Hi, in my old iptables setup I've used something like this in the FORWARD chain to allow traffic that has been redirected through DNAT beforehand (i.e. in the NAT PREROUTING table). iptables -A FORWARD -m conntrack --ctstate DNAT -j ACCEPT This way I don't have to specify rules twice, which is not only a massive overhead, but also prone to errors. Apparently nftables does not know anything about the "DNAT" and "SNAT" states. Is there a way to simulate something like this? Marking all packages that are redirected using DNAT in the nat table, and allowing all marked packages through in the forwarding chain, should work, shouldn't it? Is this in any way different to the iptables approach? Thanks! Best regards, Karol Babioch
Attachment:
signature.asc
Description: OpenPGP digital signature
