[...]
> They are not supposed to be there.
>
>> Is this an error on my part? If so what?
>
> Run 'nft monitor' to figure out what adds them.

Thanks. If I clear the ruleset and wait, while watching 'nft monitor', I get the following.

# new generation 951 by process 4497 (nft)
add table ip filter
add chain ip filter INPUT { type filter hook input priority 0; policy accept; }
add chain ip filter FORWARD { type filter hook forward priority 0; policy accept; }
add chain ip filter OUTPUT { type filter hook output priority 0; policy accept; }
# new generation 952 by process 4510 (iptables)
# new generation 953 by process 4510 (iptables)
add table ip6 filter
add chain ip6 filter INPUT { type filter hook input priority 0; policy accept; }
add chain ip6 filter FORWARD { type filter hook forward priority 0; policy accept; }
add chain ip6 filter OUTPUT { type filter hook output priority 0; policy accept; }
# new generation 954 by process 4512 (ip6tables)
# new generation 955 by process 4512 (ip6tables)
# new generation 956 by process 4514 (iptables)
# new generation 957 by process 4514 (iptables)
# new generation 958 by process 4516 (ip6tables)
# new generation 959 by process 4516 (ip6tables)
... and so on ...

However, I can't seem to find anything obviously calling ip6tables; the processes are quite short-lived. Then I search for ip6tables in a script or (ugh) unit file, for example:

# grep -r ip6tables /lib/systemd/*
# grep -r ip6tables /etc/*

Both greps turn up nothing, but something is running and modifying nftables frequently. It's probably related to the distro, so I will dig into that if the cause is not already known.

/Lars
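The obstacle in the message above is that 'nft monitor' names the process that changed the ruleset, but an iptables/ip6tables invocation is gone before anyone can look at it. What usually survives is its parent. The script below is an added example, not part of the original thread or of the nftables project: it reads the 'nft monitor' stream, picks the PID out of each "new generation ... by process PID (name)" line, and immediately walks that PID's parent chain through /proc so the long-lived caller (a daemon, a timer-driven unit, a shell script) shows up even when the child itself is short-lived. It assumes Linux with /proc mounted and the monitor output format shown in the message; the function names and the 'run' argument are this example's own.

```shell
#!/bin/sh
# Added example (not from the original thread): trace 'nft monitor'
# generation changes back to the parent process of the short-lived
# iptables/ip6tables invocation. Assumes Linux with /proc mounted.

# Extract "PID name" from a monitor line of the form
#   "# new generation 952 by process 4510 (iptables)"
# Prints nothing for any other line (e.g. "add table ip6 filter").
parse_generation_line() {
    printf '%s\n' "$1" |
        sed -n 's/^# new generation [0-9]* by process \([0-9]*\) (\(.*\))$/\1 \2/p'
}

# Print "pid<TAB>comm<TAB>cmdline" for the given PID and each ancestor
# up to (but not including) PID 1. Stops early if the process has
# already exited and its /proc entry is gone, which is exactly the race
# this script is trying to beat; the parent is normally still there.
ancestry() {
    anc_pid=$1
    while [ "$anc_pid" -gt 1 ] 2>/dev/null && [ -r "/proc/$anc_pid/status" ]; do
        anc_comm=$(sed -n 's/^Name:[[:space:]]*//p' "/proc/$anc_pid/status")
        anc_ppid=$(sed -n 's/^PPid:[[:space:]]*//p' "/proc/$anc_pid/status")
        anc_cmd=$(tr '\0' ' ' < "/proc/$anc_pid/cmdline" 2>/dev/null)
        printf '%s\t%s\t%s\n' "$anc_pid" "$anc_comm" "$anc_cmd"
        anc_pid=$anc_ppid
    done
}

# Follow the live monitor stream; for every generation change, print the
# responsible PID, its name as reported by nft, and its parent chain.
monitor_and_trace() {
    nft monitor 2>&1 | while IFS= read -r line; do
        # shellcheck disable=SC2046  # word-splitting into $1 (pid) $2 (name) is intended
        set -- $(parse_generation_line "$line")
        [ $# -ge 2 ] || continue
        printf '== generation change by pid %s (%s) ==\n' "$1" "$2"
        ancestry "$1"
    done
}

# Only start the monitor when explicitly asked, so the functions above
# can also be sourced and used on their own:  sh trace-nft.sh run
case "${1:-}" in
    run) monitor_and_trace ;;
esac
```

Run it as root ('nft monitor' needs netlink access to the nf_tables subsystem) while the ruleset is being rewritten; the first line of each ancestry block is the iptables/ip6tables child, the following lines are what spawned it. The lookup is still racy: if the child has already exited when the line arrives, only the "== generation change ==" header is printed, and re-running with the parent's PID from an earlier hit (or grepping the parent's cmdline once it is known) is the next step. Note also that the PID nft reports is the compat binary that issued the netlink batch, so a script that wraps iptables will always appear one level up the chain, never in the monitor line itself.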