37 files changed, 1880 insertions, 0 deletions
diff --git a/debian/README.Debian b/debian/README.Debian new file mode 100644 index 0000000..7f13097 --- /dev/null +++ b/debian/README.Debian @@ -0,0 +1,42 @@ +How to start +============ + +The nftables Debian package gives you access to the 'nft' utility. +There is another component, in the kernel, which is the nf_tables subsystem. +From the nft utility you control which rules are loaded into the kernel. + +The Debian package comes with some example ruleset you may use as a starting +point. Check them at /usr/share/doc/nftables/examples/ + +Extensive online documentation is available at: + + https://wiki.nftables.org + +The default rules file in debian is /etc/nftables.conf + +Some basic commands +=================== + +Try these basic commands to know more about nftables on your machine: + +user@debian:~$ sudo nft list ruleset +user@debian:~$ sudo nft flush ruleset +user@debian:~$ sudo nft add table inet filter +user@debian:~$ sudo nft add chain inet filter input { type filter hook input priority 0 \; policy drop } +user@debian:~$ sudo nft add rule inet filter input ct state established counter accept +user@debian:~$ sudo nft list ruleset + +System service (auto-load at boot) +================================== + +This package includes a pre-configured systemd service file which you can +optionally enable to auto-load your firewall at boot time. + +user@debian:~$ sudo systemctl enable nftables.service + +Migrating from iptables +======================= + +Please read the docs at: + + https://wiki.nftables.org/wiki-nftables/index.php/Moving_from_iptables_to_nftables diff --git a/debian/changelog b/debian/changelog new file mode 100644 index 0000000..d1acb70 --- /dev/null +++ b/debian/changelog 
@@ -0,0 +1,647 @@ +nftables (1.0.9-1) unstable; urgency=medium + + [ Jeremy Sowden ] + * [cceedbd] d/clean: add Python egg-info directory + * [26632e8] Use the upstream man-pages + * [7ace353] d/control: remove unused bison & flex build-deps + + [ Arturo Borrero Gonzalez ] + * [83ff316] New upstream version 1.0.9 + * [0b04e55] d/patches: drop patches integrated upstream + * [f6b44a9] d/libnftables1.symbols: refresh file + + -- Arturo Borrero Gonzalez <arturo@debian.org> Thu, 19 Oct 2023 16:11:15 +0200 + +nftables (1.0.8-1) unstable; urgency=medium + + [ Arturo Borrero Gonzalez ] + * [d80034c] d/upstream/signing-key.asc: refresh key + * [1cdf229] Revert "d/watch: use `pgpmode=auto`" + * [d13e924] New upstream version 1.0.8 + * [f6e0491] d/patches: drop 0001-debian-bug-1038724.patch + * [464cb02] d/control: bump build-dep on libnftnl + * [1d65f36] d/control: add python3-setuptool build-dep + * [6b96c7c] d/patches: add 0001-py.patch + + [ Jeremy Sowden ] + * [a8248a9] d/u/signing-key.asc: minimize key + * [243be3f] d/*.lintian-overrides: override typo false positives + * [cfe1e5a] d/rules: in-line configure options + * [242e961] d/rules: explicitly build python3 module + * [fbd4ae9] d/patches: add upstream patches to add pyproject.toml support + * [0b62d3e] d/control: add build-dep on pybuild-plugins-pyproject + + -- Jeremy Sowden <jeremy@azazel.net> Thu, 03 Aug 2023 14:55:28 +0100 + +nftables (1.0.7-2) unstable; urgency=medium + + * [800ca9f] d/patches: add 0001-debian-bug-1038724.patch (Closes: #1038724) + + -- Arturo Borrero Gonzalez <arturo@debian.org> Tue, 20 Jun 2023 17:09:27 +0200 + +nftables (1.0.7-1) unstable; urgency=medium + + * [5012323] New upstream version 1.0.7 + * [5965017] d/patches: drop invalid-octal-fix.patch + + -- Arturo Borrero Gonzalez <arturo@debian.org> Tue, 14 Mar 2023 12:36:06 +0100 + +nftables (1.0.6-2) unstable; urgency=medium + + [ Jeremy Sowden ] + * [5e89bdc] d/patches: add patch to fix handling of invalid octal strings + (Closes: 
#932880) + * [df007f6] d/control: bump Standards-Version to 4.6.2 + + -- Arturo Borrero Gonzalez <arturo@debian.org> Sun, 29 Jan 2023 12:33:00 +0100 + +nftables (1.0.6-1) unstable; urgency=medium + + * [41c144c] d/gbp.conf: make pristine-tar config the default + * [69ab9ff] d/watch: refresh tarball extension, use tar.xz + * [d6a12b6] New upstream version 1.0.6 (Closes: #932877) + * [5bff90c] src:nftables: bump build-dep version libnftnl to 1.2.4 + * [19569e2] d/patches: drop all patches + + -- Arturo Borrero Gonzalez <arturo@debian.org> Thu, 22 Dec 2022 12:14:49 +0100 + +nftables (1.0.5-2) unstable; urgency=medium + + [ Jeremy Sowden ] + * [14670b7] d/control: bump Standards-Version to 4.6.1 + * [accc8cd] d/patches: add patch to fix listing of sets containing + unclosed prefix intervals (closes: #1018156) + * [f42c641] d/patches: add patch to fix typo's + * [46b0bd9] d/rules: `override_dh_fixperms` -> `execute_after_dh_fixperms` + * [b639b39] d/rules: fix non-reproducible dates in man-pages + + [ Helmut Grohne ] + * [9b4c211] nftables: fix FTCBFS: B-D on a native python (Closes: #1022965) + + -- Arturo Borrero Gonzalez <arturo@debian.org> Thu, 03 Nov 2022 10:34:20 +0100 + +nftables (1.0.5-1) unstable; urgency=medium + + * [882aebc] New upstream version 1.0.5 + * [d1e9d3f] src:nftables: bump build-dep on libnftnl-dev + + -- Arturo Borrero Gonzalez <arturo@debian.org> Wed, 10 Aug 2022 13:29:18 +0200 + +nftables (1.0.4-2) unstable; urgency=medium + + * [9e654e0] d/nftables.conf: use named priorities + * [0e9757f] d/u/signing-key.asc: minimize signing key + * [49d2aee] d/libnftables1.symbols: add `Build-Depends-Package` field + * [1a50850] d/control: set R³: no. + * [1699c66] d/control: add myself to uploaders. 
+ * [cd9f31f] d/watch: use HTTPS URL + * [a6a05b6] d/watch: use `pgpmode=auto` + * [072624b] d/gbp.conf: buildpackage, import-orig: enable `pristine-tar` + * [92a12a3] d/gbp.conf: dch: set `id-length` + * [6ad5a0b] d/not-installed: remove static archive + * [c53e37d] d/rules: remove obsolete dh_installinit override + * [fb41a26] d/rules: move dh_auto_configure override + * [59c9317] d/rules: include architecture.mk + * [8f18fcd] d/rules: pass `--restart-after-upgrade` to dh_installsystemd + (closes: #1012613) + * [f9d8a42] d/copyright: remove obsolete files + * [75426a2] d/changelog: wrap long line + + -- Jeremy Sowden <jeremy@azazel.net> Sun, 19 Jun 2022 18:04:19 +0100 + +nftables (1.0.4-1) unstable; urgency=medium + + [ Christian Ehrhardt ] + * [8b15f04] Fix version map usage and add symbols file + (Closes: #1007888 LP: #1965464) + + [ Arturo Borrero Gonzalez ] + * [527715a] New upstream version 1.0.4 + * [929b673] d/patches: drop all patches + * [1a1a7e5] d/control: bump build-dep on libnftnl + + -- Arturo Borrero Gonzalez <arturo@debian.org> Wed, 08 Jun 2022 00:59:59 +0200 + +nftables (1.0.2-1) unstable; urgency=medium + + [ Arturo Borrero Gonzalez ] + * d/examples/workstation.nft: update icmpv6 example (Closes: #1000407) + + [ Sven Strickroth ] + * Add rules for ICMPv6 packets which must not be dropped + + [ Arturo Borrero Gonzalez ] + * New upstream version 1.0.2 + * d/patches: add 0001-examples-compile.patch + * libnftables-dev: include some code examples + + -- Arturo Borrero Gonzalez <arturo@debian.org> Wed, 23 Feb 2022 12:30:25 +0100 + +nftables (1.0.1-1) unstable; urgency=medium + + [ Jenkins ] + * [5be1165] Remove constraints unnecessary since buster + + [ Arturo Borrero Gonzalez ] + * [ddc89dc] nftables: recommend netbase (Closes: #995343) + * [1187467] src:nftables: bump std-version to 4.6.0 + * [ca1f8ef] d/copyright: refresh reference to libnftables.h + * [6d3871a] New upstream version 1.0.1 + * [48ae700] src:nftables: bump build-dep on libnftnl to 
1.2.1 + + -- Arturo Borrero Gonzalez <arturo@debian.org> Fri, 19 Nov 2021 14:59:06 +0100 + +nftables (1.0.0-1) unstable; urgency=medium + + * [3d9fb4f] New upstream version 1.0.0 + + -- Arturo Borrero Gonzalez <arturo@debian.org> Sat, 04 Sep 2021 18:45:41 +0200 + +nftables (0.9.9-1~exp1) experimental; urgency=medium + + * [8f1a46c] src:nftables: run wrap-and-sort + * [5d16ed2] python3-nftables: add Depends on python3-jsonschema + * [b63b60f] New upstream version 0.9.9 + * [45dd54e] src:nftables: bump build-dep on libnftnl to 1.2.0 + * [ffc9a3f] examples: relocate some upstream files + + -- Arturo Borrero Gonzalez <arturo@debian.org> Wed, 26 May 2021 12:32:25 +0200 + +nftables (0.9.8-3) unstable; urgency=medium + + * [94a6c9b] src:nftables: add docbook-xsl again as build-dep. + Thanks to Michael Biebl for the suggestion (Closes: #981641) + + -- Arturo Borrero Gonzalez <arturo@debian.org> Tue, 02 Feb 2021 17:25:57 +0100 + +nftables (0.9.8-2) unstable; urgency=medium + + [ Helmut Grohne ] + * [4eb3236] src:nftables: reduce Build-Depends (Closes: #981206) + + -- Arturo Borrero Gonzalez <arturo@debian.org> Wed, 27 Jan 2021 18:04:11 +0100 + +nftables (0.9.8-1) unstable; urgency=medium + + * [ccb440d] New upstream version 0.9.8 + Closes: #944759 + Closes: #933621 + Closes: #932878 + * [fb3429c] src:nftables: bump build-dep on libnftnl to 1.1.9 + * [1539707] src:nftables: bump std-version to 4.5.1 + * [48ea92d] src:nftables: switch to libeditreadline (Closes: #979103) + + -- Arturo Borrero Gonzalez <arturo@debian.org> Sun, 17 Jan 2021 18:48:39 +0100 + +nftables (0.9.7-1) unstable; urgency=medium + + * [8813565] d/t/control: mark nft -h test as superficial (Closes: #969851) + * [2a29c4f] d/upstream/signing-key.asc: refresh + * [eaf8b7f] New upstream version 0.9.7 + * [80c259b] src:nftables: bump build-dep on libnftnl to 1.1.8 + + -- Arturo Borrero Gonzalez <arturo@debian.org> Wed, 28 Oct 2020 16:01:29 +0100 + +nftables (0.9.6-1) unstable; urgency=medium + + * [e2f26f2] New 
upstream version 0.9.6 (Closes: #962909) + * [a203bd9] nftables: bump libmnl build-dep version to 1.0.4 + * [e7a683f] tests: only run them with kernels >= 5.x + * [517865d] src:nftables: bump std-version to 4.5.0 + + -- Arturo Borrero Gonzalez <arturo@debian.org> Tue, 16 Jun 2020 10:46:53 +0200 + +nftables (0.9.5-1) unstable; urgency=medium + + * [15ebe06] New upstream version 0.9.5 + * [1cc07ee] build-deps: bump libnftnl requirement to 1.1.7 + * [34f7c95] src:nftables: bump debhelper compat level to 13 + + -- Arturo Borrero Gonzalez <arturo@debian.org> Mon, 08 Jun 2020 11:11:53 +0200 + +nftables (0.9.4-1) unstable; urgency=medium + + * [41441b9] New upstream version 0.9.4 + * [9de28bb] d/patches: drop 0001-upstream-py-load-soname.patch + * [7c044e8] src:nftables: bump build-dep on libnftnl to 1.1.6 + + -- Arturo Borrero Gonzalez <arturo@debian.org> Thu, 02 Apr 2020 12:30:12 +0200 + +nftables (0.9.3-2) unstable; urgency=medium + + [ Debian Janitor ] + * Use secure URI in Homepage field. + * Set debhelper-compat version in Build-Depends. + * Re-export upstream signing key without extra signatures. + * debian/copyright: use spaces rather than tabs to start continuation + lines. + * Drop unnecessary dependency on dh-autoreconf. + * Use canonical URL in Vcs-Git. + + [ Chris Lamb ] + * [24184a4] nftables: don't install example Makefile (Closes: #946332) + + [ Arturo Borrero Gonzalez ] + * [7d2cf78] d/patches: add 0001-upstream-py-load-soname.patch + (Closes: #946219) + + -- Arturo Borrero Gonzalez <arturo@debian.org> Tue, 17 Dec 2019 13:49:23 +0100 + +nftables (0.9.3-1) unstable; urgency=medium + + * This release was packaged and uploaded to Debian while on a 300km/h train. 
+ Hope it works :-) + * [01e140c] New upstream version 0.9.3 + Closes: #944669 + Closes: #916863 + * [1674c79] src:nftables: bump build-dep version on linftnl + * [7074517] d/patches: drop patches included in latest upstream release + + -- Arturo Borrero Gonzalez <arturo@debian.org> Tue, 03 Dec 2019 14:03:14 +0100 + +nftables (0.9.2-2) unstable; urgency=medium + + [ Konstantin Demin ] + * [9c626fc] d/rules: build less verbose if requested + + [ Arturo Borrero Gonzalez ] + * [ba5d4d0] nftables: add Suggests: firewalld + * [f8bea94] nftables: add upstream patches to address firewalld testsuite + failures (Closes: #939838) + * [35f35af] src:nftables: bump std-version to 4.4.1 + + -- Arturo Borrero Gonzalez <arturo@debian.org> Wed, 09 Oct 2019 19:40:31 +0200 + +nftables (0.9.2-1) unstable; urgency=medium + + * [d29de9d] New upstream version 0.9.2 + * [27aa9aa] src:nftables: bump build-dep on libnftnl to 1.1.4 + * [2b73890] src:nftables: drop all patches, now included in upstream source + * [4ff7527] d/rules: make build more verbose by default + * [990710e] nftables: include more upstream example files + + -- Arturo Borrero Gonzalez <arturo@debian.org> Wed, 28 Aug 2019 13:22:32 +0200 + +nftables (0.9.1-3) unstable; urgency=medium + + * [609ee76] d/README.Debian: refresh file + * [3255aaa] src:nftables: run wrap-and-sort + * [5337001] nftables: raise package priority to important + * [09b720f] src:nftables: add docbook-xsl build-dep + * [9db946c] src:nftables: bump debhelper compat to 12 + * [4f0bb1d] nftables.maintscript: introduce file + * [1b54808] d/patches: add BE fixtures (Closes: #934740) + + -- Arturo Borrero Gonzalez <arturo@debian.org> Thu, 15 Aug 2019 15:01:49 +0200 + +nftables (0.9.1-2) unstable; urgency=medium + + * [9dc1bd1] d/control: bump std-version to 4.4.0 + + -- Arturo Borrero Gonzalez <arturo@debian.org> Wed, 10 Jul 2019 11:19:29 +0200 + +nftables (0.9.1-1~exp1) experimental; urgency=medium + + * [683e6f1] src:nftables: add salsa CI support + * 
[23e5163] d/watch: add missing line break + * [b6500d8] d/upstream/signing-key.asc: refresh key + * [b326349] New upstream version 0.9.1 + * [bf731ca] d/patches: drop reproducible.patch + * [29aa197] nftables: refresh build-dep for documentation + * [9d4cbf9] nftables: bump libnftnl build-dep version requirement + * [6d3bbe5] d/patches: add build_docs.patch + * [d041ac8] nftables-dbg: drop debug symbol migration relationship depends + * [b1c680a] libnftables: bump SONAME from 0 to 1 + * [8f39f4d] libnftables1: include additional manpages + * [40f70bf] d/copyright: refresh file + * [edb2911] python3-nftables: introduce new binary package + + -- Arturo Borrero Gonzalez <arturo@debian.org> Wed, 26 Jun 2019 13:43:47 +0200 + +nftables (0.9.0-2) unstable; urgency=medium + + * [0509603] d/t/control: mark internaltest-shell.sh as flaky (Closes: #903083) + * [79434be] d/t: run monitor testsuite + * [9b254aa] nftables: enable JSON support + + -- Arturo Borrero Gonzalez <arturo@debian.org> Mon, 03 Dec 2018 14:11:14 +0100 + +nftables (0.9.0-1) unstable; urgency=medium + + * [d1ad0df] d/t/internaltest-shell.sh: use installed nft binary + * [b857e27] d/control: add multiarch support for both libnftables0 and + libnftables-dev + * [94ba918] New upstream version 0.9.0 + * [b76ced6] d/control: bump build-dep on libnftnl + * [f4bbe12] d/control: bump std-versions to 4.1.4 + + -- Arturo Borrero Gonzalez <arturo@debian.org> Sat, 09 Jun 2018 14:47:07 +0200 + +nftables (0.8.5-1) unstable; urgency=medium + + * [c135598] d/t/control: disable internaltest-py.sh + * [c64af79] d/control: bump libnftnl buld-dep version to 1.1.0 + (Closes: #898538) + * [6c014f1] New upstream version 0.8.5 + * [bc3bf1c] d/patches/: drop rename_libnftables_h.patch + + -- Arturo Borrero Gonzalez <arturo@debian.org> Tue, 15 May 2018 10:54:19 +0200 + +nftables (0.8.4-1) unstable; urgency=medium + + * [7c20e29] New upstream version 0.8.4 + * [4d1ae20] libnftables: introduce binary packages + * [fe2897f] d/copyright: 
refresh with libnftables + + -- Arturo Borrero Gonzalez <arturo@debian.org> Thu, 03 May 2018 19:46:30 +0200 + +nftables (0.8.3-1) unstable; urgency=medium + + * [2cc4fde] New upstream version 0.8.3 + * [b2ad2f6] nftables: refresh example files + * [680e9d0] d/rules: use dh_installsystemd + + -- Arturo Borrero Gonzalez <arturo@debian.org> Sun, 04 Mar 2018 22:01:25 +0100 + +nftables (0.8.2-1) unstable; urgency=medium + + [ Helmut Grohne ] + * [159958f] d/rules: use dh_auto_configure (Closes: #888715) + + [ Arturo Borrero Gonzalez ] + * [66b45dd] New upstream version 0.8.2 + + -- Arturo Borrero Gonzalez <arturo@debian.org> Fri, 02 Feb 2018 19:57:44 +0100 + +nftables (0.8.1-1) unstable; urgency=medium + + * [46be8e1] d/control: update git URLs + * [77d8cc2] New upstream version 0.8.1 + * [57c711b] d/control: bump build-dep on libnftnl + * [517ecd2] d/control: bump std-version to 4.1.3 + * [bc590c4] d/compat: bump dh compat to 11 + * [68fbe65] d/copyright: use HTTPS in the URL + + -- Arturo Borrero Gonzalez <arturo@debian.org> Wed, 17 Jan 2018 14:55:14 +0100 + +nftables (0.8-2) unstable; urgency=medium + + * [95b5638] d/t/internaltest-py.sh: enable test, dummy module not required + * [a5f037d] d/control: bump build-dep version on libxtables to 1.6.1. + Thanks to James Clarke for the report. 
+ + -- Arturo Borrero Gonzalez <arturo@debian.org> Mon, 27 Nov 2017 13:07:24 +0100 + +nftables (0.8-1) unstable; urgency=medium + + [ Alexander Greiner-Bär ] + * [4157de9] nftables.service: use correct order in systemd unit file + (Closes: #873856) + + [ Arturo Borrero Gonzalez ] + * [311b618] New upstream version 0.8 + * [b38f21a] d/control: bump libnftnl dependency to 1.0.8 + * [19f5962] d/control: bump std-version to 4.1.1 + * [7d95221] d/watch: ignore nftables upstream version 0.100 and 0.099 + * [da499c0] d/control: update package description + * [734076e] nftables: update package documentation + * [8883735] d/copyright: refresh file + * [c5af3f3] d/control: drop old depends of dh- packages + + -- Arturo Borrero Gonzalez <arturo@debian.org> Wed, 18 Oct 2017 01:00:05 +0200 + +nftables (0.7-2) unstable; urgency=medium + + [ Arturo Borrero Gonzalez ] + * [058867f] d/control: move package to pkg-netfilter + + [ Martin Dickopp ] + * [bf9bd6e] nftables.service: load firewall earlier in the boot process + (Closes: #866902) + + [ Arturo Borrero Gonzalez ] + * [772f6ea] d/control: bump std-version to 4.0.0 + + -- Arturo Borrero Gonzalez <arturo@debian.org> Mon, 03 Jul 2017 09:23:22 +0200 + +nftables (0.7-1) unstable; urgency=medium + + * [c7b6524] New upstream version 0.7 + * [b061528] nftables: switch to debhelper compat 10 + * [33238bc] nftables-dbg: switch to -dbgsym package + * [4d838e4] d/control: bump dependency on libnftnl + * [0fac534] d/control: refresh kernel version reference in nftables + description + * [625229a] d/rules: enable hardening + + -- Arturo Borrero Gonzalez <arturo@debian.org> Thu, 22 Dec 2016 11:21:01 +0100 + +nftables (0.6+snapshot20161117-2) unstable; urgency=medium + + * [078c41a] d/tests/: disable internaltest-py.sh + * [0560a63] nftables-dbg: use Multi-Arch: same + * [f2ace74] nftables: don't use libxtables11 + + -- Arturo Borrero Gonzalez <arturo@debian.org> Wed, 23 Nov 2016 12:43:46 +0100 + +nftables (0.6+snapshot20161117-1) unstable; 
urgency=medium + + * [2540606] New upstream version 0.6+snapshot20161117 + * [8879bd0] d/control: bump build-dep on libnftnl 1.0.6+snapshot20161117 + * [f90e51c] nftables: enable libxtables integration + + -- Arturo Borrero Gonzalez <arturo@debian.org> Thu, 17 Nov 2016 11:30:33 +0100 + +nftables (0.6-3) unstable; urgency=medium + + * [c4cacdd] d/: update email address to 'arturo@debian.org' + + -- Arturo Borrero Gonzalez <arturo@debian.org> Mon, 10 Oct 2016 11:10:16 +0200 + +nftables (0.6-2) unstable; urgency=medium + + * [2ff280b] d/tests/systemd-service-test.sh: dont use echo in the + initial warning + * [89a01ba] d/tests/internaltests-shell.sh: dont' run testsuite if + kernel is < 4.x + * [59e6ac2] d/nftables.{postinst,postrm,preinst}: gracefully delete + /etc/init.d/nftables (Closes: #833078) + + -- Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com> Mon, 01 Aug 2016 12:26:56 +0200 + +nftables (0.6-1) unstable; urgency=medium + + * [5564626] Imported Upstream version 0.6 + * [65ce938] d/control: bump dependency version on libnftnl + * [2127d04] d/control: adjust dependecy on libmnl 1.0.3 + * [d18e174] d/control: point to linux 4.7 in package descriptions + + -- Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com> Fri, 03 Jun 2016 10:31:34 +0200 + +nftables (0.5+snapshot20160509-1) unstable; urgency=medium + + * [5a7c867] d/tests/internaltests-py.sh: run testsuite with installed + binary + * [b2282c4] d/tests/systemd-service-test.sh: don't run tests if old + kernel is present + * [b389985] Imported Upstream version 0.5+snapshot20160509 + + -- Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com> Mon, 09 May 2016 13:58:32 +0200 + +nftables (0.5+snapshot20160426-1) unstable; urgency=medium + + * [955e138] d/tests/systemd-service-test.sh: adapt script to + ci.debian.net + * [ad1699a] Imported Upstream version 0.5+snapshot20160426 + + -- Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com> Tue, 26 Apr 2016 11:01:18 +0200 + +nftables 
(0.5+snapshot20160419-3) unstable; urgency=medium + + * [f1d8880] d/control: bump standars-version to 3.9.8 + * [65bae17] d/tests: add systemd-service-test.sh + * [e2e4cd7] d/tests: include script extension in file names + * [fd16851] d/: gracefully delete old config files from /etc/nftables + (Closes: #822239) + * [af57b91] d/rules: prevent dh_installinit to act on + /etc/init.d/nftables + + -- Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com> Mon, 25 Apr 2016 11:37:00 +0200 + +nftables (0.5+snapshot20160419-2) unstable; urgency=medium + + * [cf22dca] d/tests/control: internaltests-shell requires kmod + * [dd847bb] d/README.Debian: fix several typos + + -- Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com> Wed, 20 Apr 2016 17:25:50 +0200 + +nftables (0.5+snapshot20160419-1) unstable; urgency=medium + + * [88b9c37] d/rules: don't add /etc/nftables/ dir to 'nftables' binary package + * [e0472f0] sysvinit: the init script is now just an example + * [f89907b] examples: restore upstream examples + * [8228918] d/nftables.examples: cleanup leftover line regarding upstream + examples + * [0655029] nftables.conf: provide a skeleton firewall and use the old one as + example (Closes: #804648) + * [dc504e4] examples/syntax/README: point to the nftables wiki + * [ecd9257] examples/syntax/nat: add new example file + * [406baf9] examples/syntax/: add a new example file: overview + * [3fa3d3e] d/control: bump standards to 3.9.7 + * [79a8520] Imported Upstream version 0.5+snapshot20160419 + * [775f2af] d/control: get rid of XS-Testsuite + * [9ac90db] d/control: change Vcs-git from git:// to https:// + * [b4b8ee7] d/control: bump dependency with libnftnl + * [9e6b0eb] d/tests: run internal nftables tests (shell) + * [f8e3da1] d/tests: run internal nftables tests (py) + + -- Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com> Wed, 20 Apr 2016 12:00:22 +0200 + +nftables (0.5+snapshot20151106-1) unstable; urgency=medium + + * [bd1e71f] Imported Upstream version 
0.5+snapshot20151106 + * [b7e3c39] d/control: bump build-dep on libnftnl + + -- Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com> Fri, 06 Nov 2015 13:32:49 +0100 + +nftables (0.5-2) unstable; urgency=medium + + * [92938c3] d/rules: get rid of useless commented line + * [a04a737] d/: add nftables-dbg binary package + + -- Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com> Tue, 13 Oct 2015 14:03:25 +0200 + +nftables (0.5-1) unstable; urgency=medium + + * [007a8d0] Imported Upstream version 0.5 + * [9a90c87] d/control: nftables 0.5 requires libnftnl >= 1.0.5 + * [17fdcc1] d/control: update nftables description: linux 4.2 recommended + * [a473529] d/copyright: update file to include latest changes in v0.5 + * [4a9deac] d/copyright: drop copyright for debian/* + + -- Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com> Fri, 18 Sep 2015 11:44:21 +0200 + +nftables (0.4-7) unstable; urgency=medium + + [ Vincent Blut ] + * [0fc181f] d/copyright: fix missing doc/nft.xml license (Closes: #795096) + + [ Arturo Borrero Gonzalez ] + * [ae662e4] d/rules: drop get-orig-source code + + -- Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com> Mon, 17 Aug 2015 11:20:15 +0200 + +nftables (0.4-6) unstable; urgency=medium + + * [4f9fbf0] d/tests/control: add restriction to run test as root + * [be594d3] nftables.conf: improve icmpv6 support + + -- Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com> Fri, 15 May 2015 12:53:09 +0200 + +nftables (0.4-5) unstable; urgency=medium + + * [231244a] sysvinit: don't start the service by default + + -- Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com> Wed, 06 May 2015 11:56:10 +0200 + +nftables (0.4-4) unstable; urgency=medium + + * [c8b825e] /etc/init.d/nftables: fix inverted logic in status op. 
+ Thanks to Manolo Diaz for the fast report (Closes: #783608) + * [2105ccb] source: make the build reproducible + + -- Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com> Tue, 05 May 2015 12:15:33 +0200 + +nftables (0.4-3) unstable; urgency=medium + + * [d42d50f] d/nftables.init: doesn't require networking to stop + * [ceee9cb] d/nftables.service: the service is of Type=oneshot + * [8415993] d/nftables.init: fix bashism in status operation. + Thanks to Manolo Diaz for the bug report (Closes: #775875) + * [a0e197a] d/tests: add basic autopkgtest support + + -- Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com> Fri, 20 Mar 2015 21:27:46 +0100 + +nftables (0.4-2) unstable; urgency=medium + + * Both a /etc/init.d/nftables and a nftables.service files are distributed + for admins to easily make nftables theirs system firewalls. + * [2237bad] d/nftables.examples: only ship upstream examples, not in + /etc/nftables + + -- Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com> Fri, 09 Jan 2015 14:59:47 +0100 + +nftables (0.4-1) unstable; urgency=medium + + * [b187410] d/control: bump standars to 3.9.6 + * [2021272] Imported Upstream version 0.4 (Closes: #773401) + * [8b73e74] d/patches/: drop all v0.3 patches + * [bff758e] d/control: depends on libnftnl >= 1.0.3 + * [0e2023b] d/copyright: put more general statement first + * [b382dff] d/rules: fix perms of files under /etc/nftables + * [96252e6] d/rules: disable silent rules + + -- Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com> Mon, 22 Dec 2014 10:33:33 +0100 + +nftables (0.3-1) unstable; urgency=medium + + * [3a4f54a] d/patches: patch to harden the build + * [b6c82d5] Imported Upstream version 0.3 + * [98e5eb7] d/control: depends on libnftnl >= 1.0.2 + + -- Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com> Wed, 25 Jun 2014 19:02:59 +0200 + +nftables (0.2-2) unstable; urgency=low + + * [6aa52bf] d/README.Debian: fix Patrick McHardy name + * [ca0e8ba] d/nftables.links: fix broken links file + * 
[7492a48] d/rules: delete override for dh_auto_test + * [1aca9dd] d/patches: improve verbose_build.patch + + -- Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com> Tue, 27 May 2014 11:14:48 +0200 + +nftables (0.2-1) unstable; urgency=low + + * Initial release (Closes: #522176) + + -- Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com> Fri, 09 May 2014 19:22:44 +0100 diff --git a/debian/clean b/debian/clean new file mode 100644 index 0000000..e8a6465 --- /dev/null +++ b/debian/clean @@ -0,0 +1 @@ +py/nftables.egg-info/ diff --git a/debian/control b/debian/control new file mode 100644 index 0000000..716fd8d --- /dev/null +++ b/debian/control 
@@ -0,0 +1,106 @@ +Source: nftables +Section: net +Priority: important +Maintainer: Debian Netfilter Packaging Team <pkg-netfilter-team@lists.alioth.debian.org> +Uploaders: Arturo Borrero Gonzalez <arturo@debian.org>, + Jeremy Sowden <jeremy@azazel.net> +Build-Depends: automake, + debhelper-compat (= 13), + dh-python, + libeditreadline-dev, + libgmp-dev, + libjansson-dev, + libmnl-dev, + libnftnl-dev (>= 1.2.6), + libtool, + libxtables-dev, + pybuild-plugin-pyproject, + python3-all:any, + python3-setuptools +Rules-Requires-Root: no +Standards-Version: 4.6.2 +Homepage: https://www.netfilter.org/ +Vcs-Git: https://salsa.debian.org/pkg-netfilter-team/pkg-nftables.git +Vcs-Browser: https://salsa.debian.org/pkg-netfilter-team/pkg-nftables + +Package: nftables +Architecture: linux-any +Depends: libnftables1 (=${binary:Version}), ${misc:Depends}, ${shlibs:Depends} +Recommends: netbase +Suggests: firewalld +Description: Program to control packet filtering rules by Netfilter project + This software provides an in-kernel packet classification framework that is + based on a network-specific Virtual Machine (VM) and the nft userspace + command line tool. The nftables framework reuses the existing Netfilter + subsystems such as the existing hook infrastructure, the connection tracking + system, NAT, userspace queueing and logging subsystem. + . + nftables replaces the old popular iptables, ip6tables, arptables and ebtables. + . + Netfilter software and nftables in particular are used in applications such + as Internet connection sharing, firewalls, IP accounting, transparent + proxying, advanced routing and traffic control. + . + A Linux kernel >= 3.13 is required. However, >= 4.14 is recommended. 
+ +Package: libnftables-dev +Section: libdevel +Priority: optional +Architecture: linux-any +Multi-Arch: same +Depends: libnftables1 (=${binary:Version}), ${misc:Depends} +Description: Development files for libnftables + This library provides high level semantics to interact with the nftables + framework by Netfilter project. + . + nftables replaces the old popular iptables, ip6tables, arptables and ebtables. + . + Netfilter software and nftables in particular are used in applications such + as Internet connection sharing, firewalls, IP accounting, transparent + proxying, advanced routing and traffic control. + . + A Linux kernel >= 3.13 is required. However, >= 4.14 is recommended. + . + This package provides development files and static libraries. + +Package: libnftables1 +Section: libs +Priority: optional +Architecture: linux-any +Multi-Arch: same +Depends: ${misc:Depends}, ${shlibs:Depends} +Description: Netfilter nftables high level userspace API library + This library provides high level semantics to interact with the nftables + framework by Netfilter project. + . + nftables replaces the old popular iptables, ip6tables, arptables and ebtables. + . + Netfilter software and nftables in particular are used in applications such + as Internet connection sharing, firewalls, IP accounting, transparent + proxying, advanced routing and traffic control. + . + A Linux kernel >= 3.13 is required. However, >= 4.14 is recommended. + . + This package contains the libnftables library. + +Package: python3-nftables +Priority: optional +Section: python +Architecture: linux-any +Depends: libnftables1 (=${binary:Version}), + python3-jsonschema, + ${misc:Depends}, + ${python3:Depends} +Description: nftables/libnftables python3 module + The libnftables library provides high level semantics to interact with the + nftables framework by the Netfilter project. + . + nftables replaces the old popular iptables, ip6tables, arptables and ebtables. + . 
+ Netfilter software and nftables in particular are used in applications such + as Internet connection sharing, firewalls, IP accounting, transparent + proxying, advanced routing and traffic control. + . + A Linux kernel >= 3.13 is required. However, >= 4.14 is recommended. + . + This package contains the libnftables python3 bindings. diff --git a/debian/copyright b/debian/copyright new file mode 100644 index 0000000..c6b8917 --- /dev/null +++ b/debian/copyright 
@@ -0,0 +1,493 @@ +Format: https://www.debian.org/doc/packaging-manuals/copyright-format/1.0/ +Upstream-Name: nftables +Source: http://git.netfilter.org/nftables + +Files: * +Copyright: 2008 Patrick McHardy <kaber@trash.net> +License: GPL-2 + +Files: tests/py/nft-test.py +Copyright: 2014 Ana Rey Botello <anarey@gmail.com> +License: GPL-2+ + +Files: src/nfnl_osf.c +Copyright: 2005 Evgeniy Polyakov <johnpol@2ka.mxt.ru> +License: GPL-2+ + +Files: py/nftables.py +Copyright: 2018 Phil Sutter <phil@nwl.cc> +License: GPL-2 + +Files: src/libnftables.c include/nftables/libnftables.h +Copyright: 2017 Eric Leblond <eric@regit.org> +License: GPL-2 + +Files: src/netlink.c +Copyright: 2008-2012 Patrick McHardy <kaber@trash.net> + 2013 Pablo Neira Ayuso <pablo@netfilter.org> +License: GPL-2 + +Files: src/netlink_delinearize.c src/netlink_linearize.c +Copyright: 2008 Patrick McHardy <kaber@trash.net> + 2013 Pablo Neira Ayuso <pablo@netfilter.org> +License: GPL-2 + +Files: src/mnl.c +Copyright: 2013 Pablo Neira Ayuso <pablo@netfilter.org> +License: GPL-2 + +Files: src/iface.c +Copyright: 2015 Pablo Neira Ayuso <pablo@netfilter.org> +License: GPL-2 + +Files: src/hash.c +Copyright: 2016 Pablo Neira Ayuso <pablo@netfilter.org> +License: GPL-2 + +Files: src/mini-gmp.c include/mini-gmp.h +Copyright: 1991-1997, 1999-2014, Free Software Foundation, Inc +License: GPL-2+ + +Files: src/xt.c +Copyright: 2013-2015 Pablo Neira Ayuso <pablo@netfilter.org> + 2015 Arturo Borrero Gonzalez <arturo@debian.org> +License: GPL-2 + +Files: src/mergesort.c +Copyright: 2017 Elise Lennion <elise.lennion@gmail.com> +License: GPL-2 + +Files: src/rt.c +Copyright: 2016 Anders K. 
Pedersen <akp@cohaesio.com> +License: GPL-2 + +Files: src/fib.c +Copyright: Red Hat GmbH +License: GPL-2 + +Files: include/linux/netfilter_arp.h +Copyright: 2002 Rusty Russell - IBM +License: GPL-2 + +Files: include/linux/netfilter_decnet.h +Copyright: 1999 Steve Whitehouse + 1998 Rusty Russell +License: GPL-2 + +Files: include/linux/netfilter_ipv6.h +Copyright: 1998 Rusty Russell + 1999 David Jeffery +License: GPL-2 + +Files: include/linux/netfilter_ipv4.h +Copyright: 1998 Rusty Russell +License: GPL-2 + +Files: files/osf/pf.os +Copyright: 2000-2003 by Michal Zalewski <lcamtuf@coredump.cx> + 2003 by Mike Frantzen <frantzen@w4g.org> +License: GPL-2 + +Files: doc/nft.txt +Copyright: 2008-2014 Patrick McHardy <kaber@trash.net> +License: CC-BY-SA-4.0 + +License: GPL-2 + This program is free software; you can redistribute it and/or modify + it under the terms of the GNU Library General Public License as published by + the Free Software Foundation. + . + This program is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the + GNU Library General Public License for more details. + . + You should have received a copy of the GNU General Public License + along with this program. If not, see <http://www.gnu.org/licenses/> + . + On Debian systems, the complete text of the GNU General + Public License version 2 can be found in "/usr/share/common-licenses/GPL-2". + +License: GPL-2+ + This package is free software; you can redistribute it and/or modify + it under the terms of the GNU General Public License as published by + the Free Software Foundation; either version 2 of the License, or + (at your option) any later version. + . + This package is distributed in the hope that it will be useful, + but WITHOUT ANY WARRANTY; without even the implied warranty of + MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. 
See the + GNU General Public License for more details. + . + You should have received a copy of the GNU General Public License + along with this program. If not, see <http://www.gnu.org/licenses/> + . + On Debian systems, the complete text of the GNU General + Public License version 2 can be found in "/usr/share/common-licenses/GPL-2". + +License: CC-BY-SA-4.0 + Creative Commons Attribution-ShareAlike 4.0 International + . + Creative Commons Corporation (“Creative Commons”) is not a law firm and does + not provide legal services or legal advice. Distribution of Creative Commons + public licenses does not create a lawyer-client or other relationship. + Creative Commons makes its licenses and related information available on an + “as-is” basis. Creative Commons gives no warranties regarding its licenses, + any material licensed under their terms and conditions, or any related + information. Creative Commons disclaims all liability for damages resulting + from their use to the fullest extent possible. Using Creative Commons Public + Licenses Creative Commons public licenses provide a standard set of terms and + conditions that creators and other rights holders may use to share original + works of authorship and other material subject to copyright and certain other + rights specified in the public license below. The following considerations + are for informational purposes only, are not exhaustive, and do not form part + of our licenses. Considerations for licensors: Our public licenses are + intended for use by those authorized to give the public permission to use + material in ways otherwise restricted by copyright and certain other rights. + Our licenses are irrevocable. Licensors should read and understand the terms + and conditions of the license they choose before applying it. Licensors + should also secure all rights necessary before applying our licenses so that + the public can reuse the material as expected. 
Licensors should clearly mark + any material not subject to the license. This includes other CC-licensed + material, or material used under an exception or limitation to copyright. + More considerations for licensors. Considerations for the public: By using + one of our public licenses, a licensor grants the public permission to use + the licensed material under specified terms and conditions. If the licensor’s + permission is not necessary for any reason–for example, because of any + applicable exception or limitation to copyright–then that use is not + regulated by the license. Our licenses grant only permissions under copyright + and certain other rights that a licensor has authority to grant. Use of + the licensed material may still be restricted for other reasons, including + because others have copyright or other rights in the material. A licensor + may make special requests, such as asking that all changes be marked or + described. Although not required by our licenses, you are encouraged to + respect those requests where reasonable. More considerations for the public. + . + Creative Commons Attribution-ShareAlike 4.0 International Public License + . + By exercising the Licensed Rights (defined below), You accept and agree + to be bound by the terms and conditions of this Creative Commons + Attribution-ShareAlike 4.0 International Public License ("Public License"). + To the extent this Public License may be interpreted as a contract, You are + granted the Licensed Rights in consideration of Your acceptance of these + terms and conditions, and the Licensor grants You such rights in consideration + of benefits the Licensor receives from making the Licensed Material available + under these terms and conditions. + . + Section 1 – Definitions. + . + a. 
Adapted Material means material subject to Copyright and Similar Rights + that is derived from or based upon the Licensed Material and in which the + Licensed Material is translated, altered, arranged, transformed, or + otherwise modified in a manner requiring permission under the Copyright + and Similar Rights held by the Licensor. For purposes of this Public + License, where the Licensed Material is a musical work, performance, or + sound recording, Adapted Material is always produced where the Licensed + Material is synched in timed relation with a moving image. + . + b. Adapter's License means the license You apply to Your Copyright and + Similar Rights in Your contributions to Adapted Material in accordance + with the terms and conditions of this Public License. + . + c. BY-SA Compatible License means a license listed at + creativecommons.org/compatiblelicenses, approved by Creative Commons + as essentially the equivalent of this Public License. + . + d. Copyright and Similar Rights means copyright and/or similar rights closely + related to copyright including, without limitation, performance, + broadcast, sound recording, and Sui Generis Database Rights, without + regard to how the rights are labeled or categorized. For purposes of this + Public License, the rights specified in Section 2(b)(1)-(2) are not + Copyright and Similar Rights. + . + e. Effective Technological Measures means those measures that, in the absence + of proper authority, may not be circumvented under laws fulfilling + obligations under Article 11 of the WIPO Copyright Treaty adopted on + December 20, 1996, and/or similar international agreements. + . + f. Exceptions and Limitations means fair use, fair dealing, and/or any other + exception or limitation to Copyright and Similar Rights that applies to + Your use of the Licensed Material. + . + g. License Elements means the license attributes listed in the name of a + Creative Commons Public License. 
The License Elements of this Public + License are Attribution and ShareAlike. + . + h. Licensed Material means the artistic or literary work, database, or other + material to which the Licensor applied this Public License. + . + i. Licensed Rights means the rights granted to You subject to the terms and + conditions of this Public License, which are limited to all Copyright and + Similar Rights that apply to Your use of the Licensed Material and that + the Licensor has authority to license. + . + j. Licensor means the individual(s) or entity(ies) granting rights under this + Public License. + . + k. Share means to provide material to the public by any means or process that + requires permission under the Licensed Rights, such as reproduction, + public display, public performance, distribution, dissemination, + communication, or importation, and to make material available to the + public including in ways that members of the public may access the + material from a place and at a time individually chosen by them. + . + l. Sui Generis Database Rights means rights other than copyright resulting + from Directive 96/9/EC of the European Parliament and of the Council of + 11 March 1996 on the legal protection of databases, as amended and/or + succeeded, as well as other essentially equivalent rights anywhere in the + world. + . + m. You means the individual or entity exercising the Licensed Rights under + this Public License. Your has a corresponding meaning. + . + Section 2 – Scope. + . + a. License grant. + . + 1. Subject to the terms and conditions of this Public License, the + Licensor hereby grants You a worldwide, royalty-free, + non-sublicensable, non-exclusive, irrevocable license to exercise + the Licensed Rights in the Licensed Material to: + . + A. reproduce and Share the Licensed Material, in whole or in part; and + B. produce, reproduce, and Share Adapted Material. + . + 2. Exceptions and Limitations. 
For the avoidance of doubt, where + Exceptions and Limitations apply to Your use, this Public License + does not apply, and You do not need to comply with its terms and + conditions. + . + 3. Term. The term of this Public License is specified in Section 6(a). + . + 4. Media and formats; technical modifications allowed. The Licensor + authorizes You to exercise the Licensed Rights in all media and + formats whether now known or hereafter created, and to make + technical modifications necessary to do so. The Licensor waives + and/or agrees not to assert any right or authority to forbid You + from making technical modifications necessary to exercise the + Licensed Rights, including technical modifications necessary to + circumvent Effective Technological Measures. For purposes of this + Public License, simply making modifications authorized by this + Section 2(a)(4) never produces Adapted Material. + . + 5. Downstream recipients. + . + A. Offer from the Licensor – Licensed Material. Every recipient of + the Licensed Material automatically receives an offer from the + Licensor to exercise the Licensed Rights under the terms and + conditions of this Public License. + . + B. Additional offer from the Licensor – Adapted Material. Every + recipient of Adapted Material from You automatically receives an + offer from the Licensor to exercise the Licensed Rights in the + Adapted Material under the conditions of the Adapter’s License + You apply. + . + C. No downstream restrictions. You may not offer or impose any + additional or different terms or conditions on, or apply any + Effective Technological Measures to, the Licensed Material if + doing so restricts exercise of the Licensed Rights by any + recipient of the Licensed Material. + . + 6. No endorsement. 
Nothing in this Public License constitutes or may be + construed as permission to assert or imply that You are, or that Your + use of the Licensed Material is, connected with, or sponsored, + endorsed, or granted official status by, the Licensor or others + designated to receive attribution as provided in Section 3(a)(1)(A)(i). + . + b. Other rights. + . + 1. Moral rights, such as the right of integrity, are not licensed under + this Public License, nor are publicity, privacy, and/or other similar + personality rights; however, to the extent possible, the Licensor + waives and/or agrees not to assert any such rights held by the + Licensor to the limited extent necessary to allow You to exercise the + Licensed Rights, but not otherwise. + . + 2. Patent and trademark rights are not licensed under this Public License. + . + 3. To the extent possible, the Licensor waives any right to collect + royalties from You for the exercise of the Licensed Rights, whether + directly or through a collecting society under any voluntary or + waivable statutory or compulsory licensing scheme. In all other + cases the Licensor expressly reserves any right to collect such + royalties. + . + Section 3 – License Conditions. + . + Your exercise of the Licensed Rights is expressly made subject to the + following conditions. + . + a. Attribution. + . + 1. If You Share the Licensed Material (including in modified form), + You must: + . + A. retain the following if it is supplied by the Licensor with + the Licensed Material: + . + i. identification of the creator(s) of the Licensed Material + and any others designated to receive attribution, in any + reasonable manner requested by the Licensor (including by + pseudonym if designated); + . + ii. a copyright notice; + . + iii. a notice that refers to this Public License; + . + iv. a notice that refers to the disclaimer of warranties; + . + v. a URI or hyperlink to the Licensed Material to the extent + reasonably practicable; + . + B. 
indicate if You modified the Licensed Material and retain an + indication of any previous modifications; and + . + C. indicate the Licensed Material is licensed under this Public + License, and include the text of, or the URI or hyperlink to, + this Public License. + . + 2. You may satisfy the conditions in Section 3(a)(1) in any reasonable + manner based on the medium, means, and context in which You Share + the Licensed Material. For example, it may be reasonable to satisfy + the conditions by providing a URI or hyperlink to a resource that + includes the required information. + . + 3. If requested by the Licensor, You must remove any of the information + required by Section 3(a)(1)(A) to the extent reasonably practicable. + . + b. ShareAlike.In addition to the conditions in Section 3(a), if You Share + Adapted Material You produce, the following conditions also apply. + . + 1. The Adapter’s License You apply must be a Creative Commons license + with the same License Elements, this version or later, or a BY-SA + Compatible License. + . + 2. You must include the text of, or the URI or hyperlink to, the + Adapter's License You apply. You may satisfy this condition in + any reasonable manner based on the medium, means, and context in + which You Share Adapted Material. + . + 3. You may not offer or impose any additional or different terms or + conditions on, or apply any Effective Technological Measures to, + Adapted Material that restrict exercise of the rights granted under + the Adapter's License You apply. + . + Section 4 – Sui Generis Database Rights. + . + Where the Licensed Rights include Sui Generis Database Rights that apply to + Your use of the Licensed Material: + . + a. for the avoidance of doubt, Section 2(a)(1) grants You the right to + extract, reuse, reproduce, and Share all or a substantial portion of + the contents of the database; + . + b. 
if You include all or a substantial portion of the database contents + in a database in which You have Sui Generis Database Rights, then the + database in which You have Sui Generis Database Rights (but not its + individual contents) is Adapted Material, including for purposes of + Section 3(b); and + . + c. You must comply with the conditions in Section 3(a) if You Share all + or a substantial portion of the contents of the database. + For the avoidance of doubt, this Section 4 supplements and does not + replace Your obligations under this Public License where the Licensed + Rights include other Copyright and Similar Rights. + . + Section 5 – Disclaimer of Warranties and Limitation of Liability. + . + a. Unless otherwise separately undertaken by the Licensor, to the extent + possible, the Licensor offers the Licensed Material as-is and + as-available, and makes no representations or warranties of any kind + concerning the Licensed Material, whether express, implied, statutory, + or other. This includes, without limitation, warranties of title, + merchantability, fitness for a particular purpose, non-infringement, + absence of latent or other defects, accuracy, or the presence or + absence of errors, whether or not known or discoverable. Where + disclaimers of warranties are not allowed in full or in part, this + disclaimer may not apply to You. + . + b. To the extent possible, in no event will the Licensor be liable to + You on any legal theory (including, without limitation, negligence) + or otherwise for any direct, special, indirect, incidental, + consequential, punitive, exemplary, or other losses, costs, expenses, + or damages arising out of this Public License or use of the Licensed + Material, even if the Licensor has been advised of the possibility of + such losses, costs, expenses, or damages. Where a limitation of + liability is not allowed in full or in part, this limitation may not + apply to You. + . + c. 
The disclaimer of warranties and limitation of liability provided above + shall be interpreted in a manner that, to the extent possible, most + closely approximates an absolute disclaimer and waiver of all liability. + . + Section 6 – Term and Termination. + . + a. This Public License applies for the term of the Copyright and Similar + Rights licensed here. However, if You fail to comply with this Public + License, then Your rights under this Public License terminate + automatically. + . + b. Where Your right to use the Licensed Material has terminated under + Section 6(a), it reinstates: + . + 1. automatically as of the date the violation is cured, provided it + is cured within 30 days of Your discovery of the violation; or + . + 2. upon express reinstatement by the Licensor. + . + c. For the avoidance of doubt, this Section 6(b) does not affect any right + the Licensor may have to seek remedies for Your violations of this Public + License. + . + d. For the avoidance of doubt, the Licensor may also offer the Licensed + Material under separate terms or conditions or stop distributing the + Licensed Material at any time; however, doing so will not terminate + this Public License. + . + e. Sections 1, 5, 6, 7, and 8 survive termination of this Public License. + . + Section 7 – Other Terms and Conditions. + . + a. The Licensor shall not be bound by any additional or different terms + or conditions communicated by You unless expressly agreed. + . + b. Any arrangements, understandings, or agreements regarding the Licensed + Material not stated herein are separate from and independent of the + terms and conditions of this Public License. + . + Section 8 – Interpretation. + . + a. For the avoidance of doubt, this Public License does not, and shall + not be interpreted to, reduce, limit, restrict, or impose conditions + on any use of the Licensed Material that could lawfully be made without + permission under this Public License. + . + b. 
To the extent possible, if any provision of this Public License is + deemed unenforceable, it shall be automatically reformed to the minimum + extent necessary to make it enforceable. If the provision cannot be + reformed, it shall be severed from this Public License without affecting + the enforceability of the remaining terms and conditions. + . + c. No term or condition of this Public License will be waived and no + failure to comply consented to unless expressly agreed to by the + Licensor. + . + d. Nothing in this Public License constitutes or may be interpreted as a + limitation upon, or waiver of, any privileges and immunities that apply + to the Licensor or You, including from the legal processes of any + jurisdiction or authority. + . + Creative Commons is not a party to its public licenses. Notwithstanding, + Creative Commons may elect to apply one of its public licenses to material + it publishes and in those instances will be considered the “Licensor.” + Except for the limited purpose of indicating that material is shared under + a Creative Commons public license or as otherwise permitted by the Creative + Commons policies published at creativecommons.org/policies, Creative Commons + does not authorize the use of the trademark “Creative Commons” or any other + trademark or logo of Creative Commons without its prior written consent + including, without limitation, in connection with any unauthorized + modifications to any of its public licenses or any other arrangements, + understandings, or agreements concerning use of licensed material. For the + avoidance of doubt, this paragraph does not form part of the public licenses. + Creative Commons may be contacted at creativecommons.org. diff --git a/debian/examples/README b/debian/examples/README new file mode 100644 index 0000000..3c0ff46 --- /dev/null +++ b/debian/examples/README 
@@ -0,0 +1,13 @@ +These are some examples of the nftables syntax. + +You may find example configurations for different families and operations (nat, +filter, mangle). + +Also, you may find concrete configurations models, for example a simple +ruleset for a workstation. + +For up-to-date information about syntax and usage, head to the official +wiki at: http://wiki.nftables.org +--- + The nftables package Debian maintainer, + Arturo Borrero Gonzalez - 13/Nov/2015 diff --git a/debian/examples/nat.nft b/debian/examples/nat.nft new file mode 100755 index 0000000..ec17b02 --- /dev/null +++ b/debian/examples/nat.nft @@ -0,0 +1,30 @@ +#!/usr/sbin/nft -f + +table ip nat { + chain prerouting { + type nat hook prerouting priority 0; + + #Thanks to nftables maps, if you have a previous iptables NAT (destination NAT) ruleset like this: + # % iptables -t nat -A PREROUTING -p tcp --dport 1000 -j DNAT --to-destination 1.1.1.1:1234 + # % iptables -t nat -A PREROUTING -p udp --dport 2000 -j DNAT --to-destination 2.2.2.2:2345 + # % iptables -t nat -A PREROUTING -p tcp --dport 3000 -j DNAT --to-destination 3.3.3.3:3456 + + # It can be easily translated to nftables in a single line: + + dnat tcp dport map { 1000 : 1.1.1.1, 2000 : 2.2.2.2, 3000 : 3.3.3.3} \ + : tcp dport map { 1000 : 1234, 2000 : 2345, 3000 : 3456 } + } + + chain postrouting { + type nat hook postrouting priority 0; + + #Likewise, in iptables NAT (source NAT): + # % iptables -t nat -A POSTROUTING -s 192.168.1.1 -j SNAT --to-source 1.1.1.1 + # % iptables -t nat -A POSTROUTING -s 192.168.2.2 -j SNAT --to-source 2.2.2.2 + # % iptables -t nat -A POSTROUTING -s 192.168.3.3 -j SNAT --to-source 3.3.3.3 + + # Translated to a nftables one-liner: + + snat ip saddr map { 192.168.1.1 : 1.1.1.1, 192.168.2.2 : 2.2.2.2, 192.168.3.3 : 3.3.3.3 } + } +} diff --git a/debian/examples/overview.nft b/debian/examples/overview.nft new file mode 100755 index 0000000..98079db --- /dev/null +++ b/debian/examples/overview.nft 
@@ -0,0 +1,56 @@ +#!/usr/sbin/nft -f + +table inet overview_test_table { + chain overview_test_chain { + # + # simple selectors + # + + # source & destination address + ip saddr 1.1.1.1 ip daddr 2.2.2.2 + + # tcp or udp ports + tcp dport 123 + udp sport 123 + + # using sets + ip saddr {1.1.1.1, 2.2.2.2} ip daddr {3.3.3.3, 4.4.4.4} tcp dport {22, 80, 443} + + # packets meta information: nic names + iifname eth0 oifname eth1 + + # packets meta information: nic index + iif bond0 oif bond1 + + # conntrack engine states + ct state new,established + ct state invalid + ct state established,related + + # + # simple verdicts (iptables targets) + # + + # counter and drop all traffic + counter drop + + # accept all traffic + accept + + # + # rejecting traffic (more info at http://wiki.nftables.org/) + # + + # counter and reject all traffic + counter reject + + # reject with a concrete ICMP code + reject with icmp type host-unreachable + + # reject with a concrete ICMPv6 code + reject with icmpv6 type no-route + + # multi-family reject, using the icmpx keyword + reject with icmpx type admin-prohibited + } +} diff --git a/debian/examples/sysvinit/README b/debian/examples/sysvinit/README new file mode 100644 index 0000000..b1002f6 --- /dev/null +++ b/debian/examples/sysvinit/README @@ -0,0 +1,14 @@ +The file /usr/share/doc/nftables/examples/sysvinit/nftables.init is a typical +sysvinit script for you to use as /etc/init.d/nftables. + +Given Debian default init system is systemd, I have no intention to support +sysvinit apart of providing this example file. + +Read the script carefully before using it, as is just an example. +You will likely require to manually edit and install the script in order to +properly use it. + +I will probably drop all sysvinit-related stuff like this in the future. +--- + The nftables package Debian maintainer, + Arturo Borrero Gonzalez - 12/Nov/2015 
diff --git a/debian/examples/sysvinit/nftables.init b/debian/examples/sysvinit/nftables.init new file mode 100644 index 0000000..777d393 --- /dev/null +++ b/debian/examples/sysvinit/nftables.init 
@@ -0,0 +1,122 @@ +#!/bin/sh +### BEGIN INIT INFO +# Provides: nftables +# Required-Start: $local_fs $network $remote_fs $syslog +# Required-Stop: $local_fs $remote_fs $syslog +# Default-Start: +# Default-Stop: 0 1 2 3 4 5 6 +# Short-Description: nftables firewall service +# Description: nftables firewall system service +### END INIT INFO + +# Author: Arturo Borrero Gonzalez <arturo@debian.org> + +# Do NOT "set -e" + +CONF=/etc/nftables.conf + +# PATH should only include /usr/* if it runs after the mountnfs.sh script +PATH=/sbin:/usr/sbin:/bin:/usr/bin +DESC="firewall service" +NAME=nftables +BIN=/usr/sbin/nft +SCRIPTNAME=/etc/init.d/$NAME + +# Exit if the package is not installed +[ -x "$BIN" ] || exit 0 + +# Load the VERBOSE setting and other rcS variables +. /lib/init/vars.sh + +# Define LSB log_* functions. +# Depend on lsb-base (>= 3.2-14) to ensure that this file is present +# and status_of_proc is working. +. /lib/lsb/init-functions + +do_start() +{ + # Return + # 0 if start OK + # 2 if start NOK + + # nft v0.4 return 0 if ENOENT $CONF + if [ ! -r "$CONF" ] ; then + echo "E: No such $NAME $DESC config file $CONF" >&2 + return 2 + fi + + $BIN -f $CONF || return 2 +} + +do_stop() +{ + # Return + # 0 if stopped + # 1 if already stopped + # 2 if could not be stopped + if ! do_status ; then + $BIN flush ruleset || return 2 + fi +} + +do_status() +{ + # Return + # 0 if no rules + # 1 if rules + if [ "$($BIN list ruleset 2>/dev/null | wc -l)" = "0" ] ; then + return 0 + fi + + return 1 +} + +case "$1" in + start) + [ "$VERBOSE" != no ] && log_daemon_msg "Starting $DESC" "$NAME" + do_start + ret="$?" + case "$ret" in + 0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;; + 2) [ "$VERBOSE" != no ] && log_end_msg 1 ;; + esac + exit $ret + ;; + restart|force-reload) + [ "$VERBOSE" != no ] && log_daemon_msg "Restarting $DESC" "$NAME" + do_start + ret="$?" 
+ case "$ret" in + 0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;; + 2) [ "$VERBOSE" != no ] && log_end_msg 1 ;; + esac + exit $ret + ;; + stop) + [ "$VERBOSE" != no ] && log_daemon_msg "Stopping $DESC" "$NAME" + do_stop + ret="$?" + case "$ret" in + 0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;; + 2) [ "$VERBOSE" != no ] && log_end_msg 1 ;; + esac + exit $ret + ;; + status) + if ! do_status ; then + [ "$VERBOSE" != no ] && log_daemon_msg "Status of ${DESC}: rules loaded" "$NAME" + [ "$VERBOSE" != no ] && log_end_msg 0 + exit 0 + else + [ "$VERBOSE" != no ] && log_daemon_msg "Status of ${DESC}: no rules loaded" "$NAME" + [ "$VERBOSE" != no ] && log_end_msg 1 + exit 1 + fi + ;; + *) + echo "Usage: $SCRIPTNAME {start|stop|status|restart|force-reload}" >&2 + exit 3 + ;; +esac + +: diff --git a/debian/examples/workstation.nft b/debian/examples/workstation.nft new file mode 100755 index 0000000..bc7cd02 --- /dev/null +++ b/debian/examples/workstation.nft @@ -0,0 +1,25 @@ +#!/usr/sbin/nft -f + +flush ruleset + +table inet filter { + chain input { + type filter hook input priority 0; + + # accept any localhost traffic + iif lo accept + + # accept traffic originated from us + ct state established,related accept + + # activate the following line to accept common local services + #tcp dport { 22, 80, 443 } ct state new accept + + # ICMPv6 packets which must not be dropped, see https://tools.ietf.org/html/rfc4890#section-4.4.1 + meta nfproto ipv6 icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem, echo-reply, echo-request, nd-router-solicit, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, 148, 149 } accept + ip6 saddr fe80::/10 icmpv6 type { 130, 131, 132, 143, 151, 152, 153 } accept + + # count and drop any other traffic + counter drop + } +} diff --git a/debian/gbp.conf b/debian/gbp.conf new file mode 100644 index 0000000..b55e04d --- /dev/null +++ b/debian/gbp.conf 
@@ -0,0 +1,5 @@ +[DEFAULT] + pristine-tar = true + +[dch] + id-length = 7 diff --git a/debian/gitlab-ci.yml b/debian/gitlab-ci.yml new file mode 100644 index 0000000..5c575a1 --- /dev/null +++ b/debian/gitlab-ci.yml @@ -0,0 +1,6 @@ +include: + - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/salsa-ci.yml + - https://salsa.debian.org/salsa-ci-team/pipeline/raw/master/pipeline-jobs.yml + +variables: + RELEASE: 'unstable' diff --git a/debian/libnftables-dev.examples b/debian/libnftables-dev.examples new file mode 100644 index 0000000..43ec862 --- /dev/null +++ b/debian/libnftables-dev.examples @@ -0,0 +1 @@ +examples/*.c diff --git a/debian/libnftables-dev.install b/debian/libnftables-dev.install new file mode 100644 index 0000000..a62775f --- /dev/null +++ b/debian/libnftables-dev.install @@ -0,0 +1,3 @@ +/usr/lib/*/libnftables.so +usr/include/nftables/* +usr/lib/*/pkgconfig/* diff --git a/debian/libnftables1.install b/debian/libnftables1.install new file mode 100644 index 0000000..b84967f --- /dev/null +++ b/debian/libnftables1.install @@ -0,0 +1 @@ +usr/lib/*/*so.* diff --git a/debian/libnftables1.lintian-overrides b/debian/libnftables1.lintian-overrides new file mode 100644 index 0000000..ebfacfc --- /dev/null +++ b/debian/libnftables1.lintian-overrides @@ -0,0 +1 @@ +spelling-error-in-binary iif if [usr/lib/*/libnftables.so.*] diff --git a/debian/libnftables1.manpages b/debian/libnftables1.manpages new file mode 100644 index 0000000..8f9f199 --- /dev/null +++ b/debian/libnftables1.manpages @@ -0,0 +1,2 @@ +usr/share/man/man3/libnftables.3 +usr/share/man/man5/libnftables-json.5 diff --git a/debian/libnftables1.symbols b/debian/libnftables1.symbols new file mode 100644 index 0000000..b6743e1 --- /dev/null +++ b/debian/libnftables1.symbols 
@@ -0,0 +1,32 @@ +libnftables.so.1 libnftables1 #MINVER# +* Build-Depends-Package: libnftables-dev + LIBNFTABLES_1@LIBNFTABLES_1 1.0.2 + LIBNFTABLES_2@LIBNFTABLES_2 1.0.2 + LIBNFTABLES_3@LIBNFTABLES_3 1.0.2 + LIBNFTABLES_4@LIBNFTABLES_4 1.0.9 + nft_ctx_add_include_path@LIBNFTABLES_1 1.0.2 + nft_ctx_add_var@LIBNFTABLES_2 1.0.2 + nft_ctx_buffer_error@LIBNFTABLES_1 1.0.2 + nft_ctx_buffer_output@LIBNFTABLES_1 1.0.2 + nft_ctx_clear_include_paths@LIBNFTABLES_1 1.0.2 + nft_ctx_clear_vars@LIBNFTABLES_2 1.0.2 + nft_ctx_free@LIBNFTABLES_1 1.0.2 + nft_ctx_get_dry_run@LIBNFTABLES_1 1.0.2 + nft_ctx_get_error_buffer@LIBNFTABLES_1 1.0.2 + nft_ctx_get_optimize@LIBNFTABLES_3 1.0.2 + nft_ctx_get_output_buffer@LIBNFTABLES_1 1.0.2 + nft_ctx_input_get_flags@LIBNFTABLES_4 1.0.9 + nft_ctx_input_set_flags@LIBNFTABLES_4 1.0.9 + nft_ctx_new@LIBNFTABLES_1 1.0.2 + nft_ctx_output_get_debug@LIBNFTABLES_1 1.0.2 + nft_ctx_output_get_flags@LIBNFTABLES_1 1.0.2 + nft_ctx_output_set_debug@LIBNFTABLES_1 1.0.2 + nft_ctx_output_set_flags@LIBNFTABLES_1 1.0.2 + nft_ctx_set_dry_run@LIBNFTABLES_1 1.0.2 + nft_ctx_set_error@LIBNFTABLES_1 1.0.2 + nft_ctx_set_optimize@LIBNFTABLES_3 1.0.2 + nft_ctx_set_output@LIBNFTABLES_1 1.0.2 + nft_ctx_unbuffer_error@LIBNFTABLES_1 1.0.2 + nft_ctx_unbuffer_output@LIBNFTABLES_1 1.0.2 + nft_run_cmd_from_buffer@LIBNFTABLES_1 1.0.2 + nft_run_cmd_from_filename@LIBNFTABLES_1 1.0.2 diff --git a/debian/nftables.conf b/debian/nftables.conf new file mode 100644 index 0000000..fb6f06d --- /dev/null +++ b/debian/nftables.conf @@ -0,0 +1,15 @@ +#!/usr/sbin/nft -f + +flush ruleset + +table inet filter { + chain input { + type filter hook input priority filter; + } + chain forward { + type filter hook forward priority filter; + } + chain output { + type filter hook output priority filter; + } +} diff --git a/debian/nftables.examples b/debian/nftables.examples new file mode 100644 index 0000000..e199ca5 --- /dev/null +++ b/debian/nftables.examples 
@@ -0,0 +1,4 @@ +debian/examples/* +etc/nftables/osf/pf.os +usr/share/doc/nftables/examples/* +usr/share/nftables/*nft diff --git a/debian/nftables.install b/debian/nftables.install new file mode 100644 index 0000000..1c912c4 --- /dev/null +++ b/debian/nftables.install @@ -0,0 +1,2 @@ +debian/nftables.conf etc +usr/sbin/* diff --git a/debian/nftables.links b/debian/nftables.links new file mode 100644 index 0000000..c092691 --- /dev/null +++ b/debian/nftables.links @@ -0,0 +1 @@ +usr/share/man/man8/nft.8.gz usr/share/man/man8/nftables.8.gz diff --git a/debian/nftables.lintian-overrides b/debian/nftables.lintian-overrides new file mode 100644 index 0000000..16bdc2a --- /dev/null +++ b/debian/nftables.lintian-overrides @@ -0,0 +1 @@ +typo-in-manual-page iif if [usr/share/man/man8/nft.8.gz:*] diff --git a/debian/nftables.manpages b/debian/nftables.manpages new file mode 100644 index 0000000..6fc511d --- /dev/null +++ b/debian/nftables.manpages @@ -0,0 +1 @@ +usr/share/man/man8/nft.8 diff --git a/debian/nftables.service b/debian/nftables.service new file mode 100644 index 0000000..769c9fc --- /dev/null +++ b/debian/nftables.service @@ -0,0 +1,20 @@ +[Unit] +Description=nftables +Documentation=man:nft(8) http://wiki.nftables.org +Wants=network-pre.target +Before=network-pre.target shutdown.target +Conflicts=shutdown.target +DefaultDependencies=no + +[Service] +Type=oneshot +RemainAfterExit=yes +StandardInput=null +ProtectSystem=full +ProtectHome=true +ExecStart=/usr/sbin/nft -f /etc/nftables.conf +ExecReload=/usr/sbin/nft -f /etc/nftables.conf +ExecStop=/usr/sbin/nft flush ruleset + +[Install] +WantedBy=sysinit.target diff --git a/debian/not-installed b/debian/not-installed new file mode 100644 index 0000000..e925cee --- /dev/null +++ b/debian/not-installed @@ -0,0 +1 @@ +usr/lib/${DEB_TARGET_MULTIARCH}/libnftables.la diff --git a/debian/rules b/debian/rules new file mode 100755 index 0000000..e004562 --- /dev/null +++ b/debian/rules 
@@ -0,0 +1,46 @@ +#!/usr/bin/make -f + +ifeq (,$(filter terse,$(DEB_BUILD_OPTIONS))) +export DH_VERBOSE=1 +endif +export PYBUILD_NAME = nftables +export DEB_BUILD_MAINT_OPTIONS = hardening=+all + +include /usr/share/dpkg/architecture.mk +include /usr/share/dpkg/pkg-info.mk + +pybuild_pkg := python3-$(PYBUILD_NAME) +pybuild_opts := --buildsystem=pybuild -- --dir $(CURDIR)/py + +%: + dh $@ --with python3 + +override_dh_auto_clean: + dh_auto_clean -N$(pybuild_pkg) + dh_auto_clean -p$(pybuild_pkg) $(pybuild_opts) + +override_dh_auto_configure: + dh_auto_configure -N$(pybuild_pkg) -- \ + --with-xtables \ + --with-json \ + --with-python-bin=/usr/bin/python3 \ + --with-cli=editline \ + -- + dh_auto_configure -p$(pybuild_pkg) $(pybuild_opts) + +override_dh_auto_build: + dh_auto_build -N$(pybuild_pkg) + dh_auto_build -p$(pybuild_pkg) $(pybuild_opts) + +override_dh_auto_install: + dh_auto_install -N$(pybuild_pkg) + dh_auto_install -p$(pybuild_pkg) $(pybuild_opts) + +execute_after_dh_fixperms: + chmod a+x debian/nftables/etc/nftables.conf + +override_dh_installsystemd: + dh_installsystemd --no-enable --no-start --restart-after-upgrade + +override_dh_installexamples: + dh_installexamples -XMakefile diff --git a/debian/source/format b/debian/source/format new file mode 100644 index 0000000..163aaf8 --- /dev/null +++ b/debian/source/format @@ -0,0 +1 @@ +3.0 (quilt) diff --git a/debian/source/options b/debian/source/options new file mode 100644 index 0000000..9060822 --- /dev/null +++ b/debian/source/options @@ -0,0 +1,2 @@ +# Don't store changes on autogenerated files +extend-diff-ignore = "(^|/)(compile|config\.sub|config\.guess|Makefile|configure|Makefile\.in|aclocal.m4|config.h.in|depcomp|INSTALL|install-sh|ltmain.sh|missing||libtool.m4|lt~obsolete.m4|ltoptions.m4|ltsugar.m4|ltversion.m4|.Po)" diff --git a/debian/tests/control b/debian/tests/control new file mode 100644 index 0000000..9b40f99 --- /dev/null +++ b/debian/tests/control 
@@ -0,0 +1,20 @@ +Test-Command: nft -h +Depends: @ +Restrictions: needs-root, superficial + +Tests: internaltest-shell.sh +Depends: kmod, @ +Restrictions: needs-root, allow-stderr, isolation-container, flaky + +Tests: internaltest-monitor.sh +Depends: @ +Restrictions: needs-root, allow-stderr, isolation-container, flaky + +# Disable test until we decide what to do with the nftables python module +#Tests: internaltest-py.sh +#Depends: @, python +#Restrictions: needs-root, allow-stderr, isolation-container, build-needed + +Tests: systemd-service-test.sh +Depends: systemd, @ +Restrictions: needs-root, allow-stderr, isolation-container diff --git a/debian/tests/internaltest-monitor.sh b/debian/tests/internaltest-monitor.sh new file mode 100644 index 0000000..446f2f2 --- /dev/null +++ b/debian/tests/internaltest-monitor.sh @@ -0,0 +1,14 @@ +#!/bin/sh + +# Run the internal tests of nftables (monitor) + +# The testsuite requires kernel at least 5.x +if [ "$(uname -r | cut -d. -f1)" -lt 5 ] ; then + echo "W: this testsuite is likely to produce many fails because of old kernel, ending now" + exit 0 +fi + +set -e +ln -s $(which nft) src/nft +cd tests/monitor +./run-tests.sh -d diff --git a/debian/tests/internaltest-py.sh b/debian/tests/internaltest-py.sh new file mode 100644 index 0000000..f8e7627 --- /dev/null +++ b/debian/tests/internaltest-py.sh @@ -0,0 +1,12 @@ +#!/bin/sh + +# Run the internal tests of nftables (py) + +# The testsuite requires kernel at least 4.x +if [ "$(uname -r | cut -d. -f1)" -lt 4 ] ; then + echo "W: This testsuite is likely to produce many fails because of old kernel" +fi + +set -e +cd tests/py +NFT=$(which nft) ./nft-test.py diff --git a/debian/tests/internaltest-shell.sh b/debian/tests/internaltest-shell.sh new file mode 100644 index 0000000..a3fdcbc --- /dev/null +++ b/debian/tests/internaltest-shell.sh 
@@ -0,0 +1,13 @@ +#!/bin/sh + +# Run the internal tests of nftables (shell) + +# The testsuite requires kernel at least 5.x +if [ "$(uname -r | cut -d. -f1)" -lt 5 ] ; then + echo "W: this testsuite is likely to produce many fails because of old kernel, ending now" + exit 0 +fi + +set -e +cd tests/shell +NFT=$(which nft) ./run-tests.sh -v diff --git a/debian/tests/systemd-service-test.sh b/debian/tests/systemd-service-test.sh new file mode 100644 index 0000000..83461bc --- /dev/null +++ b/debian/tests/systemd-service-test.sh 
@@ -0,0 +1,72 @@ +#!/bin/sh + +set -ex + +SERVICE=nftables.service + +# The testsuite requires kernel at least 5.x +if [ "$(uname -r | cut -d. -f1)" -lt 5 ] ; then + : WARNING this testsuite is likely to produce many fails because of old kernel, ending now + exit 0 +fi + +systemctl_call() +{ + if systemctl $1 $SERVICE ; then + return 0 + else + journalctl -u $SERVICE + return 1 + fi +} + +# package ships service disabled by default +if ! systemctl_call enable ; then + : WARNING enabling the service failed +fi + +if systemctl -q is-active $SERVICE ; then + : WARNING initial service running, stopping now + if ! systemctl_call stop ; then + : ERROR unable to stop the initial service + exit 1 + fi +fi + +if [ $(nft list ruleset | wc -l) -ne 0 ] ; then + : WARNING initial ruleset is not empty, flushing now + nft flush ruleset +fi + +if ! systemctl_call start ; then + : ERROR failed to start systemd service + exit 1 +fi +if [ $(nft list ruleset | wc -l) -eq 0 ] ; then + : ERROR no ruleset loaded after systemd service start + exit 1 +fi + +systemctl_call status +nft list ruleset + +if ! systemctl_call stop ; then + : ERROR failed to stop systemd service + exit 1 +fi +if [ $(nft list ruleset | wc -l) -ne 0 ] ; then + : ERROR ruleset still loaded after systemd service stop + exit 1 +fi + +if ! systemctl_call restart ; then + : ERROR failed to restart systemd service + exit 1 +fi +if [ $(nft list ruleset | wc -l) -eq 0 ] ; then + : ERROR no ruleset loaded after systemd service restart + exit 1 +fi + +: INFO test was OK +exit 0 diff --git a/debian/upstream/signing-key.asc b/debian/upstream/signing-key.asc new file mode 100644 index 0000000..db4707d --- /dev/null +++ b/debian/upstream/signing-key.asc 
@@ -0,0 +1,52 @@ +-----BEGIN PGP PUBLIC KEY BLOCK----- + +mQINBF+HdQgBEACzteJUJGtj3N6u5mcGh4Nu/9GQfwrrphZuI7jto2N6+ZoURded +660mFLnax7wgIE8ugAa085jwFWbFY3FzGutUs/kDmnqy9WneYNBLIAF3ZTFfY+oi +V1C09bBlHKDj9gSEM2TZ/qU14exKdSloqcMKSdIqLQX27w/D6WmO1crDjOKKN9F2 +zjc3uLjo1gIPrY+Kdld29aI0W4gYvNLOo+ewhVC5Q6ymWOdR3eKaP2HIAt8CYf0t +Sx8ChHdBvXQITDmXoGPLTTiCHBoUzaJ/N8m4AZTuSUTr9g3jUNFmL48OrJjFPhHh +KDY0V59id5nPu4RX3fa/XW+4FNlrthA5V9dQSIPh7r7uHynDtkcCHT5m4mn0NqG3 +dsUqeYQlrWKCVDTfX/WQB3Rq1tgmOssFG9kZkXcVTmis3KFP1ZAahBRB33OJgSfi +WKc/mWLMEQcljbysbJzq74Vrjg44DNK7vhAXGoR35kjj5saduxTywdb3iZhGXEsg +9zqV0uOIfMQsQJQCZTlkqvZibdB3xlRyiCwqlf1eHB2Vo7efWbRIizX2da4c5xUj ++IL1eSPmTV+52x1dYXpn/cSVKJAROtcSmwvMRyjuGOcTNtir0XHCxC5YYBow6tKR +U1hrFiulCMH80HeS+u/g4SpT4lcv+x0DlN5BfWQuN5k5ZzwKb6EQs092qQARAQAB +tCxOZXRmaWx0ZXIgQ29yZSBUZWFtIDxjb3JldGVhbUBuZXRmaWx0ZXIub3JnPokC +VAQTAQoAPhYhBDfZZKzASYHHVQD7m9Vdl4qKFCDkBQJfh3UIAhsDBQkHhM4ABQsJ +CAcCBhUKCQgLAgQWAgMBAh4BAheAAAoJENVdl4qKFCDk0msQAJTIK8TLHw2IJDc6 ++ZfUJc+znSNwskO+A4lwvb1vRY5qFV+CA2S1eUS4HGDWDT0sPKie6Nx4+FBczkWd +RA+eaKDqQeS5Vzc2f0bl74un91h7yE8O2NsVnpL166MnAAk3/ACjHsZX2PzF12F6 +4stvGQFpjZRWItj0I6bvPY6CTtqVPB98a6RpdbS9kGxCCMrL3CFGDXGSjXes5KwN +IvngmVB36wjb3QgEtQIv13jrWFfiXeuieqMRyC6Z3KNYVcvis34eGxPFD9MHrK+w +bdw3KzMBJd7hMoVRl32Q13T/PX8H3pqWMqKaL41wHUswRt0IQjNZnRvRnlJ0VDFf +Wep/3dFK+uQbdABuiwCiRli5mWeOMCP+qJodP1OZSGqg0VwZWUGdCGG5+qIhngOj +QVomvJ7N4eRLU3xuPVjLoBeHzvViUPpYtWQ/YiZK5rWTJHhu88xZaysFJRaV+Uz3 +wPkeqdArRRXl1Tpy+cKy7D5BZAr7OjT1wboon23IM2DJRurbaHD8blMsjZ07pbvb +4hdpiE6mqq7CYskDz2UGTaFfEW4bFnKtvKTXEnmcqc4mWcr2z9BBYouGmcFczgET +tE02XejmExXV2RPUtXfLuNIbVpuXG1qhzNuXAfm+S/68XDSFrwyK8/Dgq5ga0iIP +n8Uvz12Xu/Qde+NicogLNWF90QJ2uQINBF+HdQgBEADSTGQKWM3ni63O0bOnxgyu +Gd3oxEk/mqu7zkU/WBKaUQRtUKFAwbjaHQBcSFjOkqcLze1/QGXiDC9hDow2mxeU +OkTR28Dg8iw2HMJqrVodDTaSvOX18A4HCzkFvnT4prJN54tXK14YY2YLOrMm/cjP +6Q4tE3+8MzWbdNKe9+s5aUDzDkXzvphYGnNBVbfxkLE3SMEwc2d+n3Fd1vIjx99+ +EqrGraete0fs/qtmpR/Fcp89doh4tqCRbZk8YYIQkTj3C1s91zCr/QOwX7mXhNJP 
+qSu8ZwSq6WcylJNY9rs0ys1dgarqORzQ7MvT4EJ9egZV1a8XR30Jwc9sOu2hzCpz +w/7/ivNaMbZ7pKcAQE/FqL5MstVUy4UB+RdMuW6UK1R/y8KtP6uNtYXw94jx7W9r +QtYXk/c3v7KpGKZXLRW/NX8d6PMXAab7iGkwd1EabX/CTb4eSoxE2RTELwHXavKG +KL6Crvmf+fObgqsDtBaIacPakcJoau1Abxg1QFYKOpCozFtmfVNzp34IKwwsrQiG +YfHizWoH0S9nLoqvEsfnBhrdc6Aj4YwzdTGjbfyh5vBsa/pT/kcR9xLd6RF+ppoU +gmlOMK9FuQX96YxLYjsJ6mo4rAUAh4ePTholfFYPbkDeRqS6T6W75xkuL6vI3Y+q +d4LIktheyTMuzsrARDQZFwARAQABiQI8BBgBCgAmFiEEN9lkrMBJgcdVAPub1V2X +iooUIOQFAl+HdQgCGwwFCQeEzgAACgkQ1V2XiooUIOTTCBAAgXcF8AzEQfK0Hqja +4W4e6Y2xxxZmoPGz75Jgqv4GBsfTEBChVBbRBjUgYepuaV6/YSfRw9ldeqvREW7g +XAOsKLM+Hn0BQW22oHu2UhAgjfsTC4q0BkVW06M7tnkvBV3nR9F/X9CViwxlsEYP +qQKkjrbhYx4WDI1acGx/7O9QYR/OMeUYFns4dgVi2z91LmOybVjQLwGnqOdybNnc +84Iw6KT4rOKmUay0fXExo6mumU3Pz5S32grJuqxgZTcf2xSY8++fsp+7zEGuO3zg +beKn64h1+xv04N7PMbEEixJtyARGIdu4aHPWQ+ORF4JvWYhgNtbfb9YwNu8k1WlK +z2wuNIg7/wjHEOzdmNbCUb5q3ftqSsbTTbrbo48IAYLqOWyitud0eR8tGvjcyti0 +nPxpkfBCSRMFte6+q6Gne0rOmCJgmRMXmPggFtBRM8EKZqnznZbrLyMpOMeK9diR +/EPDVhzM1N2Jv8qnaKZ/0gsAn1ybC+P3hywmlrsolo5YzWuzMDwyE8dmT0ROUBKg +qouIGg1l8lR7fJXhhNRt86FzSaIFoQ7MIddOVJ5WRBHzr2x22sYFj4y1f8ZLh4VZ +Wqncl20xMa4CulNsHrzUtN3QbkOm4zSGzCLfbpW4gVfDCVkdD2bZzSfefH9UFwuB +k/i9xRtYOSbc/q5W7u9J4dpEia4= +=m35R +-----END PGP PUBLIC KEY BLOCK----- diff --git a/debian/watch b/debian/watch new file mode 100644 index 0000000..973c3df --- /dev/null +++ b/debian/watch @@ -0,0 +1,3 @@ +version=4 +opts=pgpsigurlmangle=s/$/.sig/ \ +https://www.netfilter.org/pub/nftables/nftables-((?!0.100|0.099)\S+).tar.xz |
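Review bot: in debian/nftables.conf all three chains are declared without a `policy`, so they default to accept and a freshly enabled nftables.service loads a ruleset that filters nothing. That is reasonable for a skeleton, but the file should say so in a comment, and should also note that the leading `flush ruleset` must stay: it is what makes `nft -f /etc/nftables.conf` replace the live ruleset atomically (the unit's ExecReload relies on it), and without it a reload would append a second copy of every chain and rule. A one-line hint such as "add `policy drop;` to the chain type line to make this a default-deny firewall" would save admins from assuming the packaged config protects the host.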
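Review bot: in debian/nftables.service `ExecStop=/usr/sbin/nft flush ruleset` makes `systemctl stop nftables` (and shutdown, via `Conflicts=shutdown.target`) remove every rule in the kernel, including tables created by other tools, so a stopped unit is fail-open rather than "unloads the packaged config". Document that in the unit (and in the README) so operators do not stop the unit expecting rules to persist. The sandbox can be tighter at no cost: nft only talks to the kernel over netlink and reads /etc/nftables.conf and its includes, so `ProtectSystem=strict` works here, and `NoNewPrivileges=true` plus `PrivateTmp=true` are harmless for a root oneshot. Minor: the `Documentation=` line points at `http://wiki.nftables.org` while the rest of the package uses the https URL.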
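Review bot: in debian/rules the `override_dh_installsystemd` target keeps `--restart-after-upgrade`; combined with the unit's `ExecStop=nft flush ruleset`, every package upgrade that restarts a running unit flushes the firewall and then reloads it, leaving a window with no rules while the postinst runs. The unit already defines `ExecReload=/usr/sbin/nft -f /etc/nftables.conf`, which replaces the ruleset in one transaction (the shipped file begins with `flush ruleset`), so prefer `--no-stop-on-upgrade` and trigger a reload, or at least explain in a comment why a stop/start cycle is acceptable. Also, `execute_after_dh_fixperms` marks /etc/nftables.conf executable to honour its `#!/usr/sbin/nft -f` shebang; that is fine for a conffile, but a comment saying it is intentional would stop a later cleanup from "fixing" it.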
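Review bot: in debian/source/options the `extend-diff-ignore` regex has an empty alternative (`missing||libtool.m4`), so the second group matches the empty string and, with the unanchored `(^|/)` in front, the whole pattern matches every path; any local modification to an upstream file would then be excluded from the generated diff rather than being patched or reported by dpkg-source. Remove the stray `|`, escape the remaining unescaped dots (`aclocal\.m4`, `config\.h\.in`, `ltmain\.sh`, `lt~obsolete\.m4`, ...) and anchor the group with `$` so that `Makefile` does not also swallow `Makefile.am` and `\.Po` only matches the suffix.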
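Review bot: in debian/tests/control the `nft -h` smoke test is marked `needs-root` although it only prints usage and never touches the kernel; drop the restriction so it also runs in the unprivileged autopkgtest path. The shell and monitor suites are both `flaky`, which means regressions in them never block migration; systemd-service-test.sh is the only non-flaky test that actually loads a ruleset, so it is worth keeping that one strict. If the commented-out py test is ever re-enabled, its `Depends: @, python` needs to become `python3`.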
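Review bot: in debian/tests/internaltest-monitor.sh, `ln -s $(which nft) src/nft` is unquoted and, under the `set -e` on the line above, aborts the whole test if src/nft already exists (a rerun, or a source tree that was built); use `ln -sf "$(command -v nft)" src/nft`. The kernel check compares only the major version from `uname -r`, which is fine as a coarse gate but should be stated as "5.x or newer" in the warning so nobody expects a minor-version check.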
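Review bot: in debian/tests/internaltest-py.sh the old-kernel check prints a warning but does not `exit 0`, unlike the shell and monitor scripts, so on a pre-4.x kernel it continues into a run that the comment itself says will mostly fail; make it consistent with the other two (exit after the warning) before the test is re-enabled in debian/tests/control.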
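Review bot: in debian/tests/systemd-service-test.sh the loaded/unloaded checks use `nft list ruleset | wc -l`, whose exit status is that of `wc`, so an `nft` failure (for example the nf_tables module not being available, which is why internaltest-shell.sh depends on kmod) is reported as "no ruleset loaded" instead of as an nft error, and a non-empty ruleset does not prove that the packaged config was what got loaded. Check for the specific table the shipped config creates, e.g. `nft list table inet filter`, quote the command substitutions (`[ "$(nft list ruleset | wc -l)" -ne 0 ]`), and consider `set -o pipefail` where the shell supports it. The test also enables the unit at the start and never disables it; harmless in an isolation-container, but a trap that restores the pre-test state would make the script reusable outside autopkgtest.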