On 22.06.20 at 17:44, Phil Sutter wrote:
> Sorry, no thanks. If your setup is so complicated you rather send me an
> image of the machine(s?) running it, you're in dire need to simplify
> things in order to prepare for me helping out. Assuming that
> 'firewall.sh' is also really 57KB in size, I'll probably have a hard
> time even making it do what it's supposed to, let alone reproduce the
> problem.

yeah, it's a corporate firewall with DoS protection, portscan triggers and a ton of fancy stuff ending in 270 rules which are 100% needed (most are chains that log something with -m limit and now do something using nflog/ulogd)

> Let's go another route: Before and after switching from legacy to nft
> backend, please collect the current ruleset by recording the output of:
>
> - iptables-save
> - ip6tables-save
> - nft list ruleset
> - ipset list

*good news*

with xtables-save v1.8.3 on Fedora 31, other than at the last try, after the switch to ip(6)tables-nft-(restore) and a reboot the network now seems to work properly

not only that: ssh behind an ipset rule now works, and also my "test.php" confirms that ratelimits, the portscan trigger and the NAT are working

the iptables-legacy layer is for sure empty after reboot

-------------------------------

but what is the replacement for iterating "/proc/net/ip_tables_names" and "/proc/net/ip6_tables_names" in case "iptables-nft" is in use? that is not only used for reset but also in several places for status counters and displaying rulesets in "-t filter", "-t mangle" and "-t raw"

-------------------------------

missing that explains why everything is falling to pieces and adding things which are supposed to be no longer there fails

$IPTABLES here is a macro within my application

# flush and delete every chain in every table the kernel reports as present
for TABLE in $(<'/proc/net/ip_tables_names'); do
  hlp_rule_ipv4 "$IPTABLES -t $TABLE -F"
  hlp_rule_ipv4 "$IPTABLES -t $TABLE -X"
done

# same for IPv6, only when the IPv6 part of the firewall is loaded
if [ "$IPV6_LOADED" == 1 ]; then
  for TABLE in $(<'/proc/net/ip6_tables_names'); do
    hlp_rule_ipv6 "$IPTABLES -t $TABLE -F"
    hlp_rule_ipv6 "$IPTABLES -t $TABLE -X"
  done
fi
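An added example, not from this thread and not from the firewall script discussed in it, showing one backend-independent way to get the list of tables that actually exist: "/proc/net/ip_tables_names" is only populated by the legacy x_tables modules, but both iptables-legacy and iptables-nft print one "*name" header line per present table in their iptables-save / ip6tables-save output, so that output can drive the same -F/-X loop when the proc file is absent or empty. The function names, the IPTABLES_SAVE / IP6TABLES_SAVE override variables and the sample save output are assumptions made here; the sample is constructed, not captured from a real host.

```shell
#!/bin/sh
# Added example (not from the thread): enumerate the iptables tables that
# really exist, whether the legacy or the nft backend is in use.

# tables_from_save: read iptables-save / ip6tables-save output on stdin and
# print one table name per line, taken from the "*filter", "*nat", ... header
# lines that both backends emit. Rules, chains and comments are ignored.
tables_from_save() {
    sed -n 's/^\*\([a-z]*\)$/\1/p'
}

# list_tables FAMILY: FAMILY is "ipv4" or "ipv6". Uses the proc file when the
# legacy backend populated it, otherwise falls back to parsing the save output
# (with iptables-nft the proc file is empty or missing, but the save output
# still lists every table present in the nftables ruleset).
# The *_SAVE variables are assumed names for overriding the save command.
list_tables() {
    case "$1" in
        ipv4) proc=/proc/net/ip_tables_names;  save=${IPTABLES_SAVE:-iptables-save} ;;
        ipv6) proc=/proc/net/ip6_tables_names; save=${IP6TABLES_SAVE:-ip6tables-save} ;;
        *) echo "usage: list_tables ipv4|ipv6" >&2; return 1 ;;
    esac
    if [ -s "$proc" ]; then
        cat "$proc"
    else
        "$save" 2>/dev/null | tables_from_save
    fi
}

# flush_all FAMILY: the reset loop from the mail, driven by list_tables so it
# only touches tables that exist and works under either backend. Needs root.
flush_all() {
    case "$1" in
        ipv4) cmd=${IPTABLES:-iptables} ;;
        ipv6) cmd=${IP6TABLES:-ip6tables} ;;
        *) echo "usage: flush_all ipv4|ipv6" >&2; return 1 ;;
    esac
    for TABLE in $(list_tables "$1"); do
        "$cmd" -t "$TABLE" -F
        "$cmd" -t "$TABLE" -X
    done
}

# Constructed sample of iptables-save output for a host with three tables
# (raw, filter, nat); no mangle table exists, so it must not be reported.
SAMPLE_SAVE='# Generated by iptables-save v1.8.3 (constructed sample)
*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
COMMIT
*filter
:INPUT DROP [0:0]
:FORWARD DROP [0:0]
:OUTPUT ACCEPT [0:0]
-A INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
COMMIT
*nat
:PREROUTING ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
COMMIT
# Completed'

# sample_tables: run the parser over the constructed sample (offline demo).
sample_tables() {
    printf '%s\n' "$SAMPLE_SAVE" | tables_from_save
}

# Stand-alone demo: prints "raw", "filter", "nat" on separate lines.
sample_tables
```

In the firewall script, replacing "$(<'/proc/net/ip_tables_names')" with "$(list_tables ipv4)" (and the ip6 variant with "$(list_tables ipv6)") keeps the reset, status-counter and "-t filter/mangle/raw" display loops working after the switch to iptables-nft, without hard-coding a table list that may not match what is actually loaded.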