On Fri., Aug 4, 2017 at 6:51, J Doe <general@xxxxxxxxxxxxxxxxx> wrote:
> Hi,
> I am new to nftables and have been experimenting with the syntax. I
> am working on Ubuntu 16.04.3 LTS server with a kernel of 4.4.0. I
> have installed the nftables package and nft is version 0.5.
This is a very old version, you *will* encounter bugs that have been
fixed since and you will miss several new features. The current version
is 0.7 and I would even encourage anyone to attempt to use the latest
git if anything seems not to work as expected even in 0.7.
> My goal is to create two tables - one of protocol family ip and one
> of protocol family inet. To do so, I issued the following commands:
> $ sudo nft add table ip filter_ip
> $ sudo nft add table inet filter_inet
> I then create chains for inbound and outbound traffic:
> $ sudo nft add chain ip filter_ip input { type filter hook input priority 0 \; }
> $ sudo nft add chain ip filter_ip output { type filter hook output priority 0 \; }
> $ sudo nft add chain inet filter_inet input { type filter hook input priority 0 \; }
> $ sudo nft add chain inet filter_inet output { type filter hook output priority 0 \; }
> I then attempt to allow inbound and outbound traffic on the loop back
> interface:
> $ sudo nft add rule inet filter_inet input iif lo accept
> $ sudo nft add rule inet filter_inet output oif lo accept
> I then list the tables:
> $ sudo nft list tables
> table ip filter_ip
> table inet filter_inet
> But when I attempt to view the loop back rules in filter_inet, I get
> the following:
> $ sudo nft list table filter_inet
> <cmdline>:1:1-22: Error: Could not process rule: Table 'filter_inet' does not exist
In any command, when specifying a table that is not in the ip family,
you need to specify the family, just like you did in the add command.
Here, for example, you would use:
$ sudo nft list table inet filter_inet
You can also have multiple tables with the same name, if they don't
have the same family, so you could have named both your tables filter,
and distinguished between them using only the family:
$ sudo nft add table ip filter
$ sudo nft add table inet filter
$ sudo nft add chain ip filter input { type filter hook input priority 0 \; }
$ sudo nft add chain inet filter input { type filter hook input priority 0 \; }
etc.
A note: if you have an inet table, you probably don't need an ip table
as well, as you can specify the network protocol in specific rules in
the inet table by prefixing them with `meta nfproto ipv4` or `meta
nfproto ipv6` when needed, and not have to repeat common rules.
--
Anatole Denis
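As an added example (not part of the thread above), this script shows the approach from the note: a single inet table carrying the loopback rules for both IPv4 and IPv6, with `meta nfproto` only on the rules that are family-specific, plus the family-qualified list command the error was about. The table and chain names, the accepted services and the `apply` argument are assumptions.

```shell
#!/bin/sh
# Added example, not code from the original mail thread.
# One inet table replaces a parallel ip/ip6 pair: common rules are written
# once, and `meta nfproto` narrows a rule to IPv4 or IPv6 where it matters.

# Emit a complete ruleset in nft's file syntax (loadable with `nft -f -`).
# `flush ruleset` first so re-running the script is idempotent.
ruleset() {
    cat <<'EOF'
flush ruleset
table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        iif lo accept
        ct state established,related accept
        ct state invalid drop
        meta nfproto ipv4 icmp type echo-request accept
        meta nfproto ipv6 icmpv6 type { echo-request, nd-neighbor-solicit, nd-neighbor-advert } accept
        tcp dport 22 accept
    }
    chain output {
        type filter hook output priority 0; policy accept;
        oif lo accept
    }
}
EOF
}

# The list command must carry the family for any table outside the default
# ip family; `nft list table filter` alone would look for "ip filter".
list_cmd() {
    family=$1
    table=$2
    printf 'nft list table %s %s\n' "$family" "$table"
}

main() {
    ruleset
    list_cmd inet filter
    # Load into the kernel only when explicitly asked and nft is present
    # (needs root); otherwise the script just prints what it would apply.
    if [ "${1:-}" = apply ] && command -v nft >/dev/null 2>&1; then
        ruleset | nft -f -
    fi
}

main "$@"
```

Run it without arguments to review the generated ruleset and the list command; run it as `sh script.sh apply` (as root) to load the table.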
--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html