add nftables hints, fix generation scripts

LDP/users/Peter-Bieringer/Linux+IPv6-HOWTO.de.lyx

@@ -1,5 +1,5 @@
-#LyX 2.0 created this file. For more info see http://www.lyx.org/
-\lyxformat 413
+#LyX 2.1 created this file. For more info see http://www.lyx.org/
+\lyxformat 474
 \begin_document
 \begin_header
 \textclass docbook-book
@@ -16,13 +16,13 @@
 \font_roman default
 \font_sans default
 \font_typewriter default
+\font_math auto
 \font_default_family default
 \use_non_tex_fonts false
 \font_sc false
 \font_osf false
 \font_sf_scale 100
 \font_tt_scale 100
-
 \graphics default
 \default_output_format default
 \output_sync 0
@@ -33,15 +33,24 @@
 \use_hyperref false
 \papersize default
 \use_geometry false
-\use_amsmath 1
-\use_esint 0
-\use_mhchem 1
-\use_mathdots 1
+\use_package amsmath 1
+\use_package amssymb 1
+\use_package cancel 0
+\use_package esint 0
+\use_package mathdots 1
+\use_package mathtools 0
+\use_package mhchem 1
+\use_package stackrel 0
+\use_package stmaryrd 0
+\use_package undertilde 0
 \cite_engine basic
+\cite_engine_type default
+\biblio_style plain
 \use_bibtopic false
 \use_indices false
 \paperorientation portrait
 \suppress_date false
+\justification true
 \use_refstyle 0
 \index Stichwortverzeichnis
 \shortcut idx
@@ -107,7 +116,7 @@ status open
 
 \begin_layout Plain Layout
 
-<revision> <revnumber>0.66wip.de.1</revnumber> <date>2013-11-12</date> <authoriniti
+<revision> <revnumber>0.66wip.de.1</revnumber> <date>2014-05-02</date> <authoriniti
 als>PB</authorinitials></revision>
 \end_layout
 
@@ -247,7 +256,7 @@ Copyright
 \end_layout
 
 \begin_layout Standard
-Verfasst von und urheberrechtlich geschützt durch Peter Bieringer © 2001-2013.
+Verfasst von und urheberrechtlich geschützt durch Peter Bieringer © 2001-2014.
 \begin_inset Newline newline
 \end_inset
 
@@ -260,7 +269,7 @@ Deutsche Übersetzung:
 
 \begin_layout Standard
 Verfasst von und urheberrechtlich geschützt durch Georg Käfer © 2002-2003,
- weitergeführt von Peter Bieringer © 2004-2013.
+ weitergeführt von Peter Bieringer © 2004-2014.
 \end_layout
 
 \begin_layout Subsection
@@ -290,7 +299,7 @@ Dieses Linux IPv6 HOWTO ist ein Handbuch zur Anwendung und Konfiguration
 \end_layout
 
 \begin_layout Standard
-Copyright © 2001-2013 Peter Bieringer
+Copyright © 2001-2014 Peter Bieringer
 \begin_inset Newline newline
 \end_inset
 
@@ -10980,8 +10989,22 @@ reference "IPv6-security-auditing"
 \begin_layout Standard
 
 \lang english
-Kernels ab Version 2.6.20 unterstützen den IPv6-Verbindungsstatus (connection
- tracking) vollständig.
+Kernels ab Version 2.6.20 (Februar 2007) unterstützen den IPv6-Verbindungsstatus
+ (connection tracking) vollständig.
+\end_layout
+
+\begin_layout Standard
+
+\lang english
+Kernels ab Version 3.9.0 (April 2013) unterstützen NAT für IPv6 in Verbindung
+ mit ip6tables >= 1.4.18
+\end_layout
+
+\begin_layout Standard
+
+\lang english
+Kernels ab Version 3.13 (April 2014) unterstützen ein neues Framework namens:
+ nftables
 \end_layout
 
 \begin_layout Subsection
@@ -12707,6 +12730,355 @@ Ein dedizierter Port kann zu einem internen System weitergeleitet werden,
 nation [fec0::1234]:80
 \end_layout
 
