ipv4-nat
rename to files/examples/ipv4-nat.nft
index 130a729..fd3bb40
--- a/files/nftables/ipv4-nat
+++ b/files/examples/ipv4-nat.nft
@@ -1,4 +1,4 @@
-#! @sbindir@nft -f
+#!/usr/sbin/nft -f
 
 table nat {
        chain prerouting        { type nat hook prerouting priority -100; }

diff --git a/files/nftables/ipv4-raw b/files/examples/ipv4-raw.nft
old mode 100644 (file)
new mode 100755 (executable)
similarity index 87%
rename from files/nftables/ipv4-raw
rename to files/examples/ipv4-raw.nft
index 19773ee..91fc138
--- a/files/nftables/ipv4-raw
+++ b/files/examples/ipv4-raw.nft
@@ -1,4 +1,4 @@
-#! @sbindir@nft -f
+#!/usr/sbin/nft -f
 
 table raw {
        chain prerouting        { type filter hook prerouting priority -300; }

diff --git a/files/nftables/ipv6-filter b/files/examples/ipv6-filter.nft
old mode 100644 (file)
new mode 100755 (executable)
similarity index 90%
rename from files/nftables/ipv6-filter
rename to files/examples/ipv6-filter.nft
index ce4d7de..21f06a3
--- a/files/nftables/ipv6-filter
+++ b/files/examples/ipv6-filter.nft
@@ -1,4 +1,4 @@
-#! @sbindir@nft -f
+#!/usr/sbin/nft -f
 
 table ip6 filter {
        chain input             { type filter hook input priority 0; }

diff --git a/files/nftables/ipv6-mangle b/files/examples/ipv6-mangle.nft
old mode 100644 (file)
new mode 100755 (executable)
similarity index 80%
rename from files/nftables/ipv6-mangle
rename to files/examples/ipv6-mangle.nft
index fa32402..e92dbef
--- a/files/nftables/ipv6-mangle
+++ b/files/examples/ipv6-mangle.nft
@@ -1,4 +1,4 @@
-#! @sbindir@nft -f
+#!/usr/sbin/nft -f
 
 table ip6 mangle {
        chain output            { type route hook output priority -150; }

diff --git a/files/nftables/ipv6-nat b/files/examples/ipv6-nat.nft
old mode 100644 (file)
new mode 100755 (executable)
similarity index 93%
rename from files/nftables/ipv6-nat
rename to files/examples/ipv6-nat.nft
index e781686..7437c19
--- a/files/nftables/ipv6-nat
+++ b/files/examples/ipv6-nat.nft
@@ -1,4 +1,4 @@
-#! @sbindir@nft -f
+#!/usr/sbin/nft -f
 
 table ip6 nat {
        chain prerouting        { type nat hook prerouting priority -100; }

diff --git a/files/nftables/ipv6-raw b/files/examples/ipv6-raw.nft
old mode 100644 (file)
new mode 100755 (executable)
similarity index 88%
rename from files/nftables/ipv6-raw
rename to files/examples/ipv6-raw.nft
index 5ee56a8..812703a
--- a/files/nftables/ipv6-raw
+++ b/files/examples/ipv6-raw.nft
@@ -1,4 +1,4 @@
-#! @sbindir@nft -f
+#!/usr/sbin/nft -f
 
 table ip6 raw {
        chain prerouting        { type filter hook prerouting priority -300; }

diff --git a/files/examples/netdev-ingress.nft b/files/examples/netdev-ingress.nft
new file mode 100755 (executable)
index 0000000..2585d15
--- /dev/null
+++ b/files/examples/netdev-ingress.nft
@@ -0,0 +1,7 @@
+#!/usr/sbin/nft -f
+
+# mind the NIC, it must exists
+table netdev filter {
+        chain loinput { type filter hook ingress device lo priority 0; }
+}
+

diff --git a/files/examples/sets_and_maps b/files/examples/sets_and_maps.nft
similarity index 82%
rename from files/examples/sets_and_maps
rename to files/examples/sets_and_maps.nft
index 58369a3190946d99a91550109931e23ad5f52309..f5157b3b278a0f2bf22ced80056939cd76f9049f 100755 (executable)
--- a/files/examples/sets_and_maps
+++ b/files/examples/sets_and_maps.nft
@@ -1,7 +1,8 @@
-#! /sbin/nft -nf
-#
-# Examples of set and map usage
-#
+#!/usr/sbin/nft -f
+
+# This example file shows how to use sets and maps in the nftables framework.
+# This script is meant to be loaded with `nft -f <file>`
+# For up-to-date information please visit https://wiki.nftables.org
 
 # symbolic anonymous set definition built from symbolic singleton definitions
 define int_if1  = eth0

diff --git a/files/nftables/Makefile.am b/files/nftables/Makefile.am
deleted file mode 100644 (file)
index 77d5c2a..0000000
--- a/files/nftables/Makefile.am
+++ /dev/null
@@ -1,16 +0,0 @@
-
-pkgsysconfdir = ${sysconfdir}/nftables
-dist_pkgsysconf_DATA = arp-filter      \
-                       bridge-filter   \
-                       inet-filter     \
-                       ipv4-filter     \
-                       ipv4-mangle     \
-                       ipv4-nat        \
-                       ipv4-raw        \
-                       ipv6-filter     \
-                       ipv6-mangle     \
-                       ipv6-nat        \
-                       ipv6-raw
-
-install-data-hook:
-       ${SED} -i 's|@sbindir[@]|${sbindir}/|g' ${DESTDIR}${pkgsysconfdir}/*