Questions tagged [nftables]
nftables is the successor to iptables/ip6tables and has been available since Linux kernel version 3.13
277 questions
2 votes · 0 answers · 31 views
Nftables ct count over 2 counter continues to trigger with only 1 connection
I have a counter that triggers when the ct count is over 2. I am monitoring the number of connections as well as the states using ss -at and conntrack -L. The following rules do not appear to be ...
0 votes · 0 answers · 23 views
firewalld corruption python-nftables command not found
This is on RHEL-8.10 x86-64,
from a clean install from rhel-8.10-x86_64-dvd.iso and only using the public.xml file;
the only things I do are
# quad port nic with eno4 being my wan connection
firewall-...
0 votes · 0 answers · 22 views
nftables masquerade on interface with multiple addresses
I have what appears to be a unique situation that I am surprised is unique as it's common to most cablemodem implementations...
I need to masquerade to the dynamic public address provided by $CABLECO ...
0 votes · 0 answers · 34 views
Problem using "dynamic" maps with nftables
I want to create an nftables filter rule that drops traffic where the source and destination address are equal. Nftables only allows comparing addresses against constants or sets/maps. So I tried to ...
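The set/map route the question mentions, as an added example that is not part of the original post: nft has no syntax for comparing two packet fields with each other, but a concatenated set lets the (saddr, daddr) pair be matched as one key, so listing each local address paired with itself drops packets whose source equals an address this host owns. The addresses, the table name and the set name are assumed for illustration; the functions only generate ruleset text, and the optional check is run only if nft is installed.

```shell
#!/bin/sh
# Added example, not code from the original post. Addresses and names are assumed.

# land_elements ADDR... -> the element list "A . A, B . B" for a concatenated set
land_elements() {
  elems=""
  for a in "$@"; do
    elems="${elems:+$elems, }$a . $a"
  done
  printf '%s' "$elems"
}

# land_ruleset ADDR... -> a complete inet filter table. The named set
# land_pairs has a concatenated key type (ipv4_addr . ipv4_addr), so the rule
# "ip saddr . ip daddr @land_pairs" matches only when both halves agree with an
# element, i.e. when source == destination == one of our own addresses.
# Only IPv4 is covered here; an ip6 saddr . ip6 daddr set would do the same for v6.
land_ruleset() {
  elems=$(land_elements "$@")
  cat <<EOF
table inet filter {
	set land_pairs {
		type ipv4_addr . ipv4_addr
		elements = { $elems }
	}
	chain input {
		type filter hook input priority filter; policy accept;
		ip saddr . ip daddr @land_pairs counter drop
	}
}
EOF
}

# check_ruleset ADDR... -> syntax-check the generated table without loading it
check_ruleset() {
  if command -v nft >/dev/null 2>&1; then
    land_ruleset "$@" | nft -c -f -
  else
    echo "nft not installed; skipping syntax check" >&2
  fi
}

# usage: check_ruleset 192.0.2.1 192.0.2.2   (addresses assumed for the example)
```

Enumerating addresses is only needed when the pairs must be exact. When the real goal is "drop anything arriving from the outside that claims one of my own addresses as its source", the fib expression expresses that without a list: `iif != lo fib saddr type local counter drop` in the input chain, which covers the equal-address case as well.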
2 votes · 1 answer · 58 views
nftables NAT 'redirect' rule description ambiguity
I'm currently covering nftables NAT rules. There are four of them, namely:
snat: replace the packet's source address with a given one (clear);
dnat: replace the packet's destination address with a ...
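The four NAT statements side by side, as an added example that is not part of the original post: one nat table with a prerouting chain for the destination rewrites (redirect, dnat) and a postrouting chain for the source rewrites (snat, masquerade). Interface names and addresses are assumed for illustration; the function only generates ruleset text, and the optional syntax check runs only if nft is installed.

```shell
#!/bin/sh
# Added example, not code from the original post. Interfaces and addresses are assumed.

# nat_ruleset [WAN_IF] [WAN_IP] [LAN_NET] [WEB_BACKEND] -> prints a nat table
#   WAN_IF / WAN_IP : the public interface and its static address
#   LAN_NET         : the private network behind this box
#   WEB_BACKEND     : an internal host that should receive inbound HTTPS
nat_ruleset() {
  wan_if=${1:-eth0}; wan_ip=${2:-203.0.113.10}
  lan_net=${3:-10.0.0.0/24}; web_backend=${4:-10.0.0.5}
  cat <<EOF
table ip nat {
	chain prerouting {
		type nat hook prerouting priority dstnat; policy accept;
		# redirect: the destination becomes an address of this host itself
		# (the primary address of the interface the packet arrived on);
		# you only choose the port.
		iifname "$wan_if" tcp dport 80 redirect to :8080
		# dnat: the destination becomes an address/port you name explicitly,
		# typically another host behind the firewall.
		iifname "$wan_if" ip daddr $wan_ip tcp dport 443 dnat to $web_backend:443
	}
	chain postrouting {
		type nat hook postrouting priority srcnat; policy accept;
		# snat: the source becomes a fixed address you name explicitly.
		oifname "$wan_if" ip saddr $lan_net snat to $wan_ip
		# masquerade: the source becomes whatever address the outgoing
		# interface has at that moment; use it when the address is dynamic.
		oifname "ppp0" ip saddr $lan_net masquerade
	}
}
EOF
}

# check_ruleset [args] -> syntax-check the generated table without loading it
check_ruleset() {
  if command -v nft >/dev/null 2>&1; then
    nat_ruleset "$@" | nft -c -f -
  else
    echo "nft not installed; skipping syntax check" >&2
  fi
}

# usage: check_ruleset eth0 203.0.113.10 10.0.0.0/24 10.0.0.5
```

So redirect is the special case of dnat where the new destination is chosen for you (the local host), and masquerade is the special case of snat where the new source is chosen for you (the outgoing interface's current address). Both rewrites are tracked by conntrack, so reply packets are translated back without any explicit rule.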
1 vote · 1 answer · 47 views
Discrepancy in nftables counters
Here is an edited nft ruleset that shows what appears to be a problem with the values in the packet counters.
In the INPUT chain, the second rule counter shows more packets than the first rule counter....
2 votes · 1 answer · 89 views
How do I make a virtual "alias" for a remote IP without a proxy process?
I have interfaces enp101s0f0u2u{1..3}, on each of which there is a device responding to 192.168.8.1.
I want local processes to be able to reach all of them simultaneously.
This is one process, so ...
1 vote · 2 answers · 82 views
nftables anonymous subchains
Using ferm (the iptables generator) I can make anonymous chains like this:
saddr (1.2.3.4 2.3.4.5 3.4.5.6 4.5.6.7 5.6.7.8) @subchain {
proto tcp dport (http https ssh) ACCEPT;
proto udp dport ...
0 votes · 0 answers · 90 views
nftables query interface address
Is it possible to query interface address using nftables?
For example,
ip daddr = ifname_addr "eth0" counter accept
Consider a system that has 4 interfaces: eth0 eth1 eth2 eth3. It is ...
1 vote · 0 answers · 39 views
What does the phrase "consider native interface" refer to when the nftables wiki says that xt_bpf match is unsupported
In this list of unsupported xtables features, xt_bpf is listed as one of the unsupported features. The comment says to "consider native interface". But what interface is being referred to ...
0 votes · 1 answer · 224 views
Captive Portal w/ nginx, hostapd, nftables, dnsmasq
I'm trying to make captive portal with nginx, hostapd, nftables, dnsmasq and python-flask.
I have two main problems
I'm not getting a popup on Android, but am on iPhone/OSX.
I'm not sure how to ...
0 votes · 1 answer · 93 views
Misdocumentation in nftables?
As someone who hasn't hammered in all the parts of the OSI layers, I got quite frustrated with the documentation of bridge filtering in nftables: https://wiki.nftables.org/wiki-nftables/index.php/...
1 vote · 1 answer · 353 views
nftables returns "Error: No such file or directory" when trying to list or modify a table that clearly exists
I have two tables in nftables:
$ sudo nft list tables
table inet filter
table ip nat
The nat table can be listed just fine:
$ sudo nft list table nat
table ip nat {
chain prerouting {
...
0 votes · 0 answers · 98 views
NFTables tables, hooks and rules ordering
I'm new to nftables but have used iptables for quite a while now. While playing with nftables, I was thinking: "Hey, this is cool, I could have like a management table, where all the mngt stuff ...
0 votes · 1 answer · 108 views
Why does no packet traverse the nat chain in the output or postrouting hook with this ruleset?
I have a machine with the network interface enp0s3 which is assigned the IPv4 address 192.168.20.254. Furthermore, on another machine there is a DNS server listening on the IPv4 address 192.168.20.10. ...