+\begin_layout Section
+
+\lang english
+Firewall-Setup mit nftables
+\end_layout
+
+\begin_layout Standard
+
+\lang english
+Mit nftables wurde die Unterstützung einer Tabelle names 
+\begin_inset Quotes sld
+\end_inset
+
+inet
+\begin_inset Quotes srd
+\end_inset
+
+ eingeführt in welcher Regeln für IPv4/IPv6 gleichzeitig gelten
+\end_layout
+
+\begin_layout Subsection
+
+\lang english
+Präparation zur Nutzung von nftables
+\end_layout
+
+\begin_layout Standard
+
+\lang english
+Installieren einer Linux-Distribution, welche die Unterstützung für nftables
+ bereits eingebaut hat.
+ Beim Schreiben dieses Absatzes (Mai 2014) war mindestens Fedora Rawhide
+ (Vorläufer der Version 21) mit entsprechendem Support und nftables version
+ 0.2.0 versehen.
+\end_layout
+
+\begin_layout Subsection
+
+\lang english
+Basis-nftables Konfiguration
+\end_layout
+
+\begin_layout Standard
+
+\lang english
+Laden der Kernel-Module
+\end_layout
+
+\begin_layout Code
+
+# modprobe nf_tables
+\end_layout
+
+\begin_layout Code
+
+# modprobe nf_tables_ipv4
+\end_layout
+
+\begin_layout Code
+
+# modprobe nf_tables_ipv6
+\end_layout
+
+\begin_layout Code
+
+# modprobe nf_tables_inet 
+\end_layout
+
+\begin_layout Standard
+
+\lang english
+Erzeugen der Filter-Tabellen
+\end_layout
+
+\begin_layout Code
+
+# nft add table ip   filter
+\end_layout
+
+\begin_layout Code
+
+# nft add table ip6  filter
+\end_layout
+
+\begin_layout Code
+
+# nft add table inet filter 
+\end_layout
+
+\begin_layout Standard
+
+\lang english
+Erzeugen einer input chain in jeder Filter-Tabelle
+\end_layout
+
+\begin_layout Code
+
+# nft add chain ip   filter input { type filter hook input priority 1 
+\backslash
+; }
+\end_layout
+
+\begin_layout Code
+
+# nft add chain ip6  filter input { type filter hook input priority 1 
+\backslash
+; } 
+\end_layout
+
+\begin_layout Code
+
+# nft add chain inet filter input { type filter hook input priority 0 
+\backslash
+; }
+\end_layout
+
+\begin_layout Subsection
+
+\lang english
+Einfache Filter-Policy mit nftables
+\end_layout
+
+\begin_layout Subsubsection
+
+\lang english
+Konfiguration
+\end_layout
+
+\begin_layout Standard
+
+\lang english
+Erlauben von Paketen, die zu existierenden Einträgen in der Connection-Tracking-
+Tabelle gehören
+\end_layout
+
+\begin_layout Code
+
+# nft add rule inet filter input ct state established,related counter accept
+ 
+\end_layout
+
+\begin_layout Standard
+
+\lang english
+Erlauben von IPv4 und IPv6 ICMP echo-request (aka ping)
+\end_layout
+
+\begin_layout Code
+
+# nft add rule ip filter input icmp type { echo-request } counter accept
+ 
+\end_layout
+
+\begin_layout Code
+
+# nft add rule ip6 filter input icmpv6 type echo-request counter accept
+ 
+\end_layout
+
+\begin_layout Standard
+
+\lang english
+Erlauben einiger wichtiger IPv6 ICMP Pakete, ohne Zähler, dafür mit Hop-Limit-Pr
+üfung (erhöht die Sicherheit)
+\end_layout
+
+\begin_layout Code
+
+# nft add rule ip6 filter input icmpv6 type { nd-neighbor-solicit, nd-router-adv
+ert, nd-neighbor-advert } ip6 hoplimit 1 accept # nft add rule ip6 filter
