Re: How can I block all traffic from an IP range, irrespective of origin, going to, or coming from, using nftables in Debian 10

Could someone please clarify RAW/MANGLE tables with regard to Nftables?

I could not find any details in the Nftables wiki specifically for RAW/MANGLE tables, while I find the Gentoo wiki for Nftables much friendlier: https://wiki.gentoo.org/wiki/Nftables#Tables

xxx
Tables: A table is nothing more than a container for your chains. With nftables there are no predefined tables (filter, raw, mangle...) anymore. You are free to recreate an iptables-like structure, but anything might do.

Currently there are 5 different families of tables: ip, ip6, arp, bridge, inet
xxx

My question is, since Nftables doesn't have predefined tables, just by naming a table "table inet raw", does it become a RAW table or not? If not, what do I have to do?

I thank you all so much.


For now I have added this to my nftables.conf

xxxxx
table inet raw {
        chain prerouting {
                type filter hook prerouting priority 0; policy accept;
                ip saddr 123.0.0.0/8 counter drop
        }
        chain output {
                type filter hook output priority 0; policy accept;
                ip daddr 123.0.0.0/8 counter reject
        }
}
xxxxx


‐‐‐‐‐‐‐ Original Message ‐‐‐‐‐‐‐
On Friday, October 4, 2019 3:10 PM, Reindl Harald <h.reindl@xxxxxxxxxxxxx> wrote:

> On 04.10.19 at 16:28, Jags wrote:
>
> > > not sure about nftables but with iptables i would just place the drop
> > > stuff for 123.0.0.0/8 in -t raw PREROUTING because it's before conntrack
> > > and consider placing it in an ipset for the case the list becomes longer
> > > because then you have only one rule and a lightning fast hash-lookup no
> > > matter how many entries
> >
> > Yes, I noticed CPU spikes, and removed drop/reject rules immediately. Thought I would re-enable these rules only when I run a torrent client.
> > So should I just add a new table "raw" (and place this table at the top):
> > xxxxxxxxx
> > table inet raw {
> >         chain prerouting {
> >                 type filter hook prerouting priority 0; policy accept;
> >                 ip saddr 123.0.0.0/8 counter drop
> >         }
> >         chain output {
> >                 type filter hook output priority 0; policy accept;
> >                 ip daddr 123.0.0.0/8 counter reject
> >         }
> > }
> > xxxxxxxxx
> > Now do I need POSTROUTING chain in there too?
> > From Gentoo wiki for Nftables: https://wiki.gentoo.org/wiki/Nftables#Tables
> > "postrouting: This hook comes after the routing decision has been made, all packets leaving the machine hit this hook"
>
> you don't need chains where you don't place rules
>
> disclaimer: i use iptables and plan to switch to iptables-nft over the
> long run, so nftables may have subtly different behavior
>
> however, it turned out to have way better performance for a big firewall
> setup to place as much as possible in "-t mangle PREROUTING" (ct state
> invalid) and "-t raw PREROUTING" because of less processing of packets
>
> not sure if "table inet raw" has the same semantics (before conntrack,
> before routing), but if it can have a postrouting hook i doubt it because
> that's not possible for "-t raw" in iptables given that in this table
> there is no routing decision possible
>
> look at the image to get a picture, i can't help with nftables itself
> https://stuffphilwrites.com/wp-content/uploads/2014/09/FW-IDS-iptables-Flowchart-v2019-04-30-1.png
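An added example, not code from either poster, showing the point at issue: in nftables the word "raw" in a table name confers nothing, the chain's hook and priority decide where it sits. Conntrack registers at priority -200 on prerouting and output, so a chain at -300 (the iptables raw position) sees packets before conntrack, and the prefix list lives in a named set as the single-rule lookup the reply suggests. The table name "blocklist" and set name "blocked" are assumptions; the prefix is the one from the thread.

```nft
#!/usr/sbin/nft -f
# Added example, not from either poster. Table and set names are assumed.
# Nothing about "raw" is inferred from the table name. What decides
# where a chain sits is its hook and priority: conntrack hooks at -200
# on prerouting and output, so -300 runs before it (iptables' raw table),
# -150 corresponds to mangle and 0 to filter. Newer nft also accepts the
# symbolic names raw, mangle and filter in place of the numbers.
table inet blocklist {
        # one named set instead of one rule per prefix: a single lookup
        # whose cost does not grow with the number of entries
        set blocked {
                type ipv4_addr
                flags interval
                elements = { 123.0.0.0/8 }
        }

        chain prerouting {
                # before conntrack, so dropped packets never create entries
                type filter hook prerouting priority -300; policy accept;
                ip saddr @blocked counter drop
        }

        chain output {
                # locally generated traffic to the blocked range
                type filter hook output priority -300; policy accept;
                ip daddr @blocked counter drop
        }
}
```

`nft -c -f <file>` parses and validates the file without loading it; after loading, `nft list ruleset` shows the chains with their priorities and the set contents.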
