author Daniel Baumann <daniel.baumann@progress-linux.org> 2017-08-16 19:37:20 +0000
committer Daniel Baumann <daniel.baumann@progress-linux.org> 2017-08-16 19:37:20 +0000
commit 8fd28ad1851f055a18f4fcf638c6fffb54774ef6
tree 104dab8d804406ba4d7399c8d14ac1001e9a2295
parent Adding upstream version 0.7.
Adding debian version 0.7-2. (debian/0.7-2)
Signed-off-by: Daniel Baumann <daniel.baumann@progress-linux.org>
-rw-r--r-- debian/README.Debian 188
-rw-r--r-- debian/changelog 235
-rw-r--r-- debian/compat 1
-rw-r--r-- debian/control 39
-rw-r--r-- debian/copyright 456
-rw-r--r-- debian/examples/syntax/README 13
-rw-r--r-- debian/examples/syntax/nat 30
-rw-r--r-- debian/examples/syntax/overview 56
-rw-r--r-- debian/examples/syntax/workstation 24
-rw-r--r-- debian/examples/sysvinit/README 14
-rw-r--r-- debian/examples/sysvinit/nftables.init 122
-rw-r--r-- debian/nftables.conf 15
-rw-r--r-- debian/nftables.examples 1
-rw-r--r-- debian/nftables.install 1
-rw-r--r-- debian/nftables.links 1
-rw-r--r-- debian/nftables.postinst 41
-rw-r--r-- debian/nftables.postrm 41
-rw-r--r-- debian/nftables.preinst 41
-rw-r--r-- debian/nftables.service 17
-rw-r--r-- debian/patches/reproducible.patch 30
-rw-r--r-- debian/patches/series 1
-rwxr-xr-x debian/rules 45
-rw-r--r-- debian/source/format 1
-rw-r--r-- debian/source/options 2
-rw-r--r-- debian/tests/control 15
-rw-r--r-- debian/tests/internaltest-py.sh 15
-rw-r--r-- debian/tests/internaltest-shell.sh 13
-rw-r--r-- debian/tests/systemd-service-test.sh 72
-rw-r--r-- debian/upstream/signing-key.asc 56
-rw-r--r-- debian/watch 2
30 files changed, 1588 insertions, 0 deletions
diff --git a/debian/README.Debian b/debian/README.Debian
new file mode 100644
index 0000000..e40abd0
--- /dev/null
+++ b/debian/README.Debian
@@ -0,0 +1,188 @@
+The following message was published the 20th Jan 2014 in the Netfilter
+devel mailing list <netfilter-devel@vger.kernel.org> when the nftables
+release happened, authored by Patrick McHardy <kaber@trash.net>.
+
+Please, read it carefully as it contains valuable information about the new
+nftables framework.
+ -- 28/jan/2014
+ Arturo Borrero Gonzalez <arturo@debian.org>
+===============================================================================
+
+The Netfilter project presents:
+
+ nftables 0.099
+
+With the release of Linux 3.13 and almost 5 years after the last nftables
+release, the time has come to finally get this code out to our users.
+
+Since this is the first regular release intended for users, I'm including
+a bit of extra information.
+
+Overview
+========
+
+nf_tables is the new firewalling infrastructure in the Linux kernel,
+intended to replace ip_tables, ip6_tables, arp_tables and ebtables
+in the long term. nftables is the corresponding userspace frontend,
+replacing their respective userspace utilities.
+
+nftables features native support for sets and dictionaries of arbitrary
+types, support for many different protocols, meta data types, connection
+tracking, NAT, logging, atomic incremental and full ruleset updates,
+a netlink API with notification support, a format grammar, a compatibility
+layer for iptables/ip6tables and more.
+
+While the internal architecture is fundamentally different from
+ip_tables etc, many of the well proven concepts like tables and chains
+have been retained. The syntax differs significantly from iptables
+and friends, most notable, the options style parsing has been replaced
+by a formal grammar and a set of keywords. For anyone familiar with
+BPF the syntax should be quite easy to learn.
+
+Architecture
+============
+
+As mentioned previously, the architecture differs significantly from
+the existing packet filtering mechanisms. While ip_tables etc. include
+special modules for each and every protocol they support, for each meta
+data type etc and each each of these modules implement a set of usually
+similar operations on this data, nftables contains a small evaluation
+engine (sometimes called a virtual machine) with extensions to support
+getting packet payload data, meta data, ... and performing operations
+with this data, altering flow control and so on.
+
+The userspace frontend performs parsing of the ruleset and compiles it
+into instructions for the virtual machine. F.i. while an iptables tcp
+dport match would instruct the xt_tcpudp module to compare the TCP port
+number, nftables userspace emits instructions to load 2 bytes at the
+position network header + 2 into a so called register and a second
+instruction to compare that register to a given value. IOW, the kernel
+doesn't require knowledge of particular protocols, support for them
+can in most cases be added completely in the nftables frontend.
+
+Data gathered from the packet (or elsewhere) can not only be used for
+matches (called relational expressions in nftables), but for dynamically
+parameterizing other extensions. F.i. the following expression would
+select the DNAT destination address based on the source address of the
+packet:
+
+... dnat ip saddr map {
+ 192.168.0.0/24 : 10.0.0.1,
+ 192.168.1.0/24 : 10.0.0.2,
+ * : 10.0.0.3
+ }
+
+while the following expression would store the input interface index
+in the upper 8 bits of the packet mark to be used in the POSTROUTING
+hook where it is not available anymore:
+
+... mark set iif
+
+Similar to ip_tables, rules are organized in address family specific
+tables and chains. The kernel doesn't include any pre-defined tables
+anymore, they can be created at will from userspace. Special features
+of tables like the NAT table and mangle table are available as so
+called "chain types", which instruct nftables to perform operations
+like setting up NAT mappings or rerouting packets after remarking.
+A set of predefined tables corresponding to the tables existing in
+ip_tables etc is contained in nftables.
+
+Dictionaries, as shown in the previous dnat example, can not only
+be used for parameterizing different extensions, but also to alter
+control flow, allowing to build match trees with efficient branching:
+
+... iif vmap {
+ eth0 : jump from_lan,
+ eth1 : jump from_dmz,
+ eth2 : jump from_wan,
+ * : drop,
+ }
+
+Status
+======
+
+There are still a few rough edges, but we believe the code is ready
+to be used for testing and personal usage. It is not ready for
+production use, but we should be getting there quickly. Userspace
+may occasionally produce an unexpected error for uncommon cases,
+the kernel side is expected to be pretty much solid. Any bugs
+reported will be fixed quickly.
+
+While trying to avoid it when possible, until the 0.1 release we may
+still change the grammar or other things in incompatible ways. This
+should result in only small impact though, most of the grammar is
+expected to stay as it is.
+
+Naming
+======
+
+nftables releases have names. The last release v0.01-alpha1 was named
+schäublefilter, honoring the minister of the interieur of Germany,
+Wolfgang Schäuble, and his attempts to introduce legislation to allow
+the state to crack computers.
+
+Owing to the fact that his term is over since over four years and that
+in retrospective his attempts really seem only alpha, the new release
+is named keith-alexander-filter, in celebration of not being backdoored
+by the NSA so far.
+
+Resources
+=========
+
+The nftables code can be obtained from:
+
+* http://netfilter.org/projects/nftables/downloads.html
+* ftp://ftp.netfilter.org/pub/nftables
+* git://git.netfilter.org/nftables
+
+To build the code, you libnftnl and libmnl are required:
+
+* http://netfilter.org/projects/libnftnl/index.html
+* http://netfilter.org/projects/libmnl/index.html
+
+The iptables compatibility layer is available at:
+
+* git://git.netfilter.org/iptables-nftables
+
+The code should appear on the website and FTP shortly.
+
+Further reading
+===============
+
+While documentation is still scarce at the moment, the next release
+will include a full command reference and further documentation.
+
+The project page on netfilter.org contains some further pointers:
+
+ http://netfilter.org/projects/nftables/index.html
+
+Eric Leblond has written a short howto:
+
+ https://home.regit.org/netfilter-en/nftables-quick-howto/
+
+and has given a presentation on nftables:
+
+ https://home.regit.org/wp-content/uploads/2013/09/2013_kernel_recipes_nftables.pdf
+
+My first presentation on nftables during NFWS 2008 in Paris:
+
+ http://people.netfilter.org/kaber/nfws2008/nftables.odp
+
+And there's a Wiki-page with some further information on the basic
+building blocks, the syntax ...:
+
+ http://people.netfilter.org/wiki-nftables/index.php/Main_Page
+
+Thanks
+======
+
+A lot of people have started contributing to nftables during the past
+1.5 years and helped to get both the kernel and userspace components in
+shape for merging and release. Pablo revived the project after I stopped
+working on it for quite a while, Eric Leblond, Tomasz Burstyka, Arturo
+Borrero, Alvaro Neira and Giuseppe Longo all made important contributions
+to nftables and the surrounding infrastructure.
+
+
+On behalf of the Netfilter Core Team,
+Happy bytecode execution :)
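Review bot: the Status section of this README ("It is not ready for production use", grammar may change "until the 0.1 release") describes nftables 0.099 and is stale for a package that ships 0.7, so an admin reading /usr/share/doc gets the wrong signal about whether the firewall tooling is fit for use. The two-line preface dated 28/jan/2014 should say that the message is kept for historical reference and that the status and release-naming paragraphs no longer apply. In Resources, every fetch location is http://, ftp:// or git://, none of which authenticates the server; the changelog in this same commit already records moving Vcs-Git from git:// to https://, and the preface could point readers to the packaged source and debian/upstream/signing-key.asc instead. Two upstream typos also survive in the quoted text ("each each of these modules", "you libnftnl and libmnl are required"); if the text is treated as a verbatim quote, leave them, otherwise fix them in the same pass.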
diff --git a/debian/changelog b/debian/changelog
new file mode 100644
index 0000000..9a28583
--- /dev/null
+++ b/debian/changelog
@@ -0,0 +1,235 @@
+nftables (0.7-2) unstable; urgency=medium
+
+ [ Arturo Borrero Gonzalez ]
+ * [058867f] d/control: move package to pkg-netfilter
+
+ [ Martin Dickopp ]
+ * [bf9bd6e] nftables.service: load firewall earlier in the boot process
+ (Closes: #866902)
+
+ [ Arturo Borrero Gonzalez ]
+ * [772f6ea] d/control: bump std-version to 4.0.0
+
+ -- Arturo Borrero Gonzalez <arturo@debian.org> Mon, 03 Jul 2017 09:23:22 +0200
+
+nftables (0.7-1) unstable; urgency=medium
+
+ * [c7b6524] New upstream version 0.7
+ * [b061528] nftables: switch to debhelper compat 10
+ * [33238bc] nftables-dbg: switch to -dbgsym package
+ * [4d838e4] d/control: bump dependency on libnftnl
+ * [0fac534] d/control: refresh kernel version reference in nftables
+ description
+ * [625229a] d/rules: enable hardening
+
+ -- Arturo Borrero Gonzalez <arturo@debian.org> Thu, 22 Dec 2016 11:21:01 +0100
+
+nftables (0.6+snapshot20161117-2) unstable; urgency=medium
+
+ * [078c41a] d/tests/: disable internaltest-py.sh
+ * [0560a63] nftables-dbg: use Multi-Arch: same
+ * [f2ace74] nftables: don't use libxtables11
+
+ -- Arturo Borrero Gonzalez <arturo@debian.org> Wed, 23 Nov 2016 12:43:46 +0100
+
+nftables (0.6+snapshot20161117-1) unstable; urgency=medium
+
+ * [2540606] New upstream version 0.6+snapshot20161117
+ * [8879bd0] d/control: bump build-dep on libnftnl 1.0.6+snapshot20161117
+ * [f90e51c] nftables: enable libxtables integration
+
+ -- Arturo Borrero Gonzalez <arturo@debian.org> Thu, 17 Nov 2016 11:30:33 +0100
+
+nftables (0.6-3) unstable; urgency=medium
+
+ * [c4cacdd] d/: update email address to 'arturo@debian.org'
+
+ -- Arturo Borrero Gonzalez <arturo@debian.org> Mon, 10 Oct 2016 11:10:16 +0200
+
+nftables (0.6-2) unstable; urgency=medium
+
+ * [2ff280b] d/tests/systemd-service-test.sh: dont use echo in the
+ initial warning
+ * [89a01ba] d/tests/internaltests-shell.sh: dont' run testsuite if
+ kernel is < 4.x
+ * [59e6ac2] d/nftables.{postinst,postrm,preinst}: gracefully delete
+ /etc/init.d/nftables (Closes: #833078)
+
+ -- Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com> Mon, 01 Aug 2016 12:26:56 +0200
+
+nftables (0.6-1) unstable; urgency=medium
+
+ * [5564626] Imported Upstream version 0.6
+ * [65ce938] d/control: bump dependency version on libnftnl
+ * [2127d04] d/control: adjust dependecy on libmnl 1.0.3
+ * [d18e174] d/control: point to linux 4.7 in package descriptions
+
+ -- Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com> Fri, 03 Jun 2016 10:31:34 +0200
+
+nftables (0.5+snapshot20160509-1) unstable; urgency=medium
+
+ * [5a7c867] d/tests/internaltests-py.sh: run testsuite with installed
+ binary
+ * [b2282c4] d/tests/systemd-service-test.sh: don't run tests if old
+ kernel is present
+ * [b389985] Imported Upstream version 0.5+snapshot20160509
+
+ -- Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com> Mon, 09 May 2016 13:58:32 +0200
+
+nftables (0.5+snapshot20160426-1) unstable; urgency=medium
+
+ * [955e138] d/tests/systemd-service-test.sh: adapt script to
+ ci.debian.net
+ * [ad1699a] Imported Upstream version 0.5+snapshot20160426
+
+ -- Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com> Tue, 26 Apr 2016 11:01:18 +0200
+
+nftables (0.5+snapshot20160419-3) unstable; urgency=medium
+
+ * [f1d8880] d/control: bump standars-version to 3.9.8
+ * [65bae17] d/tests: add systemd-service-test.sh
+ * [e2e4cd7] d/tests: include script extension in file names
+ * [fd16851] d/: gracefully delete old config files from /etc/nftables
+ (Closes: #822239)
+ * [af57b91] d/rules: prevent dh_installinit to act on
+ /etc/init.d/nftables
+
+ -- Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com> Mon, 25 Apr 2016 11:37:00 +0200
+
+nftables (0.5+snapshot20160419-2) unstable; urgency=medium
+
+ * [cf22dca] d/tests/control: internaltests-shell requires kmod
+ * [dd847bb] d/README.Debian: fix several typos
+
+ -- Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com> Wed, 20 Apr 2016 17:25:50 +0200
+
+nftables (0.5+snapshot20160419-1) unstable; urgency=medium
+
+ * [88b9c37] d/rules: don't add /etc/nftables/ dir to 'nftables' binary package
+ * [e0472f0] sysvinit: the init script is now just an example
+ * [f89907b] examples: restore upstream examples
+ * [8228918] d/nftables.examples: cleanup leftover line regarding upstream
+ examples
+ * [0655029] nftables.conf: provide a skeleton firewall and use the old one as
+ example (Closes: #804648)
+ * [dc504e4] examples/syntax/README: point to the nftables wiki
+ * [ecd9257] examples/syntax/nat: add new example file
+ * [406baf9] examples/syntax/: add a new example file: overview
+ * [3fa3d3e] d/control: bump standards to 3.9.7
+ * [79a8520] Imported Upstream version 0.5+snapshot20160419
+ * [775f2af] d/control: get rid of XS-Testsuite
+ * [9ac90db] d/control: change Vcs-git from git:// to https://
+ * [b4b8ee7] d/control: bump dependency with libnftnl
+ * [9e6b0eb] d/tests: run internal nftables tests (shell)
+ * [f8e3da1] d/tests: run internal nftables tests (py)
+
+ -- Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com> Wed, 20 Apr 2016 12:00:22 +0200
+
+nftables (0.5+snapshot20151106-1) unstable; urgency=medium
+
+ * [bd1e71f] Imported Upstream version 0.5+snapshot20151106
+ * [b7e3c39] d/control: bump build-dep on libnftnl
+
+ -- Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com> Fri, 06 Nov 2015 13:32:49 +0100
+
+nftables (0.5-2) unstable; urgency=medium
+
+ * [92938c3] d/rules: get rid of useless commented line
+ * [a04a737] d/: add nftables-dbg binary package
+
+ -- Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com> Tue, 13 Oct 2015 14:03:25 +0200
+
+nftables (0.5-1) unstable; urgency=medium
+
+ * [007a8d0] Imported Upstream version 0.5
+ * [9a90c87] d/control: nftables 0.5 requires libnftnl >= 1.0.5
+ * [17fdcc1] d/control: update nftables description: linux 4.2 recommended
+ * [a473529] d/copyright: update file to include latest changes in v0.5
+ * [4a9deac] d/copyright: drop copyright for debian/*
+
+ -- Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com> Fri, 18 Sep 2015 11:44:21 +0200
+
+nftables (0.4-7) unstable; urgency=medium
+
+ [ Vincent Blut ]
+ * [0fc181f] d/copyright: fix missing doc/nft.xml license (Closes: #795096)
+
+ [ Arturo Borrero Gonzalez ]
+ * [ae662e4] d/rules: drop get-orig-source code
+
+ -- Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com> Mon, 17 Aug 2015 11:20:15 +0200
+
+nftables (0.4-6) unstable; urgency=medium
+
+ * [4f9fbf0] d/tests/control: add restriction to run test as root
+ * [be594d3] nftables.conf: improve icmpv6 support
+
+ -- Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com> Fri, 15 May 2015 12:53:09 +0200
+
+nftables (0.4-5) unstable; urgency=medium
+
+ * [231244a] sysvinit: don't start the service by default
+
+ -- Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com> Wed, 06 May 2015 11:56:10 +0200
+
+nftables (0.4-4) unstable; urgency=medium
+
+ * [c8b825e] /etc/init.d/nftables: fix inverted logic in status op.
+ Thanks to Manolo Diaz for the fast report (Closes: #783608)
+ * [2105ccb] source: make the build reproducible
+
+ -- Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com> Tue, 05 May 2015 12:15:33 +0200
+
+nftables (0.4-3) unstable; urgency=medium
+
+ * [d42d50f] d/nftables.init: doesn't require networking to stop
+ * [ceee9cb] d/nftables.service: the service is of Type=oneshot
+ * [8415993] d/nftables.init: fix bashism in status operation.
+ Thanks to Manolo Diaz for the bug report (Closes: #775875)
+ * [a0e197a] d/tests: add basic autopkgtest support
+
+ -- Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com> Fri, 20 Mar 2015 21:27:46 +0100
+
+nftables (0.4-2) unstable; urgency=medium
+
+ * Both a /etc/init.d/nftables and a nftables.service files are distributed
+ for admins to easily make nftables theirs system firewalls.
+ * [2237bad] d/nftables.examples: only ship upstream examples, not in
+ /etc/nftables
+
+ -- Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com> Fri, 09 Jan 2015 14:59:47 +0100
+
+nftables (0.4-1) unstable; urgency=medium
+
+ * [b187410] d/control: bump standars to 3.9.6
+ * [2021272] Imported Upstream version 0.4 (Closes: #773401)
+ * [8b73e74] d/patches/: drop all v0.3 patches
+ * [bff758e] d/control: depends on libnftnl >= 1.0.3
+ * [0e2023b] d/copyright: put more general statement first
+ * [b382dff] d/rules: fix perms of files under /etc/nftables
+ * [96252e6] d/rules: disable silent rules
+
+ -- Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com> Mon, 22 Dec 2014 10:33:33 +0100
+
+nftables (0.3-1) unstable; urgency=medium
+
+ * [3a4f54a] d/patches: patch to harden the build
+ * [b6c82d5] Imported Upstream version 0.3
+ * [98e5eb7] d/control: depends on libnftnl >= 1.0.2
+
+ -- Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com> Wed, 25 Jun 2014 19:02:59 +0200
+
+nftables (0.2-2) unstable; urgency=low
+
+ * [6aa52bf] d/README.Debian: fix Patrick McHardy name
+ * [ca0e8ba] d/nftables.links: fix broken links file
+ * [7492a48] d/rules: delete override for dh_auto_test
+ * [1aca9dd] d/patches: improve verbose_build.patch
+
+ -- Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com> Tue, 27 May 2014 11:14:48 +0200
+
+nftables (0.2-1) unstable; urgency=low
+
+ * Initial release (Closes: #522176)
+
+ -- Arturo Borrero Gonzalez <arturo.borrero.glez@gmail.com> Fri, 09 May 2014 19:22:44 +0100
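Review bot: in the 0.7-2 entry, "[bf9bd6e] nftables.service: load firewall earlier in the boot process (Closes: #866902)" is the only behavioural change in this upload and it decides how long interfaces can be up before the ruleset is loaded, yet the entry does not say which ordering changed. State the new ordering of the unit in the entry so that admins who carry their own overrides for nftables.service can tell from the changelog whether those still apply. The misspellings in older entries ("dont'", "dependecy", "standars") are already-published history and are better left untouched.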
diff --git a/debian/compat b/debian/compat
new file mode 100644
index 0000000..f599e28
--- /dev/null
+++ b/debian/compat
@@ -0,0 +1 @@
+10
diff --git a/debian/control b/debian/control
new file mode 100644
index 0000000..ec3731a
--- /dev/null
+++ b/debian/control
@@ -0,0 +1,39 @@
+Source: nftables
+Section: net
+Priority: extra
+Maintainer: Debian Netfilter Packaging Team <pkg-netfilter-team@lists.alioth.debian.org>
+Uploaders: Arturo Borrero Gonzalez <arturo@debian.org>
+Build-Depends: automake,
+ bison,
+ debhelper (>= 10),
+ dh-autoreconf,
+ dh-systemd,
+ docbook2x,
+ flex,
+ libgmp-dev,
+ libmnl-dev (>= 1.0.3),
+ libnftnl-dev (>= 1.0.7),
+ libreadline-dev,
+ libxtables-dev (>= 1.6.0+snapshot20161117-4),
+ libtool (>=2.2.6)
+Standards-Version: 4.0.0
+Homepage: http://www.netfilter.org/
+Vcs-Git: https://anonscm.debian.org/git/pkg-netfilter/pkg-nftables.git/
+Vcs-Browser: https://anonscm.debian.org/cgit/pkg-netfilter/pkg-nftables.git/
+
+Package: nftables
+Architecture: linux-any
+Pre-Depends: dpkg (>= 1.15.7.2)
+Depends: ${misc:Depends}, ${shlibs:Depends}
+Description: Program to control packet filtering rules by Netfilter project
+ These are the user-space administration tools for the Linux
+ kernel's netfilter and nftables. netfilter and nftables provide
+ a framework for stateful and stateless packet filtering, network
+ and port address translation, and other IP packet manipulation.
+ The framework is the successor to iptables.
+ .
+ Netfilter and nftables are used in applications such as Internet
+ connection sharing, firewalls, IP accounting, transparent proxying,
+ advanced routing and traffic control.
+ .
+ A Linux kernel >= 3.13 is required. However, >= 4.10 is recommended.
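Review bot: "Homepage: http://www.netfilter.org/" is the only plain-http URL in the source stanza while both Vcs-* fields use https; switch it to https if the site serves it, so the link users follow from package metadata is not open to rewriting in transit. In Build-Depends, "libtool (>=2.2.6)" is missing the space after the operator that every other versioned entry has, and it sits after libxtables-dev, out of the alphabetical order the rest of the list follows. With "debhelper (>= 10)" and debian/compat at 10, it is also worth checking whether the explicit dh-autoreconf and dh-systemd entries are still needed.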
diff --git a/debian/copyright b/debian/copyright
new file mode 100644
index 0000000..666cf7c
--- /dev/null
+++ b/debian/copyright
@@ -0,0 +1,456 @@
+Format: http://www.debian.org/doc/packaging-manuals/copyright-format/1.0/
+Upstream-Name: nftables
+Source: http://git.netfilter.org/nftables
+
+Files: *
+Copyright: 2008 Patrick McHardy <kaber@trash.net>
+License: GPL-2
+
+Files: src/netlink.c
+Copyright: 2008-2012 Patrick McHardy <kaber@trash.net>
+ 2013 Pablo Neira Ayuso <pablo@netfilter.org>
+License: GPL-2
+
+Files: src/netlink_delinearize.c src/netlink_linearize.c
+Copyright: 2008 Patrick McHardy <kaber@trash.net>
+ 2013 Pablo Neira Ayuso <pablo@netfilter.org>
+License: GPL-2
+
+Files: src/mnl.c
+Copyright: 2013 Pablo Neira Ayuso <pablo@netfilter.org>
+License: GPL-2
+
+Files: src/iface.c
+Copyright: 2015 Pablo Neira Ayuso <pablo@netfilter.org>
+License: GPL-2
+
+Files: src/mini-gmp.c
+Copyright: 1991-1997, 1999-2014, Free Software Foundation, Inc
+License: GPL-2+
+
+Files: include/linux/netfilter_arp.h
+Copyright: 2002 Rusty Russell - IBM
+License: GPL-2
+
+Files: include/linux/netfilter_decnet.h
+Copyright: 1999 Steve Whitehouse
+ 1998 Rusty Russell
+License: GPL-2
+
+Files: include/linux/netfilter_ipv6.h
+Copyright: 1998 Rusty Russell
+ 1999 David Jeffery
+License: GPL-2
+
+Files: include/linux/netfilter_ipv4.h
+Copyright: 1998 Rusty Russell
+License: GPL-2
+
+Files: src/rbtree.c include/rbtree.h
+Copyright: 1999 Andrea Arcangelli <andrea@suse.de>
+ 2002 David Woodhouse <dwmw2@infradead.org>
+License: GPL-2+
+
+Files: doc/nft.xml
+Copyright: 2008-2014 Patrick McHardy <kaber@trash.net>
+License: CC-BY-SA-4.0
+
+License: GPL-2
+ This program is free software; you can redistribute it and/or modify
+ it under the terms of the GNU Library General Public License as published by
+ the Free Software Foundation.
+ .
+ This program is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU Library General Public License for more details.
+ .
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>
+ .
+ On Debian systems, the complete text of the GNU General
+ Public License version 2 can be found in "/usr/share/common-licenses/GPL-2".
+
+License: GPL-2+
+ This package is free software; you can redistribute it and/or modify
+ it under the terms of the GNU General Public License as published by
+ the Free Software Foundation; either version 2 of the License, or
+ (at your option) any later version.
+ .
+ This package is distributed in the hope that it will be useful,
+ but WITHOUT ANY WARRANTY; without even the implied warranty of
+ MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the
+ GNU General Public License for more details.
+ .
+ You should have received a copy of the GNU General Public License
+ along with this program. If not, see <http://www.gnu.org/licenses/>
+ .
+ On Debian systems, the complete text of the GNU General
+ Public License version 2 can be found in "/usr/share/common-licenses/GPL-2".
+
+License: CC-BY-SA-4.0
+ Creative Commons Attribution-ShareAlike 4.0 International
+ .
+ Creative Commons Corporation (“Creative Commons”) is not a law firm and does
+ not provide legal services or legal advice. Distribution of Creative Commons
+ public licenses does not create a lawyer-client or other relationship.
+ Creative Commons makes its licenses and related information available on an
+ “as-is” basis. Creative Commons gives no warranties regarding its licenses,
+ any material licensed under their terms and conditions, or any related
+ information. Creative Commons disclaims all liability for damages resulting
+ from their use to the fullest extent possible. Using Creative Commons Public
+ Licenses Creative Commons public licenses provide a standard set of terms and
+ conditions that creators and other rights holders may use to share original
+ works of authorship and other material subject to copyright and certain other
+ rights specified in the public license below. The following considerations
+ are for informational purposes only, are not exhaustive, and do not form part
+ of our licenses. Considerations for licensors: Our public licenses are
+ intended for use by those authorized to give the public permission to use
+ material in ways otherwise restricted by copyright and certain other rights.
+ Our licenses are irrevocable. Licensors should read and understand the terms
+ and conditions of the license they choose before applying it. Licensors
+ should also secure all rights necessary before applying our licenses so that
+ the public can reuse the material as expected. Licensors should clearly mark
+ any material not subject to the license. This includes other CC-licensed
+ material, or material used under an exception or limitation to copyright.
+ More considerations for licensors. Considerations for the public: By using
+ one of our public licenses, a licensor grants the public permission to use
+ the licensed material under specified terms and conditions. If the licensor’s
+ permission is not necessary for any reason–for example, because of any
+ applicable exception or limitation to copyright–then that use is not
+ regulated by the license. Our licenses grant only permissions under copyright
+ and certain other rights that a licensor has authority to grant. Use of
+ the licensed material may still be restricted for other reasons, including
+ because others have copyright or other rights in the material. A licensor
+ may make special requests, such as asking that all changes be marked or
+ described. Although not required by our licenses, you are encouraged to
+ respect those requests where reasonable. More considerations for the public.
+ .
+ Creative Commons Attribution-ShareAlike 4.0 International Public License
+ .
+ By exercising the Licensed Rights (defined below), You accept and agree
+ to be bound by the terms and conditions of this Creative Commons
+ Attribution-ShareAlike 4.0 International Public License ("Public License").
+ To the extent this Public License may be interpreted as a contract, You are
+ granted the Licensed Rights in consideration of Your acceptance of these
+ terms and conditions, and the Licensor grants You such rights in consideration
+ of benefits the Licensor receives from making the Licensed Material available
+ under these terms and conditions.
+ .
+ Section 1 – Definitions.
+ .
+ a. Adapted Material means material subject to Copyright and Similar Rights
+ that is derived from or based upon the Licensed Material and in which the
+ Licensed Material is translated, altered, arranged, transformed, or
+ otherwise modified in a manner requiring permission under the Copyright
+ and Similar Rights held by the Licensor. For purposes of this Public
+ License, where the Licensed Material is a musical work, performance, or
+ sound recording, Adapted Material is always produced where the Licensed
+ Material is synched in timed relation with a moving image.
+ .
+ b. Adapter's License means the license You apply to Your Copyright and
+ Similar Rights in Your contributions to Adapted Material in accordance
+ with the terms and conditions of this Public License.
+ .
+ c. BY-SA Compatible License means a license listed at
+ creativecommons.org/compatiblelicenses, approved by Creative Commons
+ as essentially the equivalent of this Public License.
+ .
+ d. Copyright and Similar Rights means copyright and/or similar rights closely
+ related to copyright including, without limitation, performance,
+ broadcast, sound recording, and Sui Generis Database Rights, without
+ regard to how the rights are labeled or categorized. For purposes of this
+ Public License, the rights specified in Section 2(b)(1)-(2) are not
+ Copyright and Similar Rights.
+ .
+ e. Effective Technological Measures means those measures that, in the absence
+ of proper authority, may not be circumvented under laws fulfilling
+ obligations under Article 11 of the WIPO Copyright Treaty adopted on
+ December 20, 1996, and/or similar international agreements.
+ .
+ f. Exceptions and Limitations means fair use, fair dealing, and/or any other
+ exception or limitation to Copyright and Similar Rights that applies to
+ Your use of the Licensed Material.
+ .
+ g. License Elements means the license attributes listed in the name of a
+ Creative Commons Public License. The License Elements of this Public
+ License are Attribution and ShareAlike.
+ .
+ h. Licensed Material means the artistic or literary work, database, or other
+ material to which the Licensor applied this Public License.
+ .
+ i. Licensed Rights means the rights granted to You subject to the terms and
+ conditions of this Public License, which are limited to all Copyright and
+ Similar Rights that apply to Your use of the Licensed Material and that
+ the Licensor has authority to license.
+ .
+ j. Licensor means the individual(s) or entity(ies) granting rights under this
+ Public License.
+ .
+ k. Share means to provide material to the public by any means or process that
+ requires permission under the Licensed Rights, such as reproduction,
+ public display, public performance, distribution, dissemination,
+ communication, or importation, and to make material available to the
+ public including in ways that members of the public may access the
+ material from a place and at a time individually chosen by them.
+ .
+ l. Sui Generis Database Rights means rights other than copyright resulting
+ from Directive 96/9/EC of the European Parliament and of the Council of
+ 11 March 1996 on the legal protection of databases, as amended and/or
+ succeeded, as well as other essentially equivalent rights anywhere in the
+ world.
+ .
+ m. You means the individual or entity exercising the Licensed Rights under
+ this Public License. Your has a corresponding meaning.
+ .
+ Section 2 – Scope.
+ .
+ a. License grant.
+ .
+ 1. Subject to the terms and conditions of this Public License, the
+ Licensor hereby grants You a worldwide, royalty-free,
+ non-sublicensable, non-exclusive, irrevocable license to exercise
+ the Licensed Rights in the Licensed Material to:
+ .
+ A. reproduce and Share the Licensed Material, in whole or in part; and
+ B. produce, reproduce, and Share Adapted Material.
+ .
+ 2. Exceptions and Limitations. For the avoidance of doubt, where
+ Exceptions and Limitations apply to Your use, this Public License
+ does not apply, and You do not need to comply with its terms and
+ conditions.
+ .
+ 3. Term. The term of this Public License is specified in Section 6(a).
+ .
+ 4. Media and formats; technical modifications allowed. The Licensor
+ authorizes You to exercise the Licensed Rights in all media and
+ formats whether now known or hereafter created, and to make
+ technical modifications necessary to do so. The Licensor waives
+ and/or agrees not to assert any right or authority to forbid You
+ from making technical modifications necessary to exercise the
+ Licensed Rights, including technical modifications necessary to
+ circumvent Effective Technological Measures. For purposes of this
+ Public License, simply making modifications authorized by this
+ Section 2(a)(4) never produces Adapted Material.
+ .
+ 5. Downstream recipients.
+ .
+ A. Offer from the Licensor – Licensed Material. Every recipient of
+ the Licensed Material automatically receives an offer from the
+ Licensor to exercise the Licensed Rights under the terms and
+ conditions of this Public License.
+ .
+ B. Additional offer from the Licensor – Adapted Material. Every
+ recipient of Adapted Material from You automatically receives an
+ offer from the Licensor to exercise the Licensed Rights in the
+ Adapted Material under the conditions of the Adapter’s License
+ You apply.
+ .
+ C. No downstream restrictions. You may not offer or impose any
+ additional or different terms or conditions on, or apply any
+ Effective Technological Measures to, the Licensed Material if
+ doing so restricts exercise of the Licensed Rights by any
+ recipient of the Licensed Material.
+ .
+ 6. No endorsement. Nothing in this Public License constitutes or may be
+ construed as permission to assert or imply that You are, or that Your
+ use of the Licensed Material is, connected with, or sponsored,
+ endorsed, or granted official status by, the Licensor or others
+ designated to receive attribution as provided in Section 3(a)(1)(A)(i).
+ .
+ b. Other rights.
+ .
+ 1. Moral rights, such as the right of integrity, are not licensed under
+ this Public License, nor are publicity, privacy, and/or other similar
+ personality rights; however, to the extent possible, the Licensor
+ waives and/or agrees not to assert any such rights held by the
+ Licensor to the limited extent necessary to allow You to exercise the
+ Licensed Rights, but not otherwise.
+ .
+ 2. Patent and trademark rights are not licensed under this Public License.
+ .
+ 3. To the extent possible, the Licensor waives any right to collect
+ royalties from You for the exercise of the Licensed Rights, whether
+ directly or through a collecting society under any voluntary or
+ waivable statutory or compulsory licensing scheme. In all other
+ cases the Licensor expressly reserves any right to collect such
+ royalties.
+ .
+ Section 3 – License Conditions.
+ .
+ Your exercise of the Licensed Rights is expressly made subject to the
+ following conditions.
+ .
+ a. Attribution.
+ .
+ 1. If You Share the Licensed Material (including in modified form),
+ You must:
+ .
+ A. retain the following if it is supplied by the Licensor with
+ the Licensed Material:
+ .
+ i. identification of the creator(s) of the Licensed Material
+ and any others designated to receive attribution, in any
+ reasonable manner requested by the Licensor (including by
+ pseudonym if designated);
+ .
+ ii. a copyright notice;
+ .
+ iii. a notice that refers to this Public License;
+ .
+ iv. a notice that refers to the disclaimer of warranties;
+ .
+ v. a URI or hyperlink to the Licensed Material to the extent
+ reasonably practicable;
+ .
+ B. indicate if You modified the Licensed Material and retain an
+ indication of any previous modifications; and
+ .
+ C. indicate the Licensed Material is licensed under this Public
+ License, and include the text of, or the URI or hyperlink to,
+ this Public License.
+ .
+ 2. You may satisfy the conditions in Section 3(a)(1) in any reasonable
+ manner based on the medium, means, and context in which You Share
+ the Licensed Material. For example, it may be reasonable to satisfy
+ the conditions by providing a URI or hyperlink to a resource that
+ includes the required information.
+ .
+ 3. If requested by the Licensor, You must remove any of the information
+ required by Section 3(a)(1)(A) to the extent reasonably practicable.
+ .
+ b. ShareAlike.In addition to the conditions in Section 3(a), if You Share
+ Adapted Material You produce, the following conditions also apply.
+ .
+ 1. The Adapter’s License You apply must be a Creative Commons license
+ with the same License Elements, this version or later, or a BY-SA
+ Compatible License.
+ .
+ 2. You must include the text of, or the URI or hyperlink to, the
+ Adapter's License You apply. You may satisfy this condition in
+ any reasonable manner based on the medium, means, and context in
+ which You Share Adapted Material.
+ .
+ 3. You may not offer or impose any additional or different terms or
+ conditions on, or apply any Effective Technological Measures to,
+ Adapted Material that restrict exercise of the rights granted under
+ the Adapter's License You apply.
+ .
+ Section 4 – Sui Generis Database Rights.
+ .
+ Where the Licensed Rights include Sui Generis Database Rights that apply to
+ Your use of the Licensed Material:
+ .
+ a. for the avoidance of doubt, Section 2(a)(1) grants You the right to
+ extract, reuse, reproduce, and Share all or a substantial portion of
+ the contents of the database;
+ .
+ b. if You include all or a substantial portion of the database contents
+ in a database in which You have Sui Generis Database Rights, then the
+ database in which You have Sui Generis Database Rights (but not its
+ individual contents) is Adapted Material, including for purposes of
+ Section 3(b); and
+ .
+ c. You must comply with the conditions in Section 3(a) if You Share all
+ or a substantial portion of the contents of the database.
+ For the avoidance of doubt, this Section 4 supplements and does not
+ replace Your obligations under this Public License where the Licensed
+ Rights include other Copyright and Similar Rights.
+ .
+ Section 5 – Disclaimer of Warranties and Limitation of Liability.
+ .
+ a. Unless otherwise separately undertaken by the Licensor, to the extent
+ possible, the Licensor offers the Licensed Material as-is and
+ as-available, and makes no representations or warranties of any kind
+ concerning the Licensed Material, whether express, implied, statutory,
+ or other. This includes, without limitation, warranties of title,
+ merchantability, fitness for a particular purpose, non-infringement,
+ absence of latent or other defects, accuracy, or the presence or
+ absence of errors, whether or not known or discoverable. Where
+ disclaimers of warranties are not allowed in full or in part, this
+ disclaimer may not apply to You.
+ .
+ b. To the extent possible, in no event will the Licensor be liable to
+ You on any legal theory (including, without limitation, negligence)
+ or otherwise for any direct, special, indirect, incidental,
+ consequential, punitive, exemplary, or other losses, costs, expenses,
+ or damages arising out of this Public License or use of the Licensed
+ Material, even if the Licensor has been advised of the possibility of
+ such losses, costs, expenses, or damages. Where a limitation of
+ liability is not allowed in full or in part, this limitation may not
+ apply to You.
+ .
+ c. The disclaimer of warranties and limitation of liability provided above
+ shall be interpreted in a manner that, to the extent possible, most
+ closely approximates an absolute disclaimer and waiver of all liability.
+ .
+ Section 6 – Term and Termination.
+ .
+ a. This Public License applies for the term of the Copyright and Similar
+ Rights licensed here. However, if You fail to comply with this Public
+ License, then Your rights under this Public License terminate
+ automatically.
+ .
+ b. Where Your right to use the Licensed Material has terminated under
+ Section 6(a), it reinstates:
+ .
+ 1. automatically as of the date the violation is cured, provided it
+ is cured within 30 days of Your discovery of the violation; or
+ .
+ 2. upon express reinstatement by the Licensor.
+ .
+ c. For the avoidance of doubt, this Section 6(b) does not affect any right
+ the Licensor may have to seek remedies for Your violations of this Public
+ License.
+ .
+ d. For the avoidance of doubt, the Licensor may also offer the Licensed
+ Material under separate terms or conditions or stop distributing the
+ Licensed Material at any time; however, doing so will not terminate
+ this Public License.
+ .
+ e. Sections 1, 5, 6, 7, and 8 survive termination of this Public License.
+ .
+ Section 7 – Other Terms and Conditions.
+ .
+ a. The Licensor shall not be bound by any additional or different terms
+ or conditions communicated by You unless expressly agreed.
+ .
+ b. Any arrangements, understandings, or agreements regarding the Licensed
+ Material not stated herein are separate from and independent of the
+ terms and conditions of this Public License.
+ .
+ Section 8 – Interpretation.
+ .
+ a. For the avoidance of doubt, this Public License does not, and shall
+ not be interpreted to, reduce, limit, restrict, or impose conditions
+ on any use of the Licensed Material that could lawfully be made without
+ permission under this Public License.
+ .
+ b. To the extent possible, if any provision of this Public License is
+ deemed unenforceable, it shall be automatically reformed to the minimum
+ extent necessary to make it enforceable. If the provision cannot be
+ reformed, it shall be severed from this Public License without affecting
+ the enforceability of the remaining terms and conditions.
+ .
+ c. No term or condition of this Public License will be waived and no
+ failure to comply consented to unless expressly agreed to by the
+ Licensor.
+ .
+ d. Nothing in this Public License constitutes or may be interpreted as a
+ limitation upon, or waiver of, any privileges and immunities that apply
+ to the Licensor or You, including from the legal processes of any
+ jurisdiction or authority.
+ .
+ Creative Commons is not a party to its public licenses. Notwithstanding,
+ Creative Commons may elect to apply one of its public licenses to material
+ it publishes and in those instances will be considered the “Licensor.”
+ Except for the limited purpose of indicating that material is shared under
+ a Creative Commons public license or as otherwise permitted by the Creative
+ Commons policies published at creativecommons.org/policies, Creative Commons
+ does not authorize the use of the trademark “Creative Commons” or any other
+ trademark or logo of Creative Commons without its prior written consent
+ including, without limitation, in connection with any unauthorized
+ modifications to any of its public licenses or any other arrangements,
+ understandings, or agreements concerning use of licensed material. For the
+ avoidance of doubt, this paragraph does not form part of the public licenses.
+ Creative Commons may be contacted at creativecommons.org.
diff --git a/debian/examples/syntax/README b/debian/examples/syntax/README
new file mode 100644
index 0000000..3c0ff46
--- /dev/null
+++ b/debian/examples/syntax/README
@@ -0,0 +1,13 @@
+These are some examples of the nftables syntax.
+
+You may find example configurations for different families and operations (nat,
+filter, mangle).
+
+Also, you may find concrete configurations models, for example a simple
+ruleset for a workstation.
+
+For up-to-date information about syntax and usage, head to the official
+wiki at: http://wiki.nftables.org
+---
+ The nftables package Debian maintainer,
+ Arturo Borrero Gonzalez - 13/Nov/2015
diff --git a/debian/examples/syntax/nat b/debian/examples/syntax/nat
new file mode 100644
index 0000000..ec17b02
--- /dev/null
+++ b/debian/examples/syntax/nat
@@ -0,0 +1,30 @@
+#!/usr/sbin/nft -f
+
+table ip nat {
+ chain prerouting {
+ type nat hook prerouting priority 0;
+
+ #Thanks to nftables maps, if you have a previous iptables NAT (destination NAT) ruleset like this:
+ # % iptables -t nat -A PREROUTING -p tcp --dport 1000 -j DNAT --to-destination 1.1.1.1:1234
+ # % iptables -t nat -A PREROUTING -p udp --dport 2000 -j DNAT --to-destination 2.2.2.2:2345
+ # % iptables -t nat -A PREROUTING -p tcp --dport 3000 -j DNAT --to-destination 3.3.3.3:3456
+
+ # It can be easily translated to nftables in a single line:
+
+ dnat tcp dport map { 1000 : 1.1.1.1, 2000 : 2.2.2.2, 3000 : 3.3.3.3} \
+ : tcp dport map { 1000 : 1234, 2000 : 2345, 3000 : 3456 }
+ }
+
+ chain postrouting {
+ type nat hook postrouting priority 0;
+
+ #Likewise, in iptables NAT (source NAT):
+ # % iptables -t nat -A POSTROUTING -s 192.168.1.1 -j SNAT --to-source 1.1.1.1
+ # % iptables -t nat -A POSTROUTING -s 192.168.2.2 -j SNAT --to-source 2.2.2.2
+ # % iptables -t nat -A POSTROUTING -s 192.168.3.3 -j SNAT --to-source 3.3.3.3
+
+ # Translated to a nftables one-liner:
+
+ snat ip saddr map { 192.168.1.1 : 1.1.1.1, 192.168.2.2 : 2.2.2.2, 192.168.3.3 : 3.3.3.3 }
+ }
+}
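Review bot: The DNAT one-liner in chain prerouting is not equivalent to the iptables rules quoted above it. The second iptables rule matches `-p udp --dport 2000`, but the nftables rule keys both maps on `tcp dport`, so udp/2000 is never translated and tcp/2000 is translated where it was not before. Either change the iptables example to use tcp for all three ports or add a separate `udp dport` rule, so a reader migrating a ruleset by copying this does not silently change what is exposed.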
diff --git a/debian/examples/syntax/overview b/debian/examples/syntax/overview
new file mode 100644
index 0000000..95465c2
--- /dev/null
+++ b/debian/examples/syntax/overview
@@ -0,0 +1,56 @@
+#!/usr/sbin/nft -f
+
+table inet overview_test_table {
+ chain overview_test_chain {
+ #
+ # simple selectors
+ #
+
+ # source & destination address
+ ip saddr 1.1.1.1 ip daddr 2.2.2.2
+
+ # tcp or udp ports
+ tcp dport 123
+ udp sport 123
+
+ # using sets
+ ip saddr {1.1.1.1, 2.2.2.2} ip daddr {3.3.3.3, 4.4.4.4} tcp dport {22, 80, 443}
+
+ # packets meta information: nic names
+ iifname eth0 oifname eth1
+
+ # packets meta information: nic index
+ iif bond0 oif bond1
+
+ # conntrack engine states
+ ct state new,established
+ ct state invalid
+ ct state established,related
+
+ #
+ # simple verdicts (iptables targets)
+ #
+
+ # counter and drop all traffic
+ counter drop
+
+ # accept all traffic
+ accept
+
+ #
+ # rejecting traffic (more info at http://wiki.nftables.org/)
+ #
+
+ # counter and reject all traffic
+ counter reject
+
+ # reject with a concrete ICMP code (reject
+ reject with icmp type host-unreachable
+
+ # reject with a concrete ICMPv6 code
+ reject with icmpv6 type no-route
+
+ # multi-family reject, using the icmpx keyword
+ reject with icmpx type admin-prohibited
+ }
+}
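Review bot: The comment `# reject with a concrete ICMP code (reject` ends in an unclosed parenthesis and looks cut off mid-sentence; finish the thought or drop the parenthetical. It would also help to say at the top of the file that `overview_test_chain` has no `type ... hook ...` line and so is never traversed, since the early `counter drop` followed by `accept` would otherwise read as a working policy.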
diff --git a/debian/examples/syntax/workstation b/debian/examples/syntax/workstation
new file mode 100644
index 0000000..a3697b9
--- /dev/null
+++ b/debian/examples/syntax/workstation
@@ -0,0 +1,24 @@
+#!/usr/sbin/nft -f
+
+flush ruleset
+
+table inet filter {
+ chain input {
+ type filter hook input priority 0;
+
+ # accept any localhost traffic
+ iif lo accept
+
+ # accept traffic originated from us
+ ct state established,related accept
+
+ # activate the following line to accept common local services
+ #tcp dport { 22, 80, 443 } ct state new accept
+
+ # accept neighbour discovery otherwise IPv6 connectivity breaks.
+ ip6 nexthdr icmpv6 icmpv6 type { nd-neighbor-solicit, nd-router-advert, nd-neighbor-advert } accept
+
+ # count and drop any other traffic
+ counter drop
+ }
+}
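Review bot: The input chain is declared as `type filter hook input priority 0;` with no policy, so it keeps the default accept policy and the only thing blocking traffic is the trailing `counter drop` rule. Anyone who edits the file and loses or reorders that last rule ends up with an open host. Consider `type filter hook input priority 0; policy drop;` and keeping a `counter` rule at the end only for accounting.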
diff --git a/debian/examples/sysvinit/README b/debian/examples/sysvinit/README
new file mode 100644
index 0000000..b1002f6
--- /dev/null
+++ b/debian/examples/sysvinit/README
@@ -0,0 +1,14 @@
+The file /usr/share/doc/nftables/examples/sysvinit/nftables.init is a typical
+sysvinit script for you to use as /etc/init.d/nftables.
+
+Given Debian default init system is systemd, I have no intention to support
+sysvinit apart of providing this example file.
+
+Read the script carefully before using it, as is just an example.
+You will likely require to manually edit and install the script in order to
+properly use it.
+
+I will probably drop all sysvinit-related stuff like this in the future.
+---
+ The nftables package Debian maintainer,
+ Arturo Borrero Gonzalez - 12/Nov/2015
diff --git a/debian/examples/sysvinit/nftables.init b/debian/examples/sysvinit/nftables.init
new file mode 100644
index 0000000..777d393
--- /dev/null
+++ b/debian/examples/sysvinit/nftables.init
@@ -0,0 +1,122 @@
+#!/bin/sh
+### BEGIN INIT INFO
+# Provides: nftables
+# Required-Start: $local_fs $network $remote_fs $syslog
+# Required-Stop: $local_fs $remote_fs $syslog
+# Default-Start:
+# Default-Stop: 0 1 2 3 4 5 6
+# Short-Description: nftables firewall service
+# Description: nftables firewall system service
+### END INIT INFO
+
+# Author: Arturo Borrero Gonzalez <arturo@debian.org>
+
+# Do NOT "set -e"
+
+CONF=/etc/nftables.conf
+
+# PATH should only include /usr/* if it runs after the mountnfs.sh script
+PATH=/sbin:/usr/sbin:/bin:/usr/bin
+DESC="firewall service"
+NAME=nftables
+BIN=/usr/sbin/nft
+SCRIPTNAME=/etc/init.d/$NAME
+
+# Exit if the package is not installed
+[ -x "$BIN" ] || exit 0
+
+# Load the VERBOSE setting and other rcS variables
+. /lib/init/vars.sh
+
+# Define LSB log_* functions.
+# Depend on lsb-base (>= 3.2-14) to ensure that this file is present
+# and status_of_proc is working.
+. /lib/lsb/init-functions
+
+do_start()
+{
+ # Return
+ # 0 if start OK
+ # 2 if start NOK
+
+ # nft v0.4 return 0 if ENOENT $CONF
+ if [ ! -r "$CONF" ] ; then
+ echo "E: No such $NAME $DESC config file $CONF" >&2
+ return 2
+ fi
+
+ $BIN -f $CONF || return 2
+}
+
+do_stop()
+{
+ # Return
+ # 0 if stopped
+ # 1 if already stopped
+ # 2 if could not be stopped
+ if ! do_status ; then
+ $BIN flush ruleset || return 2
+ fi
+}
+
+do_status()
+{
+ # Return
+ # 0 if no rules
+ # 1 if rules
+ if [ "$($BIN list ruleset 2>/dev/null | wc -l)" = "0" ] ; then
+ return 0
+ fi
+
+ return 1
+}
+
+case "$1" in
+ start)
+ [ "$VERBOSE" != no ] && log_daemon_msg "Starting $DESC" "$NAME"
+ do_start
+ ret="$?"
+ case "$ret" in
+ 0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;;
+ 2) [ "$VERBOSE" != no ] && log_end_msg 1 ;;
+ esac
+ exit $ret
+ ;;
+ restart|force-reload)
+ [ "$VERBOSE" != no ] && log_daemon_msg "Restarting $DESC" "$NAME"
+ do_start
+ ret="$?"
+ case "$ret" in
+ 0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;;
+ 2) [ "$VERBOSE" != no ] && log_end_msg 1 ;;
+ esac
+ exit $ret
+ ;;
+ stop)
+ [ "$VERBOSE" != no ] && log_daemon_msg "Stopping $DESC" "$NAME"
+ do_stop
+ ret="$?"
+ case "$ret" in
+ 0|1) [ "$VERBOSE" != no ] && log_end_msg 0 ;;
+ 2) [ "$VERBOSE" != no ] && log_end_msg 1 ;;
+ esac
+ exit $ret
+ ;;
+ status)
+ if ! do_status ; then
+ [ "$VERBOSE" != no ] && log_daemon_msg "Status of ${DESC}: rules loaded" "$NAME"
+ [ "$VERBOSE" != no ] && log_end_msg 0
+ exit 0
+ else
+ [ "$VERBOSE" != no ] && log_daemon_msg "Status of ${DESC}: no rules loaded" "$NAME"
+ [ "$VERBOSE" != no ] && log_end_msg 1
+ exit 1
+ fi
+ ;;
+ *)
+ echo "Usage: $SCRIPTNAME {start|stop|status|restart|force-reload}" >&2
+ exit 3
+ ;;
+esac
+
+:
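Review bot: In the `restart|force-reload` branch only `do_start` is called, so a restart loads `$CONF` on top of whatever ruleset is already in the kernel; this is only a clean reload if the config file itself starts with `flush ruleset`. Either call `do_stop` first or state that requirement in a comment. Smaller points: `$BIN -f $CONF` should quote `"$CONF"`, and `do_stop` documents a return of 1 for "already stopped" but never returns it.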
diff --git a/debian/nftables.conf b/debian/nftables.conf
new file mode 100644
index 0000000..a58f4ce
--- /dev/null
+++ b/debian/nftables.conf
@@ -0,0 +1,15 @@
+#!/usr/sbin/nft -f
+
+flush ruleset
+
+table inet filter {
+ chain input {
+ type filter hook input priority 0;
+ }
+ chain forward {
+ type filter hook forward priority 0;
+ }
+ chain output {
+ type filter hook output priority 0;
+ }
+}
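Review bot: All three base chains are empty and declare no policy, so they keep the default accept policy; once the service is enabled, this file flushes any existing ruleset and replaces it with one that filters nothing. That is a reasonable skeleton for a conffile, but the file should say so in a comment and point at the workstation example under /usr/share/doc/nftables/examples, so an admin who enables the unit does not assume a firewall is in place.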
diff --git a/debian/nftables.examples b/debian/nftables.examples
new file mode 100644
index 0000000..55b78ae
--- /dev/null
+++ b/debian/nftables.examples
@@ -0,0 +1 @@
+debian/examples/*
diff --git a/debian/nftables.install b/debian/nftables.install
new file mode 100644
index 0000000..0114207
--- /dev/null
+++ b/debian/nftables.install
@@ -0,0 +1 @@
+debian/nftables.conf etc
diff --git a/debian/nftables.links b/debian/nftables.links
new file mode 100644
index 0000000..c092691
--- /dev/null
+++ b/debian/nftables.links
@@ -0,0 +1 @@
+usr/share/man/man8/nft.8.gz usr/share/man/man8/nftables.8.gz
diff --git a/debian/nftables.postinst b/debian/nftables.postinst
new file mode 100644
index 0000000..90b1331
--- /dev/null
+++ b/debian/nftables.postinst
@@ -0,0 +1,41 @@
+#!/bin/bash
+
+set -e
+
+dpkg-maintscript-helper rm_conffile \
+ /etc/nftables/bridge-filter \
+ 0.5+snapshot20151106-1 nftables -- "$@"
+
+dpkg-maintscript-helper rm_conffile \
+ /etc/nftables/inet-filter \
+ 0.5+snapshot20151106-1 nftables -- "$@"
+
+dpkg-maintscript-helper rm_conffile \
+ /etc/nftables/ipv4-filter \
+ 0.5+snapshot20151106-1 nftables -- "$@"
+
+dpkg-maintscript-helper rm_conffile \
+ /etc/nftables/ipv4-mangle \
+ 0.5+snapshot20151106-1 nftables -- "$@"
+
+dpkg-maintscript-helper rm_conffile \
+ /etc/nftables/ipv4-nat \
+ 0.5+snapshot20151106-1 nftables -- "$@"
+
+dpkg-maintscript-helper rm_conffile \
+ /etc/nftables/ipv6-filter \
+ 0.5+snapshot20151106-1 nftables -- "$@"
+
+dpkg-maintscript-helper rm_conffile \
+ /etc/nftables/ipv6-mangle \
+ 0.5+snapshot20151106-1 nftables -- "$@"
+
+dpkg-maintscript-helper rm_conffile \
+ /etc/nftables/ipv6-nat \
+ 0.5+snapshot20151106-1 nftables -- "$@"
+
+dpkg-maintscript-helper rm_conffile \
+ /etc/init.d/nftables \
+ 0.6-1~ nftables -- "$@"
+
+#DEBHELPER#
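Review bot: The nine `dpkg-maintscript-helper rm_conffile` calls here are repeated verbatim in postrm and preinst (all three files share index 90b1331). A single debian/nftables.maintscript file with one `rm_conffile <path> <version> nftables` line per conffile lets debhelper generate the snippets for every maintainer script and removes the risk of the three copies drifting apart. If the scripts stay, nothing in them needs bash, so `#!/bin/sh` would do.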
diff --git a/debian/nftables.postrm b/debian/nftables.postrm
new file mode 100644
index 0000000..90b1331
--- /dev/null
+++ b/debian/nftables.postrm
@@ -0,0 +1,41 @@
+#!/bin/bash
+
+set -e
+
+dpkg-maintscript-helper rm_conffile \
+ /etc/nftables/bridge-filter \
+ 0.5+snapshot20151106-1 nftables -- "$@"
+
+dpkg-maintscript-helper rm_conffile \
+ /etc/nftables/inet-filter \
+ 0.5+snapshot20151106-1 nftables -- "$@"
+
+dpkg-maintscript-helper rm_conffile \
+ /etc/nftables/ipv4-filter \
+ 0.5+snapshot20151106-1 nftables -- "$@"
+
+dpkg-maintscript-helper rm_conffile \
+ /etc/nftables/ipv4-mangle \
+ 0.5+snapshot20151106-1 nftables -- "$@"
+
+dpkg-maintscript-helper rm_conffile \
+ /etc/nftables/ipv4-nat \
+ 0.5+snapshot20151106-1 nftables -- "$@"
+
+dpkg-maintscript-helper rm_conffile \
+ /etc/nftables/ipv6-filter \
+ 0.5+snapshot20151106-1 nftables -- "$@"
+
+dpkg-maintscript-helper rm_conffile \
+ /etc/nftables/ipv6-mangle \
+ 0.5+snapshot20151106-1 nftables -- "$@"
+
+dpkg-maintscript-helper rm_conffile \
+ /etc/nftables/ipv6-nat \
+ 0.5+snapshot20151106-1 nftables -- "$@"
+
+dpkg-maintscript-helper rm_conffile \
+ /etc/init.d/nftables \
+ 0.6-1~ nftables -- "$@"
+
+#DEBHELPER#
diff --git a/debian/nftables.preinst b/debian/nftables.preinst
new file mode 100644
index 0000000..90b1331
--- /dev/null
+++ b/debian/nftables.preinst
@@ -0,0 +1,41 @@
+#!/bin/bash
+
+set -e
+
+dpkg-maintscript-helper rm_conffile \
+ /etc/nftables/bridge-filter \
+ 0.5+snapshot20151106-1 nftables -- "$@"
+
+dpkg-maintscript-helper rm_conffile \
+ /etc/nftables/inet-filter \
+ 0.5+snapshot20151106-1 nftables -- "$@"
+
+dpkg-maintscript-helper rm_conffile \
+ /etc/nftables/ipv4-filter \
+ 0.5+snapshot20151106-1 nftables -- "$@"
+
+dpkg-maintscript-helper rm_conffile \
+ /etc/nftables/ipv4-mangle \
+ 0.5+snapshot20151106-1 nftables -- "$@"
+
+dpkg-maintscript-helper rm_conffile \
+ /etc/nftables/ipv4-nat \
+ 0.5+snapshot20151106-1 nftables -- "$@"
+
+dpkg-maintscript-helper rm_conffile \
+ /etc/nftables/ipv6-filter \
+ 0.5+snapshot20151106-1 nftables -- "$@"
+
+dpkg-maintscript-helper rm_conffile \
+ /etc/nftables/ipv6-mangle \
+ 0.5+snapshot20151106-1 nftables -- "$@"
+
+dpkg-maintscript-helper rm_conffile \
+ /etc/nftables/ipv6-nat \
+ 0.5+snapshot20151106-1 nftables -- "$@"
+
+dpkg-maintscript-helper rm_conffile \
+ /etc/init.d/nftables \
+ 0.6-1~ nftables -- "$@"
+
+#DEBHELPER#
diff --git a/debian/nftables.service b/debian/nftables.service
new file mode 100644
index 0000000..b545e31
--- /dev/null
+++ b/debian/nftables.service
@@ -0,0 +1,17 @@
+[Unit]
+Description=nftables
+Documentation=man:nft(8) http://wiki.nftables.org
+Before=network-pre.target
+
+[Service]
+Type=oneshot
+RemainAfterExit=yes
+StandardInput=null
+ProtectSystem=full
+ProtectHome=true
+ExecStart=/usr/sbin/nft -f /etc/nftables.conf
+ExecReload=/usr/sbin/nft -f /etc/nftables.conf
+ExecStop=/usr/sbin/nft flush ruleset
+
+[Install]
+WantedBy=network.target
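Review bot: `Before=network-pre.target` in [Unit] has no matching `Wants=network-pre.target`. network-pre.target is a passive unit, so unless something pulls it in, the ordering has no effect and the ruleset may be loaded after interfaces are already up. Add the `Wants=` line, and reconsider `WantedBy=network.target` in [Install], which ties activation to a target reached only after the network has been configured.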
diff --git a/debian/patches/reproducible.patch b/debian/patches/reproducible.patch
new file mode 100644
index 0000000..4ef43c1
--- /dev/null
+++ b/debian/patches/reproducible.patch
@@ -0,0 +1,30 @@
+From: Arturo Borrero Gonzalez <arturo@debian.org>
+Subject: Allow nftables reproducible build
+ This patch allows nftables to have reproducible build as seen by
+ the service at reproducible.debian.net.
+ .
+ Currently, the only fix is for docbook2x which embeds the current date
+ by default into generated manpages.
+ .
+ More info on this at:
+ https://wiki.debian.org/ReproducibleBuilds/TimestampsInManpagesGeneratedByDocbook2x
+Forwarded: not-needed
+Last-Update: 2015-04-29
+
+--- a/doc/Makefile.am
++++ b/doc/Makefile.am
+@@ -8,11 +8,13 @@
+
+ pdfdir=${docdir}/pdf
+
++BUILD_DATE=$(shell dpkg-parsechangelog -l../debian/changelog -S Date | LC_ALL=C date -u "+%d %B %Y" -f -)
++
+ .xml.pdf:
+ ${AM_V_GEN}dblatex -q -t pdf -o $@ $<
+
+ .xml.8:
+- ${AM_V_GEN}${DB2MAN} --xinclude $<
++ ${AM_V_GEN}${DB2MAN} --string-param header-3="$(BUILD_DATE)" --xinclude $<
+
+ EXTRA_DIST = nft.xml
+
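Review bot: The new `BUILD_DATE` line reads the changelog through `-l../debian/changelog`, a path relative to doc/, so it only resolves when make runs in-tree from that directory; an out-of-tree build would get an empty date. `$(top_srcdir)/debian/changelog` would be more robust. The header mentions that the date is the only fix so far; it would be worth noting there that `date -f -` is a GNU date option, since the recipe now depends on it.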
diff --git a/debian/patches/series b/debian/patches/series
new file mode 100644
index 0000000..038ee28
--- /dev/null
+++ b/debian/patches/series
@@ -0,0 +1 @@
+reproducible.patch
diff --git a/debian/rules b/debian/rules
new file mode 100755
index 0000000..00e14b8
--- /dev/null
+++ b/debian/rules
@@ -0,0 +1,45 @@
+#!/usr/bin/make -f
+
+export DEB_BUILD_MAINT_OPTIONS = hardening=+all
+
+# Uncomment this to turn on verbose mode.
+#export DH_VERBOSE=1
+
+configure_opts := --prefix=/usr --sysconfdir=/etc --mandir=/usr/share/man --disable-silent-rules --with-xtables
+
+override_dh_auto_configure:
+ ./configure $(configure_opts) --
+
+%:
+ dh $@ --with autoreconf,systemd
+
+override_dh_fixperms:
+ dh_fixperms
+ chmod a+x debian/nftables/etc/nftables.conf
+
+override_dh_systemd_enable:
+ dh_systemd_enable --no-enable
+
+override_dh_systemd_start:
+ dh_systemd_start --no-start
+
+# https://wiki.debian.org/DebugPackage
+.PHONY: override_dh_strip
+override_dh_strip:
+ dh_strip --dbgsym-migration='nftables-dbg (<< 0.7~)'
+
+override_dh_auto_install:
+ dh_auto_install --destdir=debian/nftables
+
+ # upstream examples are installed in by the 'install' target to '/etc/nftables'
+ mkdir -p debian/nftables/usr/share/doc/nftables/examples/syntax
+ mv debian/nftables/etc/nftables/* debian/nftables/usr/share/doc/nftables/examples/syntax/
+ rm -rf debian/nftables/etc/nftables
+
+override_dh_installdocs:
+ dh_installdocs --link-doc=nftables
+
+override_dh_installinit:
+ # dh_installinit will try to mess with /etc/init.d/nftables in
+ # the maintainer scripts, but we don't ship it
+ dh_installinit -n
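Review bot: `override_dh_auto_configure` calls `./configure $(configure_opts) --` directly, which bypasses dh_auto_configure and the arguments it normally supplies (build and host triplets, multiarch libdir and so on), and leaves a stray trailing `--`. Prefer `dh_auto_configure -- --with-xtables` plus whatever options actually differ from the defaults. Also worth a comment next to `chmod a+x debian/nftables/etc/nftables.conf` explaining that the conffile is made executable on purpose because of its `#!/usr/sbin/nft -f` shebang.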
diff --git a/debian/source/format b/debian/source/format
new file mode 100644
index 0000000..163aaf8
--- /dev/null
+++ b/debian/source/format
@@ -0,0 +1 @@
+3.0 (quilt)
diff --git a/debian/source/options b/debian/source/options
new file mode 100644
index 0000000..9060822
--- /dev/null
+++ b/debian/source/options
@@ -0,0 +1,2 @@
+# Don't store changes on autogenerated files
+extend-diff-ignore = "(^|/)(compile|config\.sub|config\.guess|Makefile|configure|Makefile\.in|aclocal.m4|config.h.in|depcomp|INSTALL|install-sh|ltmain.sh|missing||libtool.m4|lt~obsolete.m4|ltoptions.m4|ltsugar.m4|ltversion.m4|.Po)"
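Review bot: The alternation contains an empty branch at `missing||libtool.m4`. An empty alternative matches the empty string and the expression is not anchored at the end, so `(^|/)(...)` can match at the start of any path, which would make dpkg-source ignore far more than the autogenerated files listed. Remove the doubled `|`, escape the literal dots in names such as `aclocal.m4` and `.Po`, and consider anchoring the group with `$`.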
diff --git a/debian/tests/control b/debian/tests/control
new file mode 100644
index 0000000..ecb49cb
--- /dev/null
+++ b/debian/tests/control
@@ -0,0 +1,15 @@
+Test-Command: nft -h
+Depends: @
+Restrictions: needs-root
+
+Tests: internaltest-shell.sh
+Depends: @, kmod
+Restrictions: needs-root, allow-stderr, isolation-container
+
+Tests: internaltest-py.sh
+Depends: @, python
+Restrictions: needs-root, allow-stderr, isolation-container, build-needed
+
+Tests: systemd-service-test.sh
+Depends: @, systemd
+Restrictions: needs-root, allow-stderr, isolation-container
diff --git a/debian/tests/internaltest-py.sh b/debian/tests/internaltest-py.sh
new file mode 100644
index 0000000..447687f
--- /dev/null
+++ b/debian/tests/internaltest-py.sh
@@ -0,0 +1,15 @@
+#!/bin/sh
+
+# Run the internal tests of nftables (py)
+
+echo "W: Not running this testsuite due to missing dummy module"
+exit 0
+
+# The testsuite requires kernel at least 4.x
+if [ "$(uname -r | cut -d. -f1)" -lt 4 ] ; then
+ echo "W: This testsuite is likely to produce many fails because of old kernel"
+fi
+
+set -e
+cd tests/py
+NFT=$(which nft) ./nft-test.py
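Review bot: The unconditional `exit 0` right after the "Not running this testsuite" message makes everything below it dead code, and autopkgtest records the test as passed even though nothing ran. Either drop the `internaltest-py.sh` stanza from debian/tests/control until the dummy module is available, or keep the stanza and remove the unreachable lines so the script does not suggest coverage that does not exist.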
diff --git a/debian/tests/internaltest-shell.sh b/debian/tests/internaltest-shell.sh
new file mode 100644
index 0000000..89215a1
--- /dev/null
+++ b/debian/tests/internaltest-shell.sh
@@ -0,0 +1,13 @@
+#!/bin/sh
+
+# Run the internal tests of nftables (shell)
+
+# The testsuite requires kernel at least 4.x
+if [ "$(uname -r | cut -d. -f1)" -lt 4 ] ; then
+ echo "W: this testsuite is likely to produce many fails because of old kernel, ending now"
+ exit 0
+fi
+
+set -e
+cd tests/shell
+./run-tests.sh -v
diff --git a/debian/tests/systemd-service-test.sh b/debian/tests/systemd-service-test.sh
new file mode 100644
index 0000000..9f8d7c7
--- /dev/null
+++ b/debian/tests/systemd-service-test.sh
@@ -0,0 +1,72 @@
+#!/bin/sh
+
+set -ex
+
+SERVICE=nftables.service
+
+# The testsuite requires kernel at least 4.x
+if [ "$(uname -r | cut -d. -f1)" -lt 4 ] ; then
+ : WARNING this testsuite is likely to produce many fails because of old kernel, ending now
+ exit 0
+fi
+
+systemctl_call()
+{
+ if systemctl $1 $SERVICE ; then
+ return 0
+ else
+ journalctl -u $SERVICE
+ return 1
+ fi
+}
+
+# package ships service disabled by default
+if ! systemctl_call enable ; then
+ : WARNING enabling the service failed
+fi
+
+if systemctl -q is-active $SERVICE ; then
+ : WARNING initial service running, stopping now
+ if ! systemctl_call stop ; then
+ : ERROR unable to stop the initial service
+ exit 1
+ fi
+fi
+
+if [ $(nft list ruleset | wc -l) -ne 0 ] ; then
+ : WARNING initial ruleset is not empty, flushing now
+ nft flush ruleset
+fi
+
+if ! systemctl_call start ; then
+ : ERROR failed to start systemd service
+ exit 1
+fi
+if [ $(nft list ruleset | wc -l) -eq 0 ] ; then
+ : ERROR no ruleset loaded after systemd service start
+ exit 1
+fi
+
+systemctl_call status
+nft list ruleset
+
+if ! systemctl_call stop ; then
+ : ERROR failed to stop systemd service
+ exit 1
+fi
+if [ $(nft list ruleset | wc -l) -ne 0 ] ; then
+ : ERROR ruleset still loaded after systemd service stop
+ exit 1
+fi
+
+if ! systemctl_call restart ; then
+ : ERROR failed to restart systemd service
+ exit 1
+fi
+if [ $(nft list ruleset | wc -l) -eq 0 ] ; then
+ : ERROR no ruleset loaded after systemd service restart
+ exit 1
+fi
+
+: INFO test was OK
+exit 0
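Review bot: Every ruleset check has the form `[ $(nft list ruleset | wc -l) -ne 0 ]`, and the pipeline's exit status is that of `wc`, so a failing `nft` is indistinguishable from an empty ruleset. In the check after `systemctl_call stop` that turns an nft error into a pass. Capture the output first, for example `out=$(nft list ruleset)`, let `set -e` catch the failure, then count lines in `$out`, and quote the command substitutions. Note also that the bare `systemctl_call status` line aborts the script under `set -e` without any ERROR marker if status returns non-zero.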
diff --git a/debian/upstream/signing-key.asc b/debian/upstream/signing-key.asc
new file mode 100644
index 0000000..b2b4493
--- /dev/null
+++ b/debian/upstream/signing-key.asc
@@ -0,0 +1,56 @@
+-----BEGIN PGP PUBLIC KEY BLOCK-----
+Version: GnuPG v1.4.10 (GNU/Linux)
+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=
+=nwmO
+-----END PGP PUBLIC KEY BLOCK-----
diff --git a/debian/watch b/debian/watch
new file mode 100644
index 0000000..a1fde19
--- /dev/null
+++ b/debian/watch
@@ -0,0 +1,2 @@
+version=3
+opts=pgpsigurlmangle=s/$/.sig/ http://ftp.netfilter.org/pub/nftables/nftables-(\S+).tar.bz2
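Review bot: The upstream tarball and its `.sig` are both fetched over plain `http://ftp.netfilter.org/...`, so the only integrity protection is the signature check set up by `pgpsigurlmangle` against debian/upstream/signing-key.asc. That is acceptable as long as the check is never disabled, but use an https URL if the server offers one, and add a comment in the file noting that verification depends on the shipped key.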