+ input icmpv6 type { nd-neighbor-solicit, nd-router-advert, nd-neighbor-advert
+ } ip6 hoplimit 255 accept
+\end_layout
+
+\begin_layout Standard
+
+\lang english
+Erlauben von eingehenden SSH-Verbindungen für IPv4 und IPv6 unter Nutzung
+ der IP-Version unabhängigen Tabelle 
+\begin_inset Quotes sld
+\end_inset
+
+inet
+\begin_inset Quotes srd
+\end_inset
+
+
+\end_layout
+
+\begin_layout Code
+
+# nft add rule inet filter input tcp dport 22 ct state new tcp flags 
+\backslash
+& 
+\backslash
+(syn 
+\backslash
+| ack
+\backslash
+) == syn counter accept
+\end_layout
+
+\begin_layout Subsubsection
+
+\lang english
+Ergebnis
+\end_layout
+
+\begin_layout Standard
+
+\lang english
+Tabelle für IPv4 Filter
+\end_layout
+
+\begin_layout Code
+
+# nft list table ip filter
+\end_layout
+
+\begin_layout Code
+
+table ip filter {
+\end_layout
+
+\begin_layout Code
+
+	chain input {
+\end_layout
+
+\begin_layout Code
+
+		 type filter hook input priority 1;
+\end_layout
+
+\begin_layout Code
+
+		 icmp type { echo-request} counter packets 0 bytes 0 accept
+\end_layout
+
+\begin_layout Code
+
+	}
+\end_layout
+
+\begin_layout Code
+
+}
+\end_layout
+
+\begin_layout Standard
+
+\lang english
+Tabelle für IPv6 Filter
+\end_layout
+
+\begin_layout Code
+
+# nft list table ip6 filter
+\end_layout
+
+\begin_layout Code
+
+table ip6 filter {
+\end_layout
+
+\begin_layout Code
+
+	chain input {
+\end_layout
+
+\begin_layout Code
+
+		 type filter hook input priority 1;
+\end_layout
+
+\begin_layout Code
+
+		 icmpv6 type echo-request counter packets 0 bytes 0 accept
+\end_layout
+
+\begin_layout Code
+
+		 ip6 hoplimit 1 icmpv6 type { nd-neighbor-advert, nd-neighbor-solicit,
+ nd-router-advert} accept
+\end_layout
+
+\begin_layout Code
+
+		 ip6 hoplimit 255 icmpv6 type { nd-neighbor-advert, nd-neighbor-solicit,
+ nd-router-advert} accept
+\end_layout
+
+\begin_layout Code
+
+	}
+\end_layout
+
+\begin_layout Code
+
+}
+\end_layout
+
+\begin_layout Standard
+
+\lang english
+Tabelle für IP unabhängigen Filter
+\end_layout
+
+\begin_layout Code
+
+# nft list table inet filter
+\end_layout
+
+\begin_layout Code
+
+table inet filter {
+\end_layout
+
+\begin_layout Code
+
+	chain input {
+\end_layout
+
+\begin_layout Code
+
+		 type filter hook input priority 0;
+\end_layout
+
+\begin_layout Code
+
+		 ct state established,related counter packets 44 bytes 2288 accept
+\end_layout
+
+\begin_layout Code
+
+		 tcp dport ssh ct state new tcp flags & (syn | ack) == syn counter packets
+ 0 bytes 0 accept
+\end_layout
+
+\begin_layout Code
+
+	}
+\end_layout
+
+\begin_layout Code
+
+} 
+\end_layout
+
 \begin_layout Chapter
 \begin_inset CommandInset label
 LatexCommand label
@@ -20858,7 +21230,7 @@ Die größten Mailinglisten sind in folgender Tabelle zusammengefasst:
 \begin_layout Standard
 \begin_inset Tabular
 <lyxtabular version="3" rows="8" columns="6">
-<features rotate="true" tabularvalignment="middle">
+<features rotate="90" tabularvalignment="middle">
 <column alignment="center" valignment="top" width="0pt">
 <column alignment="center" valignment="top" width="0pt">
 <column alignment="center" valignment="top" width="0pt">

