Questions tagged [nftables]

Packet filtering framework, userspace utility, and compatibility layer for {ip,ip6}tables, developed as a consolidated replacement for the existing {ip,ip6,arp,eb}tables frameworks.

172 questions

3 votes, 1 answer

How should nftables rules using hostnames be rewritten to deal with multiple addresses?

I have this nftables rule: ip daddr { "0.nixos.pool.ntp.org", "1.nixos.pool.ntp.org", "2.nixos.pool.ntp.org", "3.nixos.pool.ntp.org" } udp dport ntp accept comment "Allow NTP traffic for system time" The goal is to allow NTP traffic from a host…
Jean-Paul Calderone

3 votes, 4 answers

How can I log packets dropped by policy in nftables?

I have a policy to drop packets in the input chain chain input { type filter hook input priority 0; policy drop; How can I log just these dropped packets?
mauricev

3 votes, 1 answer

How to define port range in nftables

I want to open a range of TCP ports in nftables on my servers. Normally, in netfilter/iptables I can write the rule like this iptables -A INPUT -p tcp 1000:2000 -j ACCEPT I tried to write in the same way in /etc/nftables.conf tcp dport {1000:2000}…
Lamnk

3 votes, 1 answer

Getting NATed traffic returned back to the right interface

On a custom board (running a 4.x kernel), I have two physical ethernet interfaces and one radio modem that gives me a ppp-interface. iproute2 has been installed, and I am using nftables (not iptables). My issue is that I want to forward specific UDP…
mroek

3 votes, 0 answers

nftable rules get invalidated on reconnect (VDSL, ppp0)

I'm rebuilding my router using nftables on debian jessie. I have a working setup up to the moment where my ISP decides to reassign a new WAN IP by reconnecting my DSL-link. After such a reconnect the router itself has an online connection, but…

3 votes, 2 answers

Drop fragmented packets in nftables

Using iptables it is possible to block fragmented packets with this rule: iptables -A INPUT -f -j DROP But there isn't an equivalent in nftables. Is there any way to do it?
rfmoz

3 votes, 2 answers

nftables alternative for iptables -F

Simply, is there any quick alternative to the iptables -F command (that just "deletes everything") for nftables? Such a thing wouldn't have much theoretical purpose, but it's usually a lifesaver for the administration of bad/gone-wrong setups.
exa

3 votes, 2 answers

NFTABLE issue: IPv6 does not behave like IPv4 with mirror config

I have an issue with IPv6 on my server. I have nginx configured to listen on port 443 from IPv4 and IPv6. And it works great: my website is available from the Internet with TLS enabled. Things get complicated when I activate nftables: when I am…
Ricain

3 votes, 2 answers

Debian 10: How can I disable nftables and continue to use IPTables only?

I just installed a new Debian 10 and realized that both nftables and iptables are active and somehow my IPTables rules get mixed up and don't work properly. How can I completely disable nftables and use IPTables-only instead?
manifestor

2 votes, 1 answer

Nftables timestamp map

Is it possible to construct a nftables map based on timestamp? Currently I use: numgen random mod 2 map { 0: 10.10.10.1, 1: 10.10.10.2, } But how to convert the random mod 2 expression to (timestamp / 1800) mod 2,…
mvorisek

2 votes, 1 answer

Migrating from libvirt + iptables to libvirt + nftables

I'm about to migrate a Debian Stretch host using qemu-kvm to Debian Buster. I've seen people complaining on the Internet about issues due to nftables becoming default in place of iptables and libvirt using iptables rules. Rules automatically written…
Jérôme

2 votes, 1 answer

Nftables cannot process any commands

After updating from Stretch to Buster and moving from iptables to nftables, the nft command doesn't process any given command except for list, which doesn't print anything. The input nft flush ruleset prints: Error: Could not process rule: Invalid…

2 votes, 1 answer

How to flush and restore nftables rules from /etc/nftables.conf?

For iptables I used to run iptables-restore < /etc/iptables/rules.v4 which would flush rules and restore them from /etc/iptables/rules.v4. For nftables, I found nft -f /etc/nftables.conf, but the rules are not flushed* prior to restoring them from…
sunknudsen

2 votes, 1 answer

nftables ip6 route to localhost/ ipv6 nat to loopback

I'm trying to route incoming http internet traffic to [::1]:8080 which is where my http server binds to. I'm using nftables on an IPv6-only device. If I add following rules: sudo nft flush ruleset sudo nft add table ip6 nat sudo nft add chain…
adabru

2 votes, 1 answer

nftables bridge match local packets

I am using Arch linux and I have set up a bridge with bridge-utils. Now I would like to firewall it. I would like to drop some packets going through that bridge while allowing this machine to freely communicate with the one behind the bridge. I…
Vojtech Kane