From 11a9486a8ccf71e2194076445bfea2fcc08bd1e7 Mon Sep 17 00:00:00 2001
From: zegonix
Date: Mon, 17 Nov 2025 22:51:17 +0100
Subject: [PATCH] (network) moved dnsmasq configuration to `examples/network`, added `nftables.conf`

---
 dnsmasq.conf => examples/network/dnsmasq.conf | 0
 examples/network/nftables.conf | 40 +++++++++++++++++++
 network.md | 4 +-
 3 files changed, 42 insertions(+), 2 deletions(-)
 rename dnsmasq.conf => examples/network/dnsmasq.conf (100%)
 create mode 100644 examples/network/nftables.conf

diff --git a/dnsmasq.conf b/examples/network/dnsmasq.conf
similarity index 100%
rename from dnsmasq.conf
rename to examples/network/dnsmasq.conf
diff --git a/examples/network/nftables.conf b/examples/network/nftables.conf
new file mode 100644
index 0000000..eb9c460
--- /dev/null
+++ b/examples/network/nftables.conf
@@ -0,0 +1,40 @@
+#!/usr/sbin/nft -f
+
+# example configuration for a router
+
+define loop_interface = "lo"
+define wan_interface = "enp0s0"
+define lan_interface = "enp1s0"
+define local_network = 192.168.1.0/24
+
+flush ruleset
+
+table ip routing {
+ chain masquerading {
+ type nat hook postrouting priority 100; policy accept;
+ ip saddr { $local_network } ip daddr != { $local_network } oifname { $wan_interface } masquerade
+ }
+}
+
+table inet filter {
+ chain input {
+ type filter hook input priority 0; policy drop;
+ iif { $loop_interface } accept
+ iif { $lan_interface } accept
+ ct state { related, established } accept
+ ct state invalid drop
+ meta l4proto icmp accept
+ icmp type echo-request limit rate 5/second accept
+ }
+
+ chain output {
+ type filter hook output priority 0; policy accept;
+ }
+
+ chain forward {
+ type filter hook forward priority 0; policy drop;
+ ct state { related, established } accept
+ ct state invalid drop
+ iif { $lan_interface } accept
+ }
+}
diff --git a/network.md b/network.md
index 23bc902..53e1fde 100644
--- a/network.md
+++ b/network.md
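Review bot: The rate limit on `icmp type echo-request limit rate 5/second accept` in chain input is never reached, because the line just above it, `meta l4proto icmp accept`, already accepts every ICMP packet including echo-request, so the example does not actually limit pings. Replace those two lines with `icmp type echo-request limit rate 5/second accept` followed by `icmp type != echo-request accept`, so that echo-requests above the limit fall through to the chain's drop policy while other ICMP types are still accepted. Since the table is of the `inet` family, nothing in chain input accepts ICMPv6 arriving on the WAN interface, so neighbour discovery and router advertisements would be dropped if IPv6 is in use; a `meta l4proto ipv6-icmp accept` rule (or a narrower icmpv6 type set) next to the ICMP rules is worth adding, with a comment saying the example is IPv4-only otherwise. As a point of style, the `iif` matches resolve the interface index when the ruleset is loaded and fail to load if the interface does not exist yet, whereas `iifname` (the name-based form already used as `oifname` in the nat chain) does not have that constraint, so using one form consistently would make the example more robust at boot; separately, the command in the network.md hunk, `sudo systemd enable --now dnsmasq nftables`, should read `sudo systemctl enable --now dnsmasq nftables`.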
@@ -91,11 +91,11 @@ table inet filter {
 ### starting the routing system
 
-Enable the services for `dnsmasq` and `nftables`.
+Enable the services for `dnsmasq`, `nftables` and the network manager of choice.
 
 On a system with `systemd` use:
 
 ```sh
-sudo systemd enable --now dnsmasq nftables
+sudo systemd enable --now dnsmasq nftables
 ```
 
 Enable routing in the kernel, see [Enable routing](#enable-routing).