LDP/users/Peter-Bieringer/Linux+IPv6-HOWTO.de.sgml

@@ -7,14 +7,14 @@
 <!ENTITY % output.print.bmp "IGNORE">
  ]>
 
-<!-- SGML file was created by LyX 2.0.6
+<!-- SGML file was created by LyX 2.1.0
   See http://www.lyx.org/ for more information -->
 <book lang="de">
 <bookinfo>
 <title>Linux IPv6 HOWTO (de)</title>
 <author><firstname>Peter</firstname><surname>Bieringer</surname><affiliation><address>pb at bieringer dot de</address></affiliation></author>
 <revhistory> 
-<revision> <revnumber>0.66wip.de.1</revnumber> <date>2013-11-12</date> <authorinitials>PB</authorinitials></revision>
+<revision> <revnumber>0.66wip.de.1</revnumber> <date>2014-05-02</date> <authorinitials>PB</authorinitials></revision>
 <revision> <revnumber>0.65.de.1</revnumber> <date>2009-12-13</date> <authorinitials>PB</authorinitials></revision>
 <revision> <revnumber>0.64.de.1</revnumber> <date>2009-06-11</date> <authorinitials>PB</authorinitials></revision>
 <revision> <revnumber>0.61.de.1</revnumber> <date>2007-10-06</date> <authorinitials>PB</authorinitials></revision>
@@ -26,16 +26,16 @@
 <title><!-- anchor id="general-copright" -->Copyright, Lizenz und anderes</title>
 <sect2>
 <title>Copyright</title>
-<para>Verfasst von und urheberrechtlich geschützt durch Peter Bieringer © 2001-2013.
+<para>Verfasst von und urheberrechtlich geschützt durch Peter Bieringer © 2001-2014.
 </para>
 <para>Deutsche Übersetzung:</para>
-<para>Verfasst von und urheberrechtlich geschützt durch Georg Käfer © 2002-2003, weitergeführt von Peter Bieringer © 2004-2013.</para></sect2><sect2>
+<para>Verfasst von und urheberrechtlich geschützt durch Georg Käfer © 2002-2003, weitergeführt von Peter Bieringer © 2004-2014.</para></sect2><sect2>
 <title>Lizenz</title>
 <para>Dieses Linux IPv6 HOWTO wird unter der GNU GPL Version 2 herausgegeben:
 </para>
 <para>Dieses Linux IPv6 HOWTO ist ein Handbuch zur Anwendung und Konfiguration von IPv6 auf Linux-Systemen. 
 </para>
-<para>Copyright © 2001-2013 Peter Bieringer
+<para>Copyright © 2001-2014 Peter Bieringer
 Deutsche Übersetzung Copyright © 2002-2003 Georg Käfer, weitergeführt von Peter Bieringer © 2004-2013.
 </para>
 <para>Diese Dokumentation ist freie Software; Sie können diese unter den Bedingungen der GNU General Public License, wie von der Free Software Foundation publiziert, entweder unter Version 2 oder optional jede höhere Version redistribuieren und/oder modifizieren.</para>
@@ -1624,7 +1624,9 @@ In Version 8.x wurde das Konfigurations-Setup bei SuSE komplett abgeändert.</pa
 <para>Von Haus aus unterstützt wird die IPv6-Firewall-Funktionalität im Kernel erst ab Version 2.4+. In älteren 2.2+ Versionen können sie nur mit Protocol 41 das generelle Tunnel von IPv6-in-IPv4-Paketen filtern.</para>
 <para>Achtung: Es gibt keine Garantie, dass die beschriebenen Regeln und Beispiele ihr System auch wirklich schützen können!</para>
 <para>Beobachten Sie nach der Installation ihr Regelset, siehe Abschnitt <xref linkend="IPv6-security-auditing">.</para>
-<para>Kernels ab Version 2.6.20 unterstützen den IPv6-Verbindungsstatus (connection tracking) vollständig.</para><sect2>
+<para>Kernels ab Version 2.6.20 (Februar 2007) unterstützen den IPv6-Verbindungsstatus (connection tracking) vollständig.</para>
+<para>Kernels ab Version 3.9.0 (April 2013) unterstützen NAT für IPv6 in Verbindung mit ip6tables &gt;= 1.4.18</para>
+<para>Kernels ab Version 3.13 (April 2014) unterstützen ein neues Framework namens: nftables</para><sect2>
 <title>Weitere Informationen</title>
 <itemizedlist>
 <listitem><para><ulink url="http://www.netfilter.org/">Netfilter project</ulink></para></listitem><listitem><para><ulink url="https://lists.netfilter.org/mailman/listinfo/netfilter">maillist archive of netfilter users</ulink></para></listitem><listitem><para><ulink url="https://lists.netfilter.org/mailman/listinfo/netfilter-devel">maillist archive of netfilter developers</ulink></para></listitem><listitem><para><ulink url="http://www.bieringer.de/linux/IPv6/status/IPv6+Linux-status-kernel.html#netfilter6 ">Unofficial status informations</ulink></para></listitem></itemizedlist></sect2></sect1><sect1>
