Questions tagged [nftables]

Packet filtering framework, userspace utility and compatibility layer for {ip,ip6}tables, developed as a consolidated replacement for the existing {ip,ip6,arp,eb}tables frameworks

219 questions
1 vote, 1 answer

nftables named sets that match network prefixes though filter or variables

I want to match a set of networks. Anonymous sets work fine, but I want to create a prefix set to reuse it when needed. nft add set filter AllowedSSH { type ipv4_addr\;} // type for addresses nft add element filter AllowedSSH { 10.0.0.0/8 } // not…
Tomato
1 vote, 1 answer

nftables: Set packet mark from raw payload

I'm trying to set a packet's mark field to a 32-bit field in the (layer-5) header, using nft add rule inet filter output udp dport 31337 meta mark set @th,96,32. (I'm pulling the second dword in the layer-5 header, but because the extraction starts at…
Reid Rankin
1 vote, 2 answers

Does nftables drop invalid state connections if I only allow established and related state?

Just curious. An example in the nftables wiki allows related and established connections and then drops invalid connections. Is it necessary?
user762750
1 vote, 1 answer

What is the difference between nf_table and xt_table?

There are two sets of modules in the Linux netfilter framework. One with the nf prefix (e.g. nf_tables), another with the xt prefix (e.g. xt_ecn). What is the difference between the two of them?
user762750
1 vote, 1 answer

How to reset an nftables counter?

It's really painful to use nftables. I have an ipv4 table and an input chain in it. table ip filter { # handle 7 chain input { # handle 1 type filter hook input priority 0; policy accept; ip daddr 192.168.0.102 counter packets…
user762750
1 vote, 1 answer

Masquerade with nftables

I have PC-1 with 2 uplinks (modem1 and modem2) and LAN on eth0 interface: # ip -c -brief addr lo UNKNOWN 127.0.0.1/8 eth0 UP 192.168.0.7/24 modem2 UNKNOWN 10.73.15.79/27 modem1 …
ltWolfik
1 vote, 1 answer

How can I use nftables with passive FTP?

Below are rules for allowing passive FTP that are not working. /proc/sys/net/netfilter/nf_conntrack_helper is set to 1. The nf_conntrack_ftp module is loaded. What could be blocking it? Do I really need the counter? Do I really need the tcp dport…
mauricev
1 vote, 0 answers

What does gc-interval in named sets actually do?

I'm testing out named sets in my nftables ruleset but I can't find any explanation of what the gc-interval parameter actually does. The documentation simply states: Garbage collection interval, only available when timeout or flag timeout are…
morbiD
1 vote, 0 answers

Altering packet content of forwarded packets with nft or iptables using queues

I need to create a moderately large application that changes the content of forwarded packets quite drastically. I was wondering whether or not I could alter the content of a packet that is intended for routing (kind of performing a man in the…
Archop
1 vote, 1 answer

Nftables issue with ftp firewall and conntrack

With the following rules inside the nftables input chain: tcp dport 21 ct state established,new counter accept tcp dport 20 ct state established,related counter accept tcp dport 1024-65535 ct state established,related counter accept The passive FTP…
rfmoz
1 vote, 1 answer

How to create transparent/in-line/bridging firewall via nftables?

I'm stuck at configuring nftables. table bridge filter { chain input { type filter hook input priority -200; policy accept;} chain forward { type filter hook forward priority -200; policy drop; ip protocol icmp counter…
Severgun
1 vote, 2 answers

My nftables rules block IPv6

My nftables.conf simply runs flush ruleset then includes my firewall rules. I’ve copied them from the Arch wiki. So the included firewall.rules contains: # An iptables-like firewall table firewall { chain incoming { type filter hook input…
Jonny Barnes
1 vote, 0 answers

Replacing net_cls with nftables

I am currently using the net_cls cgroup to classify packets from a process and then later mangle them with iptables. From the kernel and systemd guys it seems that net_cls is deprecated and other tools like nftables are supposed to do the same…
1 vote, 1 answer

Bash has problems with cmdline nft cmd vs script

Linux Mint. uname -r yields 5.15.0-56. dpkg-query -l bash yields 5.1.6ubuntu1. My script shows this problematic output when bash -x script is invoked: attrib =' '\''{type nat hook prerouting priority mangle+10;}'\'' ' But from the command line: sudo…
ArrowInTree
1 vote, 1 answer

TCP packet loss in nftables nat chain

I am trying to connect to a Minecraft server but get a connection timeout when trying to connect, although the server is showing up as online in the Minecraft multiplayer screen. This question might seem out of place, but wait. The Minecraft server is…