diff --git a/README.md b/README.md
index 0bd8e1f..3442b14 100644
--- a/README.md
+++ b/README.md
@@ -1,2 +1,4 @@
 # nftables
+nftables replaces the popular {ip,ip6,arp,eb}tables. This software provides a new in-kernel packet classification framework that is based on a network-specific Virtual Machine (VM) and a new nft userspace command line tool. nftables reuses the existing Netfilter subsystems such as the existing hook infrastructure, the connection tracking system, NAT, userspace queueing and logging subsystem.
+
diff --git a/nftables.conf b/nftables.conf
new file mode 100644
index 0000000..fe835b3
--- /dev/null
+++ b/nftables.conf
@@ -0,0 +1,27 @@
+#!/usr/bin/nft -f
+# vim:set ts=2 sw=2 et:
+
+# IPv4/IPv6 Simple & Safe firewall ruleset.
+# More examples in /usr/share/nftables/ and /usr/share/doc/nftables/examples/.
+
+table inet filter
+delete table inet filter
+table inet filter {
+ chain input {
+ type filter hook input priority filter
+ policy drop
+
+ ct state invalid drop comment "early drop of invalid connections"
+ ct state {established, related} accept comment "allow tracked connections"
+ iifname lo accept comment "allow from loopback"
+ ip protocol icmp accept comment "allow icmp"
+ meta l4proto ipv6-icmp accept comment "allow icmp v6"
+ tcp dport ssh accept comment "allow sshd"
+ pkttype host limit rate 5/second counter reject with icmpx type admin-prohibited
+ counter
+ }
+ chain forward {
+ type filter hook forward priority filter
+ policy drop
+ }
+}
diff --git a/nftables.service b/nftables.service
new file mode 100644
index 0000000..e3aa0c4
--- /dev/null
+++ b/nftables.service
@@ -0,0 +1,12 @@
+[Unit]
+Description=Netfilter Tables
+Documentation=man:nft(8)
+Wants=network-pre.target
+Before=network-pre.target
+
+[Service]
+Type=oneshot
+ExecStart=/usr/sbin/nft -f /etc/nftables/nftables.conf
+
+[Install]
+WantedBy=multi-user.target
diff --git a/nftables.spec b/nftables.spec
new file mode 100644
index 0000000..6379239
--- /dev/null
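Review bot: `tcp dport ssh accept comment "allow sshd"` admits new SSH connections from any source with no throttling; the only `limit rate` in this input chain is on the final reject line, which never sees packets the ssh rule already accepted. If the host is Internet-facing, rate-limit new connections before accepting, e.g. `tcp dport ssh ct state new limit rate 10/minute burst 20 packets accept comment "allow sshd, rate limited"` (packets over the rate then fall through to the existing reject/counter lines), or restrict the source with a saddr set. Likewise `ip protocol icmp accept` and `meta l4proto ipv6-icmp accept` admit every ICMP type; that is the usual simple-ruleset default, but a host does not need ICMPv4 redirects, and ICMPv6 can be narrowed to the neighbour-discovery, echo and error types it actually relies on. Because the file recreates the whole `inet filter` table (`table inet filter` / `delete table inet filter` / redefinition), these tweaks stay local to this chain and do not affect tables owned by other tools.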
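Review bot: `Type=oneshot` without `RemainAfterExit=yes` leaves the unit reported inactive as soon as `nft -f` returns, so `systemctl status nftables` cannot show whether the ruleset is loaded, and the spec's `%systemd_postun_with_restart nftables` (normally a try-restart, which only acts on active units) will not reapply a changed ruleset on upgrade. Add `RemainAfterExit=yes` to `[Service]`, and give the unit `ExecReload=/usr/sbin/nft -f /etc/nftables/nftables.conf` so `systemctl reload nftables` reapplies the file without a restart. If an `ExecStop` is wanted, prefer `ExecStop=/usr/sbin/nft delete table inet filter` over a full `flush ruleset`, which would also remove tables owned by other services (container runtimes, libvirt). The unit necessarily runs nft as root for CAP_NET_ADMIN, so no further sandboxing is proposed here.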
+++ b/nftables.spec 
@@ -0,0 +1,134 @@
+Name: nftables
+Version: 1.0.8
+Release: 1mamba
+Summary: Netfilter tables userspace tools
+Group: Network/Security
+Vendor: openmamba
+Distribution: openmamba
+Packager: Silvan Calarco
+URL: https://netfilter.org/projects/nftables/index.html
+Source: https://netfilter.org/projects/nftables/files/nftables-%{version}.tar.xz
+Source1: nftables.conf
+Source2: nftables.service
+License: GPL
+## AUTOBUILDREQ-BEGIN
+BuildRequires: glibc-devel
+BuildRequires: libgmp-devel
+BuildRequires: libjansson-devel
+BuildRequires: libmnl-devel
+BuildRequires: libnftnl-devel
+BuildRequires: libpython310-devel
+BuildRequires: libreadline-devel
+## AUTOBUILDREQ-END
+Requires: lib%{name} = %{?epoch:%epoch:}%{version}-%{release}
+
+%description
+nftables replaces the popular {ip,ip6,arp,eb}tables. This software provides a new in-kernel packet classification framework that is based on a network-specific Virtual Machine (VM) and a new nft userspace command line tool. nftables reuses the existing Netfilter subsystems such as the existing hook infrastructure, the connection tracking system, NAT, userspace queueing and logging subsystem.
+
+%package -n lib%{name}
+Group: System/Libraries
+Summary: Shared libraries for %{name}
+Requires: %{name} = %{?epoch:%epoch:}%{version}-%{release}
+
+%description -n lib%{name}
+This package contains shared libraries for %{name}.
+
+%package -n lib%{name}-devel
+Group: Development/Libraries
+Summary: Development files for %{name}
+Requires: lib%{name} = %{?epoch:%epoch:}%{version}-%{release}
+Requires: pkg-config
+
+%description -n lib%{name}-devel
+This package contains libraries and header files for developing applications that use %{name}.
+
+%package -n python-nftables-py310
+Group: System/Libraries/Python
+Summary: Python bindings to %{name}
+Requires: %{name} = %{?epoch:%epoch:}%{version}-%{release}
+
+%description -n python-nftables-py310
+This package contains the Python bindings to %{name}.
+%debug_package
+
+%prep
+%setup -q
+
+%build
+%configure \
+ --with-json \
+ --with-cli=readline \
+ --disable-python
+
+%make
+
+# From Arch: Building the Python module separately due to the automatic build resulting
+# in an incorrect directory structure and unimportable module (see FS#79229)
+cd py
+%{__python310} -m build --wheel --no-isolation
+
+%install
+[ "%{buildroot}" != / ] && rm -rf "%{buildroot}"
+%makeinstall
+
+%{__python310} -m installer --destdir=%{buildroot} py/dist/*.whl
+
+install -D -m0644 %{SOURCE1} %{buildroot}%{_sysconfdir}/nftables/nftables.conf
+install -D -m0644 %{SOURCE2} %{buildroot}%{_unitdir}/nftables.service
+
+%clean
+[ "%{buildroot}" != / ] && rm -rf "%{buildroot}"
+
+%post -n lib%{name} -p /sbin/ldconfig
+%postun -n lib%{name} -p /sbin/ldconfig
+
+%post
+%systemd_post nftables
+:
+
+%preun
+%systemd_preun nftables
+:
+
+%postun
+%systemd_postun_with_restart nftables
+:
+
+%files
+%defattr(-,root,root)
+%config(noreplace) %{_sysconfdir}/nftables/nftables.conf
+%{_sysconfdir}/nftables/osf/pf.os
+%{_sbindir}/nft
+%{_unitdir}/nftables.service
+%dir %{_docdir}/nftables
+%dir %{_docdir}/nftables/examples
+%{_docdir}/nftables/examples/*
+%{_mandir}/man5/libnftables-json.5*
+%{_mandir}/man8/nft.8*
+%dir %{_datadir}/nftables
+%{_datadir}/nftables/*.nft
+
+%files -n lib%{name}
+%defattr(-,root,root)
+%{_libdir}/libnftables.so.*
+%doc COPYING
+
+%files -n lib%{name}-devel
+%defattr(-,root,root)
+%dir %{_includedir}/nftables
+%{_includedir}/nftables/libnftables.h
+%{_libdir}/libnftables.so
+%{_libdir}/pkgconfig/libnftables.pc
+%{_mandir}/man3/libnftables.3*
+
+%files -n python-nftables-py310
+%defattr(-,root,root)
+%dir %{python310_sitelib}/nftables-*.dist-info
+%{python310_sitelib}/nftables-*.dist-info/*
+%dir %{python310_sitelib}/nftables
+%{python310_sitelib}/nftables/*
+
+%changelog
+* Sat Aug 12 2023 Silvan Calarco 1.0.8-1mamba
+- package created using the webbuild interface
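Review bot: `Source: https://netfilter.org/projects/nftables/files/nftables-%{version}.tar.xz` is fetched by URL with no checksum or signature verification anywhere in the spec, even though upstream publishes a detached `.sig` next to each release tarball; unless the webbuild pipeline pins a hash elsewhere, add `Source3: https://netfilter.org/projects/nftables/files/nftables-%{version}.tar.xz.sig` and verify it in `%prep` before `%setup -q` (with the distribution's gpgverify macro if one exists, otherwise an explicit `gpg --verify` against a keyring shipped with the spec). Separately, `install -D -m0644 %{SOURCE1} %{buildroot}%{_sysconfdir}/nftables/nftables.conf` makes the live firewall policy world-readable, and because it is `%config(noreplace)` any administrator-added allow-lists and open ports end up readable by every local user; `-m0600` is the safer default for the ruleset, while `-m0644` remains right for the unit file. `License: GPL` is also imprecise for a security-relevant package; upstream's COPYING is GPL version 2, so `GPL-2.0-only` (or whatever short form openmamba uses) would be more accurate.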