@@ -1972,7 +1974,68 @@ Chain intOUT (1 references)
 <title>IPv6 Port Weiterleitung</title>
 <para>Ein dedizierter Port kann zu einem internen System weitergeleitet werden, z.B.</para><screen>
 <![CDATA[# ip6tables -t nat -A PREROUTING -i sixxs -p tcp --dport 8080 -j DNAT --to-destination [fec0::1234]:80
-]]></screen></sect2></sect1></chapter><chapter id='chapter-security' >
+]]></screen></sect2></sect1><sect1>
+<title>Firewall-Setup mit nftables</title>
+<para>Mit nftables wurde die Unterstützung einer Tabelle names &ldquo;inet&rdquo; eingeführt in welcher Regeln für IPv4/IPv6 gleichzeitig gelten</para><sect2>
+<title>Präparation zur Nutzung von nftables</title>
+<para>Installieren einer Linux-Distribution, welche die Unterstützung für nftables bereits eingebaut hat. Beim Schreiben dieses Absatzes (Mai 2014) war mindestens Fedora Rawhide (Vorläufer der Version 21) mit entsprechendem Support und nftables version 0.2.0 versehen.</para></sect2><sect2>
+<title>Basis-nftables Konfiguration</title>
+<para>Laden der Kernel-Module</para><screen>
+<![CDATA[# modprobe nf_tables
+# modprobe nf_tables_ipv4
+# modprobe nf_tables_ipv6
+# modprobe nf_tables_inet 
+]]></screen><para>Erzeugen der Filter-Tabellen</para><screen>
+<![CDATA[# nft add table ip   filter
+# nft add table ip6  filter
+# nft add table inet filter 
+]]></screen><para>Erzeugen einer input chain in jeder Filter-Tabelle</para><screen>
+<![CDATA[# nft add chain ip   filter input { type filter hook input priority 1 \; }
+# nft add chain ip6  filter input { type filter hook input priority 1 \; } 
+# nft add chain inet filter input { type filter hook input priority 0 \; }
+]]></screen></sect2><sect2>
+<title>Einfache Filter-Policy mit nftables</title>
+<sect3>
+<title>Konfiguration</title>
+<para>Erlauben von Paketen, die zu existierenden Einträgen in der Connection-Tracking-Tabelle gehören</para><screen>
+<![CDATA[# nft add rule inet filter input ct state established,related counter accept 
+]]></screen><para>Erlauben von IPv4 und IPv6 ICMP echo-request (aka ping)</para><screen>
+<![CDATA[# nft add rule ip filter input icmp type { echo-request } counter accept 
+# nft add rule ip6 filter input icmpv6 type echo-request counter accept 
+]]></screen><para>Erlauben einiger wichtiger IPv6 ICMP Pakete, ohne Zähler, dafür mit Hop-Limit-Prüfung (erhöht die Sicherheit)</para><screen>
+<![CDATA[# nft add rule ip6 filter input icmpv6 type { nd-neighbor-solicit, nd-router-advert, nd-neighbor-advert } ip6 hoplimit 1 accept # nft add rule ip6 filter input icmpv6 type { nd-neighbor-solicit, nd-router-advert, nd-neighbor-advert } ip6 hoplimit 255 accept
+]]></screen><para>Erlauben von eingehenden SSH-Verbindungen für IPv4 und IPv6 unter Nutzung der IP-Version unabhängigen Tabelle &ldquo;inet&rdquo;</para><screen>
+<![CDATA[# nft add rule inet filter input tcp dport 22 ct state new tcp flags \& \(syn \| ack\) == syn counter accept
+]]></screen></sect3><sect3>
+<title>Ergebnis</title>
+<para>Tabelle für IPv4 Filter</para><screen>
+<![CDATA[# nft list table ip filter
+table ip filter {
+	chain input {
+		 type filter hook input priority 1;
+		 icmp type { echo-request} counter packets 0 bytes 0 accept
+	}
+}
+]]></screen><para>Tabelle für IPv6 Filter</para><screen>
+<![CDATA[# nft list table ip6 filter
+table ip6 filter {
+	chain input {
+		 type filter hook input priority 1;
+		 icmpv6 type echo-request counter packets 0 bytes 0 accept
+		 ip6 hoplimit 1 icmpv6 type { nd-neighbor-advert, nd-neighbor-solicit, nd-router-advert} accept
+		 ip6 hoplimit 255 icmpv6 type { nd-neighbor-advert, nd-neighbor-solicit, nd-router-advert} accept
+	}
+}
+]]></screen><para>Tabelle für IP unabhängigen Filter</para><screen>
+<![CDATA[# nft list table inet filter
+table inet filter {
+	chain input {
+		 type filter hook input priority 0;
+		 ct state established,related counter packets 44 bytes 2288 accept
+		 tcp dport ssh ct state new tcp flags & (syn | ack) == syn counter packets 0 bytes 0 accept
+	}
+} 
+]]></screen></sect3></sect2></sect1></chapter><chapter id='chapter-security' >
 <title><!-- anchor id="chapter-security" -->Sicherheit</title>
 <sect1>
 <title>Sicherheit des Knoten</title>

