files: add arp filter and add in/output to nat skeleton

Signed-off-by: Florian Westphal <fw@strlen.de>
Acked-by: Pablo Neira Ayuso <pablo@netfilter.org>

diff --git a/files/nftables/Makefile.am b/files/nftables/Makefile.am
index a4c7ac7c980b8d5c92270f5c61375931dce1de4e..77d5c2a66e8fd22626ca78a2f22f3d164491ec58 100644 (file)
--- a/files/nftables/Makefile.am
+++ b/files/nftables/Makefile.am
@@ -1,6 +1,7 @@
 
 pkgsysconfdir = ${sysconfdir}/nftables
-dist_pkgsysconf_DATA = bridge-filter   \
+dist_pkgsysconf_DATA = arp-filter      \
+                       bridge-filter   \
                        inet-filter     \
                        ipv4-filter     \
                        ipv4-mangle     \

diff --git a/files/nftables/arp-filter b/files/nftables/arp-filter
new file mode 100644 (file)
index 0000000..bcabf28
--- /dev/null
+++ b/files/nftables/arp-filter
@@ -0,0 +1,6 @@
+#! @sbindir@nft -f
+
+table arp filter {
+       chain input             { type filter hook input priority 0; }
+       chain output            { type filter hook output priority 0; }
+}

diff --git a/files/nftables/ipv4-nat b/files/nftables/ipv4-nat
index 01c6c3d8d6a1a21b616b689c2cb306798efce4b5..130a729b1d36fa1ac5062ac885f6b278af9500b2 100644 (file)
--- a/files/nftables/ipv4-nat
+++ b/files/nftables/ipv4-nat
@@ -1,6 +1,8 @@
 #! @sbindir@nft -f
 
 table nat {
-       chain prerouting        { type nat hook prerouting priority -150; }
-       chain postrouting       { type nat hook postrouting priority -150; }
+       chain prerouting        { type nat hook prerouting priority -100; }
+       chain input             { type nat hook input priority 100; }
+       chain output            { type nat hook output priority -100; }
+       chain postrouting       { type nat hook postrouting priority 100; }
 }

diff --git a/files/nftables/ipv6-nat b/files/nftables/ipv6-nat
index 3f57c56dea78c3d4e93f2bdb1e90def4204563fb..e7816860f4a761a27c5b1ad7b7b04a6d0a4f2178 100644 (file)
--- a/files/nftables/ipv6-nat
+++ b/files/nftables/ipv6-nat
@@ -1,6 +1,8 @@
 #! @sbindir@nft -f
 
 table ip6 nat {
-       chain prerouting        { type nat hook prerouting priority -150; }
-       chain postrouting       { type nat hook postrouting priority -150; }
+       chain prerouting        { type nat hook prerouting priority -100; }
+       chain input             { type nat hook input priority 100; }
+       chain output            { type nat hook output priority -100; }
+       chain postrouting       { type nat hook postrouting priority 100; }
 }