Harald,

On Mon, Jun 22, 2020 at 05:19:53PM +0200, Reindl Harald wrote:
> On 22.06.20 at 16:54, Phil Sutter wrote:
> > On Mon, Jun 22, 2020 at 04:11:06PM +0200, Reindl Harald wrote:
> >> On 22.06.20 at 16:04, Phil Sutter wrote:
> >>>> i gave it one try and used "iptables-nft-restore" and "ip6tables-nft",
> >>>> after reboot nothing worked at all
> >>>
> >>> Not good. Did you find out *why* nothing worked anymore? Would you maybe
> >>> care to share your script and ruleset with us?
> >>
> >> i could share it off-list, it's a bunch of stuff including a management
> >> interface written in bash and is designed for a /24 1:1 NETMAP
> >
> > Yes, please share off-list. I'll see if I can reproduce the problem.
> >
> >> basically it already has a config-switch to enforce iptables-nft
> >>
> >> FILE                    TOTAL  STRIPPED  SIZE
> >> tui.sh                   1653      1413   80K
> >> firewall.sh               984       738   57K
> >> shared.inc.sh             578       407   28K
> >> custom.inc.sh             355       112   13K
> >> config.inc.sh             193       113  6.2K
> >> update-blocked-feed.sh     68        32  4.1K
> >
> > Let's hope I don't have to read all of that. /o\
>
> to see the testing implemented please scroll to the bottom :-)
>
> that whole stuff lives in a demo-setup at home reacting slightly
> differently when $HOSTNAME is "firewall.vmware.local"
>
> surely, you can have the scripts alone but it's likely easier to get the
> ESXi started somehow and have a fully working network reflecting
> production just with different LAN/WAN ranges

Sorry, no thanks. If your setup is so complicated that you would rather send
me an image of the machine(s?) running it, you are in dire need of
simplifying things before I can help out. Assuming that 'firewall.sh' really
is 57KB in size, I'll probably have a hard time even making it do what it's
supposed to, let alone reproduce the problem.

Let's go another route: before and after switching from the legacy to the
nft backend, please collect the current ruleset by recording the output of:

- iptables-save
- ip6tables-save
- nft list ruleset
- ipset list

Cheers, Phil
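The snapshot-and-compare procedure Phil asks for, written out as an added POSIX sh example (this is not code from the thread or from the netfilter project). It assumes the four dump tools are installed on the firewall host and that it is run with enough privilege to read the rulesets; the `snapshot_rules`, `capture` and `compare_snapshots` function names and the `/var/tmp/fw-snap` default directory are this example's own choices. `iptables -V` is recorded too because, on iptables 1.8 and later, its output names the backend in use (`(legacy)` or `(nf_tables)`), which pins down which side of the switch each snapshot was taken on.

```shell
#!/bin/sh
# Added example: dump every ruleset view once per backend, then diff them.
# Usage on the firewall host:
#   snapshot_rules legacy        # while the legacy backend is active
#   ... switch to iptables-nft, re-run the firewall script ...
#   snapshot_rules nft
#   compare_snapshots /var/tmp/fw-snap/legacy /var/tmp/fw-snap/nft

# capture FILE CMD [ARGS...]: run CMD, writing stdout+stderr to FILE.
# A missing or failing tool is recorded in FILE instead of aborting the
# snapshot, so the remaining views are still collected.
capture() {
    out=$1; shift
    if command -v "$1" >/dev/null 2>&1; then
        "$@" > "$out" 2>&1 || printf '(%s exited with status %s)\n' "$*" "$?" >> "$out"
    else
        printf '(%s not installed on this host)\n' "$1" > "$out"
    fi
}

# snapshot_rules LABEL [BASEDIR]: write one file per view under BASEDIR/LABEL
# and print that directory. BASEDIR defaults to /var/tmp/fw-snap (assumed path).
snapshot_rules() {
    label=$1
    base=${2:-/var/tmp/fw-snap}
    dir="$base/$label"
    mkdir -p "$dir" || return 1
    capture "$dir/iptables-save.txt"    iptables-save
    capture "$dir/ip6tables-save.txt"   ip6tables-save
    capture "$dir/nft-ruleset.txt"      nft list ruleset
    capture "$dir/ipset-list.txt"       ipset list
    # Records which backend the iptables binary is ("(legacy)" or "(nf_tables)").
    capture "$dir/iptables-version.txt" iptables -V
    printf '%s\n' "$dir"
}

# compare_snapshots BEFORE AFTER: unified diff of every view captured under
# BEFORE against the same view under AFTER. Returns 0 only if nothing differs.
compare_snapshots() {
    before=$1; after=$2; changed=0
    for f in "$before"/*.txt; do
        name=${f##*/}
        if ! diff -u "$f" "$after/$name"; then
            changed=$((changed + 1))
        fi
    done
    echo "$changed view(s) differ between $before and $after"
    [ "$changed" -eq 0 ]
}
```

Run the first snapshot before touching the backend, the second right after the switch and the firewall script's own restore, then look at the diff of `nft-ruleset.txt` first: with the nft backend, the rules that `iptables-save` shows should also appear there under `table ip filter` and friends, and an empty or truncated nft listing next to a full `iptables-save` is the first thing to report back.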