LDP/users/Peter-Bieringer/Linux+IPv6-HOWTO.lyx

@@ -1,5 +1,5 @@
-#LyX 2.0 created this file. For more info see http://www.lyx.org/
-\lyxformat 413
+#LyX 2.1 created this file. For more info see http://www.lyx.org/
+\lyxformat 474
 \begin_document
 \begin_header
 \textclass docbook-book
@@ -15,13 +15,13 @@
 \font_roman default
 \font_sans default
 \font_typewriter default
+\font_math auto
 \font_default_family default
 \use_non_tex_fonts false
 \font_sc false
 \font_osf false
 \font_sf_scale 100
 \font_tt_scale 100
-
 \graphics default
 \default_output_format default
 \output_sync 0
@@ -32,15 +32,24 @@
 \use_hyperref false
 \papersize default
 \use_geometry false
-\use_amsmath 1
-\use_esint 0
-\use_mhchem 1
-\use_mathdots 1
+\use_package amsmath 1
+\use_package amssymb 1
+\use_package cancel 0
+\use_package esint 0
+\use_package mathdots 1
+\use_package mathtools 0
+\use_package mhchem 1
+\use_package stackrel 0
+\use_package stmaryrd 0
+\use_package undertilde 0
 \cite_engine basic
+\cite_engine_type default
+\biblio_style plain
 \use_bibtopic false
 \use_indices false
 \paperorientation portrait
 \suppress_date false
+\justification true
 \use_refstyle 0
 \index Index
 \shortcut idx
@@ -102,7 +111,7 @@ status open
 
 \begin_layout Plain Layout
 
-<revision> <revnumber>0.66wip</revnumber> <date>2013-11-12</date> <authorinitials
+<revision> <revnumber>0.66wip</revnumber> <date>2014-05-02</date> <authorinitials
 >PB</authorinitials></revision>
 \end_layout
 
@@ -255,7 +264,7 @@ Copyright
 \end_layout
 
 \begin_layout Standard
-Written and Copyright (C) 2001-2013 by Peter Bieringer
+Written and Copyright (C) 2001-2014 by Peter Bieringer
 \end_layout
 
 \begin_layout Subsection
@@ -288,7 +297,7 @@ Copyright
 \lang ngerman
 ©
 \lang english
- 2001-2013 Peter Bieringer 
+ 2001-2014 Peter Bieringer 
 \begin_inset Newline newline
 \end_inset
 
@@ -10174,8 +10183,17 @@ reference "IPv6-security-auditing"
 \end_layout
 
 \begin_layout Standard
-Since kernel version 2.6.20 IPv6 connection tracking is fully working (and
- does not break IPv4 NAT anymore like versions before)
+Since kernel version 2.6.20 (February 2007) IPv6 connection tracking is fully
+ working (and does not break IPv4 NAT anymore like versions before)
+\end_layout
+
+\begin_layout Standard
+Since kernel version 3.9.0 (April 2013) NAT for IPv6 is supported with ip6tables
+ >= 1.4.18
+\end_layout
+
+\begin_layout Standard
+Since kernel version 3.13 (April 2014) new framework introduced named: nftables
 \end_layout
 
 \begin_layout Subsection
@@ -10560,7 +10578,7 @@ Perhaps it's necessary to create a softlink for iptables libraries where
 \end_layout
 
