add nft

henglinli · May 22, 2018 · e1253db · e1253db
1 parent 701aa2a
commit e1253db
Show file tree

Hide file tree

Showing 4 changed files with 43 additions and 51,807 deletions.
diff --git a/etc/firewall/filter.nft b/etc/firewall/filter.nft
@@ -0,0 +1,25 @@
+#!/usr/sbin/nft -f
+flush ruleset
+# inet filter
+table inet filter {
+      chain output {
+      	    type filter hook output priority 0; policy accept;
+	    counter comment "count accepted packets"
+      }
+      chain forward {
+      	    type filter hook forward priority 0; policy drop;
+	    counter comment "count dropped packets"
+      }
+      chain input {
+      	    type filter hook input priority 0; policy drop;
+	    ct state invalid counter drop comment "drop invalid packets"
+	    ct state {established, related} counter accept comment "accept all connections related to connections made by self"
+	    iifname lo accept comment "accept loopback"
+	    iifname != lo ip daddr 127.0.0.1/8 counter drop comment "drop connections to loopback nto comming from loopback"
+	    iifname != lo ip6 daddr ::1/128 counter drop comment "drop connections to loopback not comming from loopback"
+	    ip protocol icmp counter accept comment "accept all icmp types"
+	    ip6 nexthdr icmpv6 counter accept comment "accept all icmpv6 types"
+	    tcp dport 22 counter accept comment "accept ssh(port 22)"
+	    counter comment "count accepted packets"
+      }
+}
diff --git a/etc/systemd/system/[email protected] b/etc/systemd/system/[email protected]
@@ -0,0 +1,13 @@
+[Unit]
+Description=nft
+Documentation=man:ntf(8)
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+ExecStart=/usr/sbin/nft -f /etc/firewall/%I.nft 
+ExecStop=/usr/sbin/nft flush ruleset
+
+[Install]
+WantedBy=multi-user.target
+DefaultInstance=filter
diff --git a/...onfig/alienware-alpha/4.16.8-sgima0f.conf → ...nfig/alienware-alpha/4.16.10-sgima0f.conf b/...onfig/alienware-alpha/4.16.8-sgima0f.conf → ...nfig/alienware-alpha/4.16.10-sgima0f.conf
@@ -1,6 +1,6 @@
 #
 # Automatically generated file; DO NOT EDIT.
-# Linux/x86 4.16.8 Kernel Configuration
+# Linux/x86 4.16.10 Kernel Configuration
 #
 CONFIG_64BIT=y
 CONFIG_X86_64=y
@@ -114,11 +114,8 @@ CONFIG_HIGH_RES_TIMERS=y
 CONFIG_TICK_CPU_ACCOUNTING=y
 # CONFIG_VIRT_CPU_ACCOUNTING_GEN is not set
 # CONFIG_IRQ_TIME_ACCOUNTING is not set
-CONFIG_BSD_PROCESS_ACCT=y
-CONFIG_BSD_PROCESS_ACCT_V3=y
-CONFIG_TASKSTATS=y
-CONFIG_TASK_DELAY_ACCT=y
-# CONFIG_TASK_XACCT is not set
+# CONFIG_BSD_PROCESS_ACCT is not set
+# CONFIG_TASKSTATS is not set
 # CONFIG_CPU_ISOLATION is not set
 
 #
@@ -2530,8 +2527,7 @@ CONFIG_FANOTIFY=y
 # CONFIG_QUOTA is not set
 # CONFIG_QUOTACTL is not set
 CONFIG_AUTOFS4_FS=y
-CONFIG_FUSE_FS=y
-CONFIG_CUSE=y
+# CONFIG_FUSE_FS is not set
 # CONFIG_OVERLAY_FS is not set
 
 #
@@ -2699,7 +2695,7 @@ CONFIG_HARDLOCKUP_CHECK_TIMESTAMP=y
 CONFIG_PANIC_ON_OOPS_VALUE=0
 CONFIG_PANIC_TIMEOUT=30
 # CONFIG_SCHED_DEBUG is not set
-CONFIG_SCHED_INFO=y
+# CONFIG_SCHED_INFO is not set
 # CONFIG_SCHEDSTATS is not set
 # CONFIG_SCHED_STACK_END_CHECK is not set
 # CONFIG_DEBUG_TIMEKEEPING is not set