Highest Voted 'nftables' Questions - Server Fault Stack Exchange

2

votes

0 answers

Route untagged vlan to a tagged vlan with nftables

I have played around a lot with nftables, but I am stuck on this problem for the entire day. I have a wifi ssid that gets tagged vlan20. This part works, and I can see that dnsmasq is assigning ip addresses from this range: #VLAN…

nftables systemd-networkd

asked Mar 22 '21 at 03:51

techwreck

21
2

2

votes

1 answer

Ping host with dual IPs on 1 IP, echo returns from other IP

I'm running Fedora 33 on a host (i5 cpu, 8Gb RAM, SSD and hdd) which is set up as a router; it has 5 NICs. I've managed to get dual internet gateways and dual LANs working reasonably well using nftables. One gateway is DSL with pppoe, the other a…

router fedora route gateway nftables

asked Mar 02 '21 at 08:17

Nibs Niven

23
4

2

votes

1 answer

Switch from existing firewalld configuration to nftables

I'm running a low-RAM VPS with CentOS 8. I've noticed that firewalld service uses way too much RAM (up to 20%). So I guess it may be better to switch to use only built-in nftables. I'm quite familiar with old iptables as well as firewalld…

centos iptables firewalld centos8 nftables

asked Nov 07 '20 at 10:45

simon

161
7

2

votes

2 answers

nft config to make a local NATed FTP server public available

Everything will be on a isolated network, security is not an issue. eth0 is connected to the "public" network. Address assigned by DHCP. eth1 is connected to a "private network" server that provides ssh, telnet, "others" and ftp. This server will…

ftp nat nftables

asked Aug 18 '20 at 06:59

Gunnar Holm

23
4

2

votes

0 answers

How do I proxy all local traffic on 127.0.0.1:1080 use nftables tproxy

On my desktop linux,I want to surf the Internet through a proxy VPN. I already have a client for a transparent proxy listing on 127.0.0.1:1080. I want the traffic generated by the local process to pass through this client. I know that TProxy is only…

vpn routing linux-networking transparent-proxy nftables

asked Jul 29 '20 at 16:45

junknet

21
2

2

votes

1 answer

Combined nftables rules for IPv4 and IPv6

One of the main advantages of nftables to iptables is a "Simplified dual stack IPv4/IPv6 administration, through the new inet family that allows you to register base chains that see both IPv4 and IPv6 traffic." (from the netfilter website) I'm…

firewall linux-networking ipv6 nftables

asked Jun 16 '20 at 09:51

hosi

21
1
3

2

votes

1 answer

iptables-like NETMAP with nftables

using nftables, I need to NAT an entire subnet to another one for example: 10.10.10.1 -> 10.200.0.1 10.10.10.2 -> 10.200.0.2 ... 10.10.10.X -> 10.200.0.X nftables docs here shows multiple NATs in one line, but how can I manage that use case if my…

linux linux-networking nat nftables

asked May 18 '20 at 11:50

ro-friday

23
5

2

votes

2 answers

Nftables - how not to dnat an ip on interface (DNS)

I have been searching, but cannot seem to find an answer to my specific issue. I have the following rule today under prerouting: iifname "br0" udp dport 53 counter dnat to 192.168.22.5:53 However, I have one issue, the IP address 192.168.22.5 is…

firewall routing dnat nftables

asked May 09 '20 at 12:16

Henrik_er

23
1
4

2

votes

0 answers

Flush old entries from nftable meter list

I use nftables to do rate limiting: chain input: { type filter hook input priority 0; policy accept; tcp dport http ct state new jump rate-limit } chain rate-limit { meter httplimit4 { ip saddr limit rate 2/second burst 20 packets }…

rate-limiting nftables

asked Mar 18 '20 at 11:07

router

21
1

1

vote

1 answer

nftables support string matching support

Iptables can match packets by string. Example for dns: iptables -A INPUT -i eth0 -p udp --dport 53 -m string --hex-string "|09|proxypipe|03|net" --algo bm -j DROP How to perform such matching in nftables?

nftables

asked Jan 14 '20 at 20:29

Tomato

79
1
8

1

vote

0 answers

nftables NAT combined with VLANs and routing

My network has a rather complex setup I can't unfortunately simplify, currently it's being half-solved by two different devices (that cause a few other problems) and I wish to replace them with one Linux box with nftables. I made a diagram (below),…

linux-networking nat vlan bridge nftables

asked Dec 01 '19 at 22:53

Avamander

203
2
11

1

vote

1 answer

Salt configuration for nftables prerouting

I'm trying to configure a nftables-rule for forwarding traffic from my server to a LXC container, however, the way that the salt states module for dport renders the given value is not accepted by nftables. How should I proceed? Salt…

saltstack nftables

asked Nov 27 '19 at 17:40

jbakker

121
3

1

vote

0 answers

Completely delete nftables

I am not a Linux guru, but I used to do it, but now I’m completely stuck. I have Debian Jessie installed on the server, it worked fine, then someone of interns did something there and as a result, nftables was installed on the server. After that,…

debian apt nftables

asked Nov 08 '19 at 10:05

Theo Vi

21
6

1

vote

1 answer

Filter on bytes in UDP payload using nftables

Is it possible to write a nftables rule that filters on byte value(s) at an offset in a UDP payload? I am able to do so using netfilter queue in userspace, but wondering if there's an expression that can be used in an actual rule.

linux nftables

asked Oct 16 '19 at 21:58

diametralpitch

113
3

1

vote

1 answer

Multiple hooks per nftables chain?

Is it possible to define multiple hooks in nftables chain or is there any other elegant way how to prevent duplicationg the rules inside (without include from another file)? table inet raw { chain mangle { type filter hook { prerouting,…

iptables nftables

asked Sep 21 '19 at 14:25

mvorisek

515
1
9
19

Questions tagged [nftables]