Questions tagged [nftables]

Packet filtering framework, userspace utility and compatibility layer for {ip,ip6}tables, developed as a consolidated replacement for the existing {ip,ip6,arp,eb}tables frameworks

219 questions
0 votes, 0 answers

Script to filter nginx logs to automatically run nftables

I have a domain served by nginx. nginx logs have this format: 178.128.120.151 - - [19/Jul/2023:20:27:25 +0200] "GET /favicon.ico HTTP/1.1" 301 162 "-" "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/108.0.0.0…
somenxavier
0 votes, 0 answers

nft Quality of Service (qos)

Is there any way to have QoS over nftables? I have a webserver and I want to restrict HTTP input traffic to a maximum of 90% of bandwidth. Is it possible? Nothing found in official documentation.
somenxavier
0 votes, 0 answers

nftables: VM to VM Communication over Host IP

I have the following situation: A Debian Linux host with multiple VMs running on it. One VM is set up as a mail server. nftables on the host redirects the mail traffic from the world to the mail VM with NAT. My problem is that when I want to send…
jb_alvarado
0 votes, 1 answer

Compare on-disk rules and in-memory rules (find the difference) for nftables

I want to check that rules were loaded (e.g. the ruleset in files is the same as in the kernel). I want to do it without modifying kernel rules. I can't compare files and nft list ruleset due to ordering, comments, formatting and so on. Is there a way…
George Shuklin
0 votes, 0 answers

Configure network stack to consume data from TAP device, so that application can operate as if the data was intended to it

I have two devices communicating, A and B, over UDP. In between there is a tap device, where C is connected. In order for C to be able to receive the traffic it needs to set the same IP and MAC address as A. (1) This works, showing the data intended…
Aleksandarf
0 votes, 0 answers

Redirect traffic in "sniff/tap?" mode to specific ip address(es), that is: rewrite destination headers to target other machine(s)

I have incoming traffic on eth1 (vlan id 201) which is emitted by another machine which is doing sudo tcpreplay -x 0.01 --loop=0 --intf1=eth12 Wireshark_bidirectional_data.pcap I would like to rewrite the destination to target other devices e.g.…
Aleksandarf
0 votes, 1 answer

nftables rules and rc.local

I have a problem like this. These are my iptables rules: sysctl net.ipv4.ip_forward=1 iptables -t nat -A PREROUTING -p tcp --dport 22 -j DNAT --to-destination (( my first server )) iptables -t nat -A PREROUTING -j DNAT --to-destination (( my second server…
E M A
0 votes, 1 answer

Debian 11 firewalld+nftables rules not taking effect

Update: after commenting out the line in /etc/hosts that is kinda like #127.0.1.1 my-host.domain.edu my-host and rebooting, the firewall does open the expected ports. I thought to do this because, during testing with the firewall down, binding to…
elliotta
0 votes, 1 answer

Does nftables flowtable software/hardware offloading conflict with other nftables rules?

According to https://wiki.nftables.org/wiki-nftables/index.php/Flowtables, flowtables reside in the ingress hook. So, does that mean that if a connection is picked up by the flowtable, it will not be processed by any other rules in prerouting, input,…
user762750
0 votes, 0 answers

Why redirect works with output hook but not with prerouting hook

I'm playing around with nftables to gain more experience and have a pretty easy scenario: NAT the destination port 8080 to 8081 (not really useful but in the Lab it is good enough). This nft config works (so all packets which are targeted at port…
guenhter
0 votes, 1 answer

How to redirect UDP packets targeted for other host to localhost

I want to sniff UDP packets targeted at port 4500 flowing from machine A -> B with a physical TAP device and receive the sniffed packets on machine C on a local port (see image). About the TAP device: this is a physical device which is placed in…
guenhter
0 votes, 1 answer

How to route certain traffic in OpenVPN from one client through another client?

Scenario: ClientA (Windows 10) and ClientB (Raspberry Pi OS) are both connected via OpenVPN to ServerA (Debian 10) over the internet. The OpenVPN network is 10.0.0.0/24. Machine OpenVPN…
Matti vL
0 votes, 0 answers

Is there a way to reset a counter in an nftables set?

I have a table with a set of ipv4_addr that has a counter for each element. I want to reset the counters after reading the packets counted, but from what I can tell there is no way to do this. Are set counters considered anonymous counters? Thanks
0 votes, 0 answers

Nftables map expects IPv6 address, mapping expression has type integer

I need to change the destination address of an IPv6 packet depending on the payload of that packet. I'm using a raw payload expression to extract the encapsulated IPv6 address inside that packet and want to use a map to determine the new destination…
Jakob
0 votes, 0 answers

Drop first SYN packet with nftables

How can I drop the first SYN packet (or the first SYN/ACK reply) received by my server? I have a test VPS set up to capture and analyze malicious traffic directed to non-standard TCP ports, for example attacks on sshd running on a high port. Using…