Stack Overflow
Stack Overflow

Questions tagged [nftables]

57 questions
1
vote
1 answer

Add nftables map element using libnftables-json API from python

I am trying to dynamically add a map element using the nftables JSON API from python. In my firewall I have the following map in the router table in the ip family: map port_forwards { type inet_service: ipv4_addr . inet_service; } Here is a…
SamP20
  • 21
  • 4
1
vote
1 answer

cast a `&&*const libc::foreignStruct` to a `&libc::foreignStruct`

I'm using nftnl-rs to build a table of nftables rules, with great success. But now I want to know if there is already a table with the same name in the system. I found two functions in nftnl-rs' nftnl/src/table.rs that seem to be exactly made for…
la Fleur
  • 426
  • 3
  • 11
1
vote
1 answer

Rule management in nftables

I get the ports as a variable and I need to delete the rule in nftables. If the port is present in rule then i would grep the handle number and delete the rule. But in nftables service name would be present in rule so how can I delete the rule. Is…
infantus
  • 49
  • 7
1
vote
2 answers

nftables - drop arp traffic on specific bridge

I have basic knowledge in nftables syntax and I am trying to drop all arp traffic that occurs on a Linux bridge. I am running debian and have several virtual machines which are all connected to one bridge. For a project I need to prevent any kind of…
Jonasj
  • 25
  • 1
  • 6
1
vote
0 answers

nftables: Overriding the default configuration file

Imagine there's some application that does a silly thing, like configuring and over-writing all the firewall rules in /etc/nftables.conf and enabling said firewall with every update (even though the host itself is already behind a firewall and this…
aphid
  • 1,135
  • 7
  • 20
1
vote
2 answers

nftables rate limiting per multiple seconds

I'm trying to convert some iptables rules to nftables I want to make a rule that blocks a connection if there are more than 4 attempts in a 30 seconds time span My original iptables rules are: iptables -A INPUT -p tcp --dport 22 -m state --state NEW…
Samuel Barata
  • 39
  • 1
  • 8
1
vote
1 answer

How to order columns and rows in ftable

I want to reorder rows and columns of a ftable in R. Currently the table looks like this: Now I want to switch the rows/columns, so that the counts for "1" are shown first, and for "0" second. For example the rows "antib" should switch, so that the…
Martina
  • 139
  • 1
  • 10
1
vote
1 answer

How to translate iptables --physdev statements to nftables

I'm trying to translate my iptables entries to native nftables. The problem I have is with physdev statements - I'm using some chains to classify traffic passing through linux bridge: iptables -A FORWARD -m physdev --physdev-is-bridged -j…
nightcat
  • 43
  • 4
1
vote
2 answers

Test for packet NOT matching set

I'd like to write an nftables rule that matches packet fields which are NOT found in a set: ip not ip saddr @local_networks drop Unfortunately this gives a syntax error: "unexpected !" Moving the 'not' to various other likely points in the…
Nicole
  • 699
  • 1
  • 5
  • 15
0
votes
0 answers

nftables multiple input chains not working

So I have two input chains, input and dyn which is dynamically generated. However the rules of dyn just don't work because of input. I've tried setting the priority of input to 1, and the dyn to 0 even -200. Still nothing. When I flush the input…
Nikk
  • 7,384
  • 8
  • 44
  • 90
0
votes
1 answer

Hairpin NAT with dynamic WAN ip?

I have a fairly simple network, outlined below. For the question in particular, two subnets in their own VLAN. I have a service running in VLAN1000, lets say it's a webserver. I have forwarded 443/tcp from my WAN interface to this machine, and it…
monotux
  • 3,657
  • 28
  • 30
0
votes
0 answers

How to use openwrt22.03.2 to implement snat with nftables

I want to connect openwrt 22.03.2 to an ubuntu 22.04 via wireguard, and since I need to split the traffic, I use nftables to split the destination address. So I need to run this command below to tag the destination address with package in…
kursk.ye
  • 389
  • 1
  • 3
  • 12
0
votes
1 answer

Can't import libnftables.h on Raspberry Pi OS

I'm trying to use libnftables in C on Raspberry Pi OS. The built-in man page, libnftables(3), says to use #include . However, this header file doesn't seem to exist. When compiling with GCC, I get the…
ClausWorks
  • 33
  • 4
0
votes
0 answers

nftables payload statement?

So I am playing around with nftables and I stumbled over the "payload statement", which states that you can alter payload content. So I thaught about trying to change the "ether type protocol" from IPv4 (0x0800) to IEEE 802.1Q (0x8100), meaning it…
ablavan
  • 1
  • 1
0
votes
0 answers

what algorithm is used to match an IP address in an nftables set?

nftables allows you to create sets of IP addresses that can be used to match a rule. I'm curious what algorithm is used to match an IP against this set? Any comments on the O(n) would be appreciated.
AngularNerd
  • 871
  • 7
  • 14
1
2
3 4