 \begin_layout Section
-Usage
+Usage of ip6tables
 \end_layout
 
 \begin_layout Subsection
@@ -11624,6 +11642,277 @@ A dedicated specified port can be forwarded to an internal system, e.g.
 nation [fec0::1234]:80
 \end_layout
 
+\begin_layout Section
+Firewalling using nftables
+\end_layout
+
+\begin_layout Standard
+nftables adds support for a IPv4/IPv6 aware table named 
+\begin_inset Quotes sld
+\end_inset
+
+inet
+\begin_inset Quotes srd
+\end_inset
+
+, here only one rule matches both protocols
+\end_layout
+
+\begin_layout Subsection
+Preparation for nftables usage
+\end_layout
+
+\begin_layout Standard
+Install a Linux distribution which has nftables support already included.
+ At time of writing (May 2014) at least Fedora Rawhide (upcoming version
+ 21) has support in conjunction with nftables version 0.2.0.
+\end_layout
+
+\begin_layout Subsection
+Basic nftables configuration
+\end_layout
+
+\begin_layout Standard
+Load kernel modules
+\end_layout
+
+\begin_layout Code
+# modprobe nf_tables
+\end_layout
+
+\begin_layout Code
+# modprobe nf_tables_ipv4
+\end_layout
+
+\begin_layout Code
+# modprobe nf_tables_ipv6
+\end_layout
+
+\begin_layout Code
+# modprobe nf_tables_inet 
+\end_layout
+
+\begin_layout Standard
+Create filter tables
+\end_layout
+
+\begin_layout Code
+# nft add table ip   filter
+\end_layout
+
+\begin_layout Code
+# nft add table ip6  filter
+\end_layout
+
+\begin_layout Code
+# nft add table inet filter 
+\end_layout
+
+\begin_layout Standard
+Create input chain in each filter table
+\end_layout
+
+\begin_layout Code
+# nft add chain ip   filter input { type filter hook input priority 1 
+\backslash
+; }
+\end_layout
+
+\begin_layout Code
+# nft add chain ip6  filter input { type filter hook input priority 1 
+\backslash
+; } 
+\end_layout
+
+\begin_layout Code
+# nft add chain inet filter input { type filter hook input priority 0 
+\backslash
+; }
+\end_layout
+
+\begin_layout Subsection
+Simple filter policy with nftables
+\end_layout
+
+\begin_layout Subsubsection
+Configuration
+\end_layout
+
+\begin_layout Standard
+Allow packets which are related to existing connection tracking entries
+\end_layout
+
+\begin_layout Code
+# nft add rule inet filter input ct state established,related counter accept
+ 
+\end_layout
+
+\begin_layout Standard
+Allow IPv4 and IPv6 ICMP echo-request (aka ping)
+\end_layout
+
+\begin_layout Code
+# nft add rule ip filter input icmp type { echo-request } counter accept
+ 
+\end_layout
+
+\begin_layout Code
+# nft add rule ip6 filter input icmpv6 type echo-request counter accept
+ 
+\end_layout
+
+\begin_layout Standard
+Allow some important IPv6 ICMP traffic, without counter, but checking hop-limit
+ for security
+\end_layout
+
+\begin_layout Code
+# nft add rule ip6 filter input icmpv6 type { nd-neighbor-solicit, nd-router-adv
+ert, nd-neighbor-advert } ip6 hoplimit 1 accept # nft add rule ip6 filter
+ input icmpv6 type { nd-neighbor-solicit, nd-router-advert, nd-neighbor-advert
+ } ip6 hoplimit 255 accept
+\end_layout
+
+\begin_layout Standard
+Allow incoming SSH for IPv4 and IPv6, using therefore the IP version aware
+ table 
+\begin_inset Quotes sld
+\end_inset
+
+inet
+\begin_inset Quotes srd
+\end_inset
+
+
+\end_layout
+
+\begin_layout Code
+# nft add rule inet filter input tcp dport 22 ct state new tcp flags 
+\backslash
+& 
+\backslash
+(syn 
+\backslash
+| ack
+\backslash
+) == syn counter accept
+\end_layout
+
+\begin_layout Subsubsection
+Result
+\end_layout
+
+\begin_layout Standard
+Table for IPv4 filter
+\end_layout
+
+\begin_layout Code
+# nft list table ip filter
+\end_layout
+
+\begin_layout Code
+table ip filter {
+\end_layout
+
+\begin_layout Code
+	chain input {
+\end_layout
+
+\begin_layout Code
+		 type filter hook input priority 1;
+\end_layout
+
+\begin_layout Code
+		 icmp type { echo-request} counter packets 0 bytes 0 accept
+\end_layout
+
+\begin_layout Code
+	}
+\end_layout
+
+\begin_layout Code
+}
+\end_layout
+
+\begin_layout Standard
+Table for IPv6 filter
+\end_layout
+
+\begin_layout Code
+# nft list table ip6 filter
+\end_layout
+
+\begin_layout Code
+table ip6 filter {
+\end_layout
+
+\begin_layout Code
+	chain input {
+\end_layout
+
+\begin_layout Code
+		 type filter hook input priority 1;
+\end_layout
+
+\begin_layout Code
+		 icmpv6 type echo-request counter packets 0 bytes 0 accept
+\end_layout
+
+\begin_layout Code
+		 ip6 hoplimit 1 icmpv6 type { nd-neighbor-advert, nd-neighbor-solicit,
+ nd-router-advert} accept
+\end_layout
+
+\begin_layout Code
+		 ip6 hoplimit 255 icmpv6 type { nd-neighbor-advert, nd-neighbor-solicit,
+ nd-router-advert} accept
+\end_layout
+
+\begin_layout Code
+	}
+\end_layout
+
+\begin_layout Code
+}
+\end_layout
+
+\begin_layout Standard
+Table for IP version aware filter
+\end_layout
+
+\begin_layout Code
+# nft list table inet filter
+\end_layout
+
+\begin_layout Code
+table inet filter {
+\end_layout
+
+\begin_layout Code
+	chain input {
+\end_layout
+
+\begin_layout Code
+		 type filter hook input priority 0;
+\end_layout
+
+\begin_layout Code
+		 ct state established,related counter packets 44 bytes 2288 accept
+\end_layout
+
+\begin_layout Code
+		 tcp dport ssh ct state new tcp flags & (syn | ack) == syn counter packets
+ 0 bytes 0 accept
+\end_layout
+
+\begin_layout Code
+	}
+\end_layout
+
+\begin_layout Code
+} 
+\end_layout
+
 \begin_layout Chapter
 \begin_inset CommandInset label
 LatexCommand label
@@ -27849,7 +28138,7 @@ Major Mailinglists are listed in following table:
 \begin_layout Standard
 \begin_inset Tabular
 <lyxtabular version="3" rows="8" columns="6">
-<features tabularvalignment="middle">
+<features rotate="0" tabularvalignment="middle">
 <column alignment="center" valignment="top" width="0pt">
 <column alignment="center" valignment="top" width="0pt">
 <column alignment="center" valignment="top" width="0pt">
@@ -28825,7 +29114,8 @@ Releases 0.x
 
