Packet filtering framework, userspace utility and compatibility layer for {ip,ip6}tables, developed as a consolidated replacement for the existing {ip,ip6,arp,eb}tables frameworks.
Questions tagged [nftables]
219 questions
1 vote, 1 answer
Why do we need different types of base chain in nftables?
I know how hooks work in netfilter, but I can't understand why there are different types of chains as described here: base chain types. I have two questions.
First: why are there different types of chains? Why not use only the "filter" type? …

H. Far
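The question above asks why base chains need a type at all. As an added illustration (this is not code from the question or from any answer), here is one ruleset carrying all three types. The difference is in what the kernel does with each: a `filter` chain may attach to any hook and sees every packet crossing it; a `nat` chain may only attach to the prerouting, input, output and postrouting hooks and is traversed only by the first packet of each conntrack flow, after which the translation lives in the conntrack entry; a `route` chain may only attach to the output hook and makes the kernel re-run the routing lookup if the chain changed the packet's mark, TOS/DSCP or addresses, which a plain filter chain on the same hook would not trigger. Interface names, addresses and ports are placeholders.

```nft
# Added example, not from the question: one inet table with a filter,
# a nat and a route base chain, to show what each type is for.
table inet chain_types {
    # filter type: any hook, every packet.
    chain input {
        type filter hook input priority filter; policy drop;
        ct state established,related accept
        iif "lo" accept
        tcp dport 22 accept
    }

    # nat type: prerouting/input/output/postrouting only; only the first
    # packet of a flow is evaluated here. Priority dstnat (-100) runs
    # before filter (0), srcnat (100) runs after it.
    chain prerouting {
        type nat hook prerouting priority dstnat; policy accept;
        iifname "eth0" tcp dport 8080 dnat ip to 192.0.2.10:80
    }
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        oifname "eth0" masquerade
    }

    # route type: output hook only. Because this chain sets a mark, the
    # kernel re-routes the packet after the chain, so a policy-routing
    # rule keyed on that mark can change the egress interface.
    chain output {
        type route hook output priority mangle; policy accept;
        tcp dport 443 meta mark set 0x1
    }
}
```

Load it with `nft -f chain_types.nft` and inspect it with `nft list table inet chain_types`; a `type nat` chain placed on the forward hook, or a `type route` chain on any hook but output, is rejected at load time, which is the quickest way to see the constraints the types impose.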
1 vote, 2 answers
Linux - force different users to use different network interfaces
I have a linux machine set up with one physical NIC, connected to a managed switch. The connection is a VLAN trunk. On the machine there are two vlan interfaces for which there are different IP addresses (part of different VLANs).
What I want…

Koen
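One way to steer traffic per user, added here as an example that is not part of the question or its answers: a `route`-type output chain marks packets by the owning uid, and policy-routing rules keyed on the mark pick the VLAN interface. The user names, VLAN interfaces, gateways and table numbers are placeholders; the `ip rule`/`ip route` commands in the comments are assumed to have been run as root beforehand.

```nft
# Added example, not from the question: uid-based egress selection.
# Companion policy routing (assumed, run once as root):
#   ip rule add fwmark 0x10 lookup 110
#   ip route add default via 192.0.2.1 dev eth0.10 table 110
#   ip rule add fwmark 0x20 lookup 120
#   ip route add default via 198.51.100.1 dev eth0.20 table 120
table inet userroute {
    chain output {
        # route type: the kernel re-runs the route lookup after this chain
        # for packets whose mark changed, so the fwmark rules take effect.
        # meta skuid only exists for locally generated packets.
        type route hook output priority mangle; policy accept;
        meta skuid "alice" meta mark set 0x10
        meta skuid "bob"   meta mark set 0x20
    }

    chain postrouting {
        # The socket picked its source address before the re-route, so
        # rewrite it to the address of the interface actually used.
        type nat hook postrouting priority srcnat; policy accept;
        oifname "eth0.10" masquerade
        oifname "eth0.20" masquerade
    }
}
```

Without the masquerade rules a packet re-routed to the other VLAN would leave with the first interface's source address, and replies would come back to the wrong VLAN; with strict reverse-path filtering enabled on the interfaces they would also be dropped on the way in.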
1 vote, 1 answer
What do these nftables rules, as set up by wg-quick, mean?
I am using wg-quick to open a VPN connection. I can see the utility is setting some nft rules and I would like to understand them. I have moderate knowledge of iptables but none of nftables.
Here is the Wireguard config file:
[Interface]
PrivateKey…

Patrick
1 vote, 0 answers
How to avoid IP & MAC spoofing and block desired ports for Qemu/KVM virtual machines via nft or nftables?
I have a Debian 11 server that is running several Qemu/KVM virtual machines (not using libvirtd, created purely with Qemu commands). I've created a network bridge and each VM has its own TAP device connected to the bridge. Please consider that I…

Sinux
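An added example for the setup described above (not code from the question, which has no answer on the page): a bridge-family ruleset that pins each guest TAP interface to one source MAC and one IPv4 address, checks the ARP sender fields separately from the Ethernet header, and drops chosen destination ports per guest. The bridge family hooks frames natively, so br_netfilter is not required. TAP names, MAC addresses, IP addresses and the port list are placeholders, and the guests are assumed to have static addresses (a DHCP discover sent from 0.0.0.0 would be dropped by the IP check).

```nft
# Added example, not from the question: anti-spoofing per TAP on a bridge.
table bridge vmguard {
    chain prerouting {
        type filter hook prerouting priority 0; policy accept;
        # Frames from the uplink and from the host fall through to accept.
        iifname vmap { "tap0" : jump guard_tap0, "tap1" : jump guard_tap1 }
    }

    chain guard_tap0 {
        # Layer-2 source must be this guest's own NIC.
        ether saddr != 52:54:00:aa:bb:01 counter drop
        # ARP sender fields can be forged independently of the frame header.
        arp saddr ether != 52:54:00:aa:bb:01 counter drop
        arp saddr ip != 192.0.2.11 counter drop
        # IPv4 source must be the address assigned to this guest.
        ip saddr != 192.0.2.11 counter drop
        # Ports this guest must not reach (here: outbound SMTP submission).
        tcp dport { 25, 465, 587 } counter drop
        accept
    }

    chain guard_tap1 {
        ether saddr != 52:54:00:aa:bb:02 counter drop
        arp saddr ether != 52:54:00:aa:bb:02 counter drop
        arp saddr ip != 192.0.2.12 counter drop
        ip saddr != 192.0.2.12 counter drop
        tcp dport { 25, 465, 587 } counter drop
        accept
    }
}
```

Load it with `nft -f vmguard.nft`; the `counter` statements make `nft list table bridge vmguard` show how many frames each check has dropped, which is the quickest way to confirm a spoofing attempt from a guest is being caught. The `ip saddr` rules only apply to IPv4 frames; if the guests are given IPv6 addresses, matching `ip6 saddr` rules are needed as well.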
1 vote, 1 answer
ip xfrm policy template mismatch error (XfrmInTmplMismatch)
I am working on a very simple case for ipsec and I keep getting the XfrmInTmplMismatch error on reception (after decapsulating the ESP packet) when checking cat /proc/net/xfrm_stat. nft monitor all shows nothing.
These are the SAs and SPs I…

Leonardo Bergesio
1 vote, 0 answers
After iptables to nftables conversion, unable to connect to http nextcloud server and apt doesn't connect
I want to enable access to my nextcloud server and be able to use apt update. I used to be able to before my iptables to nftables conversion. However, after the conversion, it's no longer possible. Pinging Google and server access via SSH still…

LtMuffin
1 vote, 1 answer
Route all traffic through a WireGuard Hub and Spoke VPS (Nftables)
As mentioned in the title, I am using a WireGuard Hub and Spoke configuration to connect my network at home to RoadWarrior peers. Unfortunately I have no public IPv4 and v6 address at home and on the road, so I need the hub. So far the routing of…

Jonathan
1 vote, 1 answer
nftables ignoring should-be matches, nftables log shows nonsense frames, tcpdump shows expected frames
EDIT: Solution found. Will post after synthesization and verification.
Having come across some head-scratching behavior with nftables, I am hoping for some community insights.
When using the below ruleset in a QEMU-KVM guest, Ethernet frames in…

Tanel Rebane
1 vote, 0 answers
ICMP TTL exceeded replies with destination IP from NAT router
I'm playing with nftables and observe strange behaviour which I cannot explain.
I have three VMs, source, router and destination. All run the latest Oracle EL 8.5 and are configured via nft.
source has single network interface enp0s8 with IP…

Reisse
1 vote, 1 answer
Use iptables and nftables together
Is it possible to use nftables and iptables together? How can I give iptables rules higher priority than nftables? I am using nftables for nat and iptables to drop traffic by matching hex & string.
These are the iptables rules which I wanted to…

ph3ro
1 vote, 0 answers
How to bridge only IPv6 and drop all IPv4 traffic on a Linux bridge with NFT?
Currently, we have a network where apps on host and VMs are connected together and all VMs are behind the NAT as below
||=> Host
ISP Router => enp1s0
|--> lxdbr0 => VM 1
||====> VM 2
…

Thor-x86_128
1 vote, 1 answer
config error after updating nftables
Been using nftables for the last 2 years with the same config; updated the program the other day and now it's complaining that my config isn't valid even though all the documentation still says it's right. Maybe someone can spot a rogue symbol or…

KittyDotNet
1 vote, 2 answers
Can't run iptables-legacy using the CLI - CentOS 8
I have a CentOS 8 machine which comes with nftables and iptables libraries installed.
For example, the files:
/lib64/xtables/*
/lib64/libiptc.so.0.0.0
/lib64/libiptc.so.0
all exist and are working, which means that I'm able to perform…

Or Yaacov
1 vote, 1 answer
Do I need to migrate from iptables to nftables?
I have the following iptables rules.
Forwarding packets from 1.2.3.4 and 5.6.7.8 (sources) coming to port 10000 to an external socks5 server on 10.10.10.10:1080. The server IP is 50.50.50.50
This schema is working well if the source amount is not…

pdqcontacts
1 vote, 0 answers
NFS insists on sending packets over the MTU; nftables might be the solution
I have an NFS mount over a Strongswan IPsec tunnel, which is encapsulated in a 6to4 tunnel. The IPsec is because I need encryption for NFS traffic; the 6to4 is because the VPS provider won't assign a native IPv6 prefix to my server. Because I had…

MegaBrutal