files: provide 'raw' table equivalent

useful for the 'ct zone set' statement, it has to be done before
the conntrack lookup but preferrably after the defragmention hook.

In iptables, the functionality resides in the CT target which is
restricted to the raw table.  This provides the skeleton for nft.

Signed-off-by: Florian Westphal <fw@strlen.de>

diff --git a/files/nftables/Makefile.am b/files/nftables/Makefile.am
index 1378e2b684f1d02b176f9dc2fb456c31ff6fb7a3..a4c7ac7c980b8d5c92270f5c61375931dce1de4e 100644 (file)
--- a/files/nftables/Makefile.am
+++ b/files/nftables/Makefile.am
@@ -5,9 +5,11 @@ dist_pkgsysconf_DATA = bridge-filter   \
                        ipv4-filter     \
                        ipv4-mangle     \
                        ipv4-nat        \
+                       ipv4-raw        \
                        ipv6-filter     \
                        ipv6-mangle     \
-                       ipv6-nat
+                       ipv6-nat        \
+                       ipv6-raw
 
 install-data-hook:
        ${SED} -i 's|@sbindir[@]|${sbindir}/|g' ${DESTDIR}${pkgsysconfdir}/*

diff --git a/files/nftables/ipv4-raw b/files/nftables/ipv4-raw
new file mode 100644 (file)
index 0000000..19773ee
--- /dev/null
+++ b/files/nftables/ipv4-raw
@@ -0,0 +1,6 @@
+#! @sbindir@nft -f
+
+table raw {
+       chain prerouting        { type filter hook prerouting priority -300; }
+       chain output            { type filter hook output priority -300; }
+}

diff --git a/files/nftables/ipv6-raw b/files/nftables/ipv6-raw
new file mode 100644 (file)
index 0000000..5ee56a8
--- /dev/null
+++ b/files/nftables/ipv6-raw
@@ -0,0 +1,6 @@
+#! @sbindir@nft -f
+
+table ip6 raw {
+       chain prerouting        { type filter hook prerouting priority -300; }
+       chain output            { type filter hook output priority -300; }
+}