authorMáté Eckl2021-09-13 22:02:08 +0200
committerMáté Eckl2021-09-13 22:02:57 +0200
commit621dcb6acf1bf96206a9d31269a870d98063482b (patch)
treefaf06816879896aa480e77c84d2d67aa94162458
parent86b15b071a311998883bcfe530464e009824ec39 (diff)
downloadaur-621dcb6acf1bf96206a9d31269a870d98063482b.tar.gz
Update version to 1:1.0.0
-rw-r--r--.SRCINFO12
-rw-r--r--PKGBUILD14
-rw-r--r--nftables.conf49
-rw-r--r--nftables.install10
4 files changed, 43 insertions, 42 deletions
diff --git a/.SRCINFO b/.SRCINFO
index eea2aed521f6..80916ece1e2f 100644
--- a/.SRCINFO
+++ b/.SRCINFO
@@ -1,9 +1,10 @@
pkgbase = nftables-git
pkgdesc = Netfilter tables userspace tools
- pkgver = 0.9.5
+ pkgver = 1.0.0
pkgrel = 1
+ epoch = 1
url = https://netfilter.org/projects/nftables/
- arch = i686
+ install = nftables.install
arch = x86_64
license = GPL2
makedepends = asciidoc
@@ -23,9 +24,8 @@ pkgbase = nftables-git
source = git://git.netfilter.org/nftables
source = nftables.conf
source = nftables.service
- sha1sums = SKIP
- sha1sums = 7869aa31ac802922073310ffd4cbbc16450171e5
- sha1sums = 59185e947ebfd599954800ad2c774171b3f4cd58
+ sha256sums = SKIP
+ sha256sums = 2aff88019097d21dbfa4713f5b54c184751c86376e458b683f8d90f3abd232a8
+ sha256sums = 3c6a34a400022450df0b6e97b3f16eea5cab7741a0e5f16858b46a3e6591b5af
pkgname = nftables-git
-
diff --git a/PKGBUILD b/PKGBUILD
index 638f5e9ad9e7..c9d1a2fd3c2d 100644
--- a/PKGBUILD
+++ b/PKGBUILD
@@ -3,12 +3,14 @@
# Contributor: Steven Allen <steven@stebalien.com>
pkgname=nftables-git
-pkgver=0.9.5
+epoch=1
+pkgver=1.0.0
pkgrel=1
pkgdesc='Netfilter tables userspace tools'
-arch=(i686 x86_64)
+arch=(x86_64)
url='https://netfilter.org/projects/nftables/'
license=('GPL2')
+optdepends=('python: Python bindings')
depends=(libmnl libnftnl-git gmp readline ncurses jansson)
makedepends=(asciidoc git bison flex)
optdepends=('python: Python bindings')
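Review bot: The added `optdepends=('python: Python bindings')` line duplicates the existing one that follows `makedepends` two lines later; bash keeps only the second assignment, so the new line is dead and the two will drift apart if either is edited. Drop the added line (or the older one) so the array is declared once. The `arch=(x86_64)` change and the new `epoch=1` look consistent with the `.SRCINFO` hunk.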
@@ -18,9 +20,10 @@ conflicts=(nftables)
source=(git://git.netfilter.org/nftables
nftables.conf
nftables.service)
-sha1sums=('SKIP'
- '7869aa31ac802922073310ffd4cbbc16450171e5'
- '59185e947ebfd599954800ad2c774171b3f4cd58')
+install=nftables.install
+sha256sums=('SKIP'
+ '2aff88019097d21dbfa4713f5b54c184751c86376e458b683f8d90f3abd232a8'
+ '3c6a34a400022450df0b6e97b3f16eea5cab7741a0e5f16858b46a3e6591b5af')
pkgver() {
cd nftables
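Review bot: The new `sha256sums` array still pairs `'SKIP'` with the `git://git.netfilter.org/nftables` source, so the VCS checkout is fetched over an unauthenticated, unencrypted transport with no integrity check at all — the upgrade from sha1 to sha256 only hardens the two local files. Switching the source to `git+https://git.netfilter.org/nftables` keeps `SKIP` (as is usual for a -git package) but at least authenticates the server. `pkgver()` begins at the end of this hunk and continues outside it.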
@@ -29,7 +32,6 @@ pkgver() {
build() {
cd nftables
- sh autogen.sh
./configure \
--prefix=/usr \
--sbindir=/usr/bin \
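Review bot: Removing `sh autogen.sh` from `build()` means `./configure` must already exist in the checkout; a fresh clone of an autotools project normally ships only `configure.ac`, so unless a `prepare()` outside this hunk runs `autoreconf -fi` (I cannot see the lines between the two PKGBUILD hunks), a clean build will fail with "No such file". If generation was moved to `prepare()`, a one-line comment such as `# configure is generated in prepare()` above the call would make that dependency visible. `build()` continues past the end of the hunk.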
diff --git a/nftables.conf b/nftables.conf
index 2d306375809c..fe835b303914 100644
--- a/nftables.conf
+++ b/nftables.conf
@@ -1,38 +1,27 @@
#!/usr/bin/nft -f
-# ipv4/ipv6 Simple & Safe Firewall
-# you can find examples in /usr/share/nftables/
+# vim:set ts=2 sw=2 et:
+
+# IPv4/IPv6 Simple & Safe firewall ruleset.
+# More examples in /usr/share/nftables/ and /usr/share/doc/nftables/examples/.
+table inet filter
+delete table inet filter
table inet filter {
chain input {
- type filter hook input priority 0;
-
- # allow established/related connections
- ct state {established, related} accept
-
- # early drop of invalid connections
- ct state invalid drop
-
- # allow from loopback
- iifname lo accept
-
- # allow icmp
- ip protocol icmp accept
- ip6 nexthdr icmpv6 accept
-
- # allow ssh
- tcp dport ssh accept
-
- # everything else
- reject with icmpx type port-unreachable
+ type filter hook input priority filter
+ policy drop
+
+ ct state invalid drop comment "early drop of invalid connections"
+ ct state {established, related} accept comment "allow tracked connections"
+ iifname lo accept comment "allow from loopback"
+ ip protocol icmp accept comment "allow icmp"
+ meta l4proto ipv6-icmp accept comment "allow icmp v6"
+ tcp dport ssh accept comment "allow sshd"
+ pkttype host limit rate 5/second counter reject with icmpx type admin-prohibited
+ counter
}
chain forward {
- type filter hook forward priority 0;
- drop
- }
- chain output {
- type filter hook output priority 0;
+ type filter hook forward priority filter
+ policy drop
}
-
}
-
-# vim:set ts=2 sw=2 et:
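Review bot: The new `table inet filter` / `delete table inet filter` pair at the top of the file has no comment explaining why a table is declared and immediately deleted, and the purpose (make the file safe to re-apply: `delete` on a non-existent table is an error, so the empty declaration guarantees it exists before the old ruleset is replaced) is not obvious to someone editing the file later. A comment like `# Declare then delete the table so re-running this file replaces the old ruleset atomically` above those two lines would capture it. The `nftables.install` notice refers to this directive, so the comment should point there too. The old `output` chain is dropped without replacement, which appears intentional (unfiltered output), but a comment stating that would avoid it being read as an omission.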
diff --git a/nftables.install b/nftables.install
new file mode 100644
index 000000000000..455245dd6a71
--- /dev/null
+++ b/nftables.install
@@ -0,0 +1,10 @@
+## arg 1: the new package version
+## arg 2: the old package version
+post_upgrade() {
+ (( $(vercmp "$2" '1:0.9.9-1') > 0 )) || cat <<EOF
+==> Stopping/restarting the nftables service does NOT flush the ruleset anymore.
+==> The nftables.conf file requires a delete/flush directive to be restarted.
+==> See examples in /usr/share/nftables/ and /usr/share/doc/nftables/examples.
+==> The nftables service reload has been removed as it is now equivalent to a restart.
+EOF
+}
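Review bot: The threshold `'1:0.9.9-1'` in `post_upgrade` is not a version this package ever had (the jump is 0.9.5 to 1:1.0.0), so it is not obvious that the intent is "old version predates the epoch"; `vercmp` treats a missing epoch as 0, which is what makes every pre-epoch `0.x` version sort below it. A comment such as `# pre-epoch versions (no "1:" prefix) compare below 1:0.9.9-1, so the notice is shown exactly once on the epoch bump` above the comparison would make that explicit. The unquoted `<<EOF` heredoc is fine today because the message contains no `$` or backticks, but `<<'EOF'` would keep it safe if the text is ever edited.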