 \begin_layout Description
 0.66 2010-04-20/PB: extend QoS section with examples, 20130513/PB: add IPv6
- NAT hints, 20130521/PB: review dhcpd, 20131019/bie: general review
+ NAT hints, 20130521/PB: review dhcpd, 20131019/bie: general review, 20140502/bi
+e: add hints for nftables
 \end_layout
 
 \begin_layout Description

LDP/users/Peter-Bieringer/generate-en-de.sh

@@ -5,7 +5,7 @@
 list="Linux+IPv6-HOWTO.sgml Linux+IPv6-HOWTO.de.sgml"
 
 for lyx in $list; do
-	./generate.sh $lyx
+	./generate.sh $lyx $*
 done
 
 echo -en "\a"

LDP/users/Peter-Bieringer/generate.sh

@@ -197,9 +197,9 @@ create_html_multipage() {
 }
 
 create_html_singlepage() {
-	echo "INFO  : Create HTML singlepage '$file_html'"
+	echo "INFO  : Create HTML singlepage '$file_html' from '$file_input'"
 	[ $loglevel -ge 7 ] && set -x
-	$JADE -t sgml -i html -V nochunks -d "${file_ldpdsl}#html" -o $file_html $file_input >/dev/null
+	$JADE -t sgml -i html -V nochunks -d "${file_ldpdsl}#html" $file_input >$file_html
 	local retval=$?
 	[ $loglevel -ge 7 ] && set +x