On 5/13/20 10:02 PM, D&R wrote:
> nftable.conf is set up as:
>
> flush ruleset
> table inet nat {
>     chain postrouting {
>         type nat hook postrouting priority srcnat; policy accept;
>         masquerade random,persistent
>     }
> }
> table inet filter {
>     chain input {
>         type filter hook input priority filter; policy drop;
>         counter jump block
>     }
>     chain forward {
>         type filter hook forward priority filter; policy drop;
>         counter jump block
>     }
>     chain output {
>         type filter hook output priority filter; policy accept;
>     }
>     chain block {
>         ct state { established, related } counter accept comment "accept all connections related to connections made by us"
>         iifname "enp1s0" counter accept
>         iifname "enp2s0" counter accept
>         iif "lo" accept comment "accept loopback"
>         tcp dport xxxxx counter accept comment "accept SSH"
>         counter log prefix "IPTABLES IN= " level crit flags tcp sequence,options
>         counter drop comment "count dropped packets"
>     }
> }
>
>
> After it runs for a few minutes it adds the following at the bottom of the
> table:
>
>
> table ip filter {
>     chain INPUT {
>         type filter hook input priority filter; policy accept;
>         counter packets 214 bytes 18153 jump block
>     }
>
>     chain FORWARD {
>         type filter hook forward priority filter; policy accept;
>         counter packets 525 bytes 85145 jump block
>     }
>
>     chain OUTPUT {
>         type filter hook output priority filter; policy accept;
>     }
>
>     chain block {
>     }
> }
>
> I can't explain this, can anyone else do so?
>
> Thanks,
>
> David
> _______________________________________________
> users mailing list -- users@xxxxxxxxxxxxxxxxxxxxxxx
> To unsubscribe send an email to users-leave@xxxxxxxxxxxxxxxxxxxxxxx
> Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/
> List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines
> List Archives: https://lists.fedoraproject.org/archives/list/users@xxxxxxxxxxxxxxxxxxxxxxx

Maybe something else is running, like firewalld?
I've been using nftables for a while on other distros and now on Fedora, and I haven't seen any changes being made to my nftables.conf. Maybe run "systemctl status firewalld"?
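To go with the reply's suggestion that something other than the config file is writing rules, here is an added example (not part of either message) that lists the base chains in a saved `nft list ruleset` dump whose table is not declared in the config. The function names, the temp-file layout and the abridged sample ruleset are constructed for illustration.

```shell
# Print "family table chain hook policy" for every base chain in a ruleset file.
base_chains() {
    awk '
        $1 == "table" { tbl = $2 " " $3 }
        $1 == "chain" { chain = $2 }
        $1 == "type" && $3 == "hook" {
            policy = "accept"                 # nft default when no policy is given
            for (i = 1; i < NF; i++) if ($i == "policy") policy = $(i + 1)
            sub(/;$/, "", policy)
            print tbl, chain, $4, policy
        }' "$1"
}

# Print the base chains of $2 (live ruleset) whose table is not declared in $1 (config).
unexpected_base_chains() {
    declared=$(awk '$1 == "table" { print $2, $3 }' "$1")
    base_chains "$2" | while read -r fam tbl rest; do
        printf '%s\n' "$declared" | grep -Fqx "$fam $tbl" || echo "$fam $tbl $rest"
    done
}

# Constructed sample, abridged from the ruleset quoted in the thread.
tmp=$(mktemp -d)
cat > "$tmp/config" <<'EOF'
table inet nat {
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
    }
}
table inet filter {
    chain input {
        type filter hook input priority filter; policy drop;
    }
}
EOF
{ cat "$tmp/config"; cat <<'EOF'
table ip filter {
    chain INPUT {
        type filter hook input priority filter; policy accept;
    }
    chain FORWARD {
        type filter hook forward priority filter; policy accept;
    }
    chain block {
    }
}
EOF
} > "$tmp/live"
# Real use: save `nft list ruleset` (run as root) to a file and pass it as $2.
unexpected_base_chains "$tmp/config" "$tmp/live"
```

On the sample this reports the `INPUT` and `FORWARD` chains of `table ip filter`, the table that appears in the live ruleset but not in the config.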