Re: VPN nftables

On Thu, 10 Oct 2024, at 8:25 PM, Martin Brampton wrote:
> Thanks. Unfortunately that doesn't help.
>
> In fact, it seems that installing and configuring nftables destroys openvpn.

In your initial post, you describe your problem as not being able to access any services. That does not amount to a concrete description of a test case. Upon your peer being connected, what exactly have you tried where the outcome is not as expected? What were the diagnostic messages reported, if any? If you were to focus on - and detail - a particular scenario, it could make it easier for other readers to help you diagnose the underlying problem.

Additionally, you may find it beneficial to define a rule that enables the nftrace mode for packets of interest. That is, those that you suspect are being erroneously dropped. I usually do so in a prerouting hook. For example:

table inet filter {
    # Enclosing table added so the snippet loads as-is with "nft -f"; the
    # original message showed only the chain.
    chain prerouting {
        type filter hook prerouting priority raw; policy accept;

        # Trace any TCP packet arriving that is destined for port 22 at any host
        tcp dport 22 meta nftrace set 1
    }
}

You may then run "nft monitor trace" and observe the trajectory of the packet(s) through your ruleset in real time.

-- 
Kerin Millar
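As an added example, not part of Kerin's message or of the nftables project, the script below groups lines of "nft monitor trace" output by trace id and reports which chain and which rule or policy issued the terminating verdict, which is the question one usually wants answered after enabling nftrace. The line layout ("trace id <id> <family> <table> <chain> packet:|rule ...|verdict ...|policy ...") and the sample trace are constructed from memory of nft's output, so treat the exact field layout as an assumption.

```python
import re
from collections import defaultdict

# Per-line prefix printed by "nft monitor trace" (assumed layout, see lead-in).
PREFIX = re.compile(
    r"^trace id (?P<id>[0-9a-f]+) (?P<family>\S+) (?P<table>\S+) "
    r"(?P<chain>\S+) (?P<rest>.*)$"
)

def parse_trace(lines):
    """Group trace lines by id: the packet header plus ordered (chain, event, verdict) steps."""
    traces = defaultdict(lambda: {"packet": None, "steps": []})
    for line in lines:
        m = PREFIX.match(line.strip())
        if not m:
            continue
        t, rest = traces[m["id"]], m["rest"]
        chain = f"{m['family']} {m['table']} {m['chain']}"
        if rest.startswith("packet:"):
            t["packet"] = rest[len("packet:"):].strip()
        elif rest.startswith("rule "):
            rule, sep, verdict = rest[5:].rpartition(" (verdict ")
            if not sep:                      # rule line without a verdict suffix
                rule, verdict = verdict, "continue"
            t["steps"].append((chain, "rule " + rule, verdict.rstrip(")")))
        elif rest.startswith("verdict "):
            t["steps"].append((chain, "verdict", rest[8:]))
        elif rest.startswith("policy "):
            t["steps"].append((chain, "policy", rest[7:]))
    return dict(traces)

def final_verdict(trace):
    """Return (verdict, chain, event) for the last step that was not 'continue'."""
    for chain, event, verdict in reversed(trace["steps"]):
        if verdict != "continue":
            return verdict, chain, event
    return None

def diagnose(lines):
    return {tid: final_verdict(t) for tid, t in parse_trace(lines).items()}

# Constructed sample: a UDP/1194 (OpenVPN) packet is traced in prerouting, then
# hits a non-terminating counter rule in input and is dropped by that chain's policy.
SAMPLE = """\
trace id 3a1b2c ip filter prerouting packet: iif "eth0" ip saddr 203.0.113.5 ip daddr 198.51.100.10 ip protocol udp udp sport 51820 udp dport 1194
trace id 3a1b2c ip filter prerouting rule udp dport 1194 meta nftrace set 1 (verdict continue)
trace id 3a1b2c ip filter prerouting policy accept
trace id 3a1b2c ip filter input packet: iif "eth0" ip saddr 203.0.113.5 ip daddr 198.51.100.10 ip protocol udp udp sport 51820 udp dport 1194
trace id 3a1b2c ip filter input rule udp dport 1194 counter (verdict continue)
trace id 3a1b2c ip filter input policy drop
""".splitlines()

if __name__ == "__main__":
    for tid, (verdict, chain, event) in diagnose(SAMPLE).items():
        print(f"trace {tid}: {verdict} by {event} in chain {chain}")
```

Pipe real output in with "nft monitor trace | python3 script.py" after replacing SAMPLE with sys.stdin; the result for the constructed sample points at the input chain's drop policy, i.e. a missing accept rule for the VPN port.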
