Re: Re: Re: Re: Re: Re: Re: Flowtable with ppp/bridge

On Mon, May 10, 2021 at 08:50:56AM +0200, Frank Wunderlich wrote:
> Hi
> 
> > Sent: Thursday, 06 May 2021 at 17:51
> > From: "Pablo Neira Ayuso" <pablo@xxxxxxxxxxxxx>
> 
> > > >    chain FORWARD {
> > > >         type filter hook forward priority 0; policy drop;
> > > >
> > > >         tcp flags syn tcp option maxseg size set rt mtu
> > > >         ct state vmap { established : jump FORWARD_established, related : jump FORWARD_established, new : jump FORWARD_new }
> 
> Tried it this way, seems to work so far; I only have a problem removing my ruleset with iptables (I have this to reset my complete firewall, not only nft).
> 
> iptables -X
> iptables v1.8.2 (nf_tables):  CHAIN_USER_DEL failed (Device or resource busy): chain FORWARD_known
> 
> I guess iptables cannot delete the chain because it is linked by the ct state vmap. Any idea?

In iptables, you have to flush a chain (-F) before you can delete it.

Anyway, once you have moved to nftables, it is better to use native
nftables commands to operate, such as:

 nft flush ruleset

> Is the order of the defined chains important? Maybe I can move the 2 new
> forward chains below the old one with "ct state vmap".

Not sure what you mean, could you provide an example?
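The "Device or resource busy" error above is the kernel refusing to delete a chain that is still the target of a jump (here, inside the ct state vmap). The following is an added example, not code from either participant in the thread: it parses a constructed `nft list ruleset` sample (table name "filter" and the bodies of the two user chains are assumptions; the FORWARD chain is the one quoted above) to show which chains are still referenced and therefore cannot be deleted, and prints the teardown order that works: flush rules first, then delete chains, or a single `nft flush ruleset`. Nothing in it touches the live firewall.

```shell
#!/bin/sh
# Added example for the thread above, not the participants' own code.
# Finds chains that are jump/goto targets (these cannot be deleted while
# the referencing rule exists) and prints the teardown order that works.

# Constructed sample of `nft list ruleset` output. The FORWARD chain is the
# one quoted in the thread; the table name and the two user chains' rule
# bodies are assumptions made for this example.
SAMPLE_RULESET='table ip filter {
	chain FORWARD_established {
		counter accept
	}
	chain FORWARD_new {
		tcp dport 22 accept
	}
	chain FORWARD {
		type filter hook forward priority 0; policy drop;
		tcp flags syn tcp option maxseg size set rt mtu
		ct state vmap { established : jump FORWARD_established, related : jump FORWARD_established, new : jump FORWARD_new }
	}
}'

# referenced_chains RULESET_TEXT
# Prints, sorted and deduplicated, every chain name that appears as the
# target of a jump or goto, including targets inside a vmap. Deleting any
# of these fails with EBUSY until the rule referencing it is flushed.
referenced_chains() {
    printf '%s\n' "$1" |
        grep -oE '(jump|goto) [A-Za-z0-9_]+' |
        awk '{print $2}' |
        sort -u
}

# can_delete RULESET_TEXT CHAIN
# Returns 0 if CHAIN is not a jump/goto target in the ruleset, 1 otherwise.
can_delete() {
    referenced_chains "$1" | grep -qx "$2" && return 1
    return 0
}

# teardown_commands MODE
# Prints the commands in the order that works: flush the rules first so
# nothing references the user chains any more, then delete the chains.
# MODE is "iptables" (iptables-nft, two steps) or "nft" (native, atomic).
teardown_commands() {
    case "$1" in
        iptables)
            printf '%s\n' 'iptables -F' 'iptables -X'
            ;;
        nft)
            printf '%s\n' 'nft flush ruleset'
            ;;
        *)
            return 2
            ;;
    esac
}

# Stand-alone usage: `sh thisfile.sh --demo` reports which chains in the
# sample are still referenced, then prints the iptables teardown sequence.
if [ "${1:-}" = "--demo" ]; then
    echo "Chains that cannot be deleted yet:"
    referenced_chains "$SAMPLE_RULESET"
    echo "Teardown order for iptables-nft:"
    teardown_commands iptables
fi
```

On a live system, replace the sample with `nft list ruleset` output; a chain listed by `referenced_chains` is exactly one that `iptables -X` or `nft delete chain` will refuse to remove until the referencing chain has been flushed.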


