iptables: switch from iptables-legacy to iptables-nftables-compat #81172
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
|
This is how it looks like on my NAS: % iptables-save
# Generated by iptables-save v1.8.4 on Fri Feb 28 14:46:29 2020
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:nixos-fw-accept - [0:0]
:nixos-fw-refuse - [0:0]
:nixos-fw-log-refuse - [0:0]
:nixos-fw - [0:0]
:DOCKER - [0:0]
:DOCKER-ISOLATION-STAGE-1 - [0:0]
:DOCKER-ISOLATION-STAGE-2 - [0:0]
:DOCKER-USER - [0:0]
-A INPUT -s X.X.X.X/32 -p tcp -m tcp --dport 6600 -j ACCEPT
-A INPUT -s X.X.X.X/32 -p tcp -m tcp --dport 6600 -j ACCEPT
-A INPUT -s X.X.X.X/32 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -s X.X.X.X/32 -p tcp -m tcp --dport 22 -j ACCEPT
-A INPUT -j nixos-fw
-A FORWARD -j DOCKER-USER
-A FORWARD -j DOCKER-ISOLATION-STAGE-1
-A FORWARD -o docker0 -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
-A FORWARD -o docker0 -j DOCKER
-A FORWARD -i docker0 ! -o docker0 -j ACCEPT
-A FORWARD -i docker0 -o docker0 -j ACCEPT
-A nixos-fw-accept -j ACCEPT
-A nixos-fw-refuse -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -j REJECT --reject-with tcp-reset
-A nixos-fw-refuse -j REJECT --reject-with icmp-port-unreachable
-A nixos-fw-log-refuse -m pkttype ! --pkt-type unicast -j nixos-fw-refuse
-A nixos-fw-log-refuse -j nixos-fw-refuse
-A nixos-fw -i docker0 -j nixos-fw-accept
-A nixos-fw -i docker0 -j nixos-fw-accept
-A nixos-fw -i ztuze5qw7u -j nixos-fw-accept
-A nixos-fw -i wg0 -j nixos-fw-accept
-A nixos-fw -i lo -j nixos-fw-accept
-A nixos-fw -m conntrack --ctstate RELATED,ESTABLISHED -j nixos-fw-accept
-A nixos-fw -p tcp -m tcp --dport 25565 -j nixos-fw-accept
-A nixos-fw -p tcp -m tcp --dport 37031 -j nixos-fw-accept
-A nixos-fw -p udp -m udp --dport 9993 -j nixos-fw-accept
-A nixos-fw -p udp -m udp --dport 25565 -j nixos-fw-accept
-A nixos-fw -p udp -m udp --dport 37031 -j nixos-fw-accept
-A nixos-fw -p udp -m udp --dport 51820 -j nixos-fw-accept
-A nixos-fw -p icmp -m icmp --icmp-type 8 -j nixos-fw-accept
-A nixos-fw -j nixos-fw-log-refuse
-A DOCKER-ISOLATION-STAGE-1 -i docker0 ! -o docker0 -j DOCKER-ISOLATION-STAGE-2
-A DOCKER-ISOLATION-STAGE-1 -j RETURN
-A DOCKER-ISOLATION-STAGE-2 -o docker0 -j DROP
-A DOCKER-ISOLATION-STAGE-2 -j RETURN
-A DOCKER-USER -j RETURN
COMMIT
# Completed on Fri Feb 28 14:46:29 2020
# Generated by iptables-save v1.8.4 on Fri Feb 28 14:46:29 2020
*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:nixos-fw-rpfilter - [0:0]
-A PREROUTING -j nixos-fw-rpfilter
-A nixos-fw-rpfilter -m rpfilter --validmark -j RETURN
-A nixos-fw-rpfilter -p udp -m udp --sport 67 --dport 68 -j RETURN
-A nixos-fw-rpfilter -s 0.0.0.0/32 -d 255.255.255.255/32 -p udp -m udp --sport 68 --dport 67 -j RETURN
-A nixos-fw-rpfilter -j DROP
COMMIT
# Completed on Fri Feb 28 14:46:29 2020
# Generated by iptables-save v1.8.4 on Fri Feb 28 14:46:29 2020
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:nixos-nat-pre - [0:0]
:nixos-nat-post - [0:0]
:nixos-nat-out - [0:0]
:DOCKER - [0:0]
-A PREROUTING -j nixos-nat-pre
-A PREROUTING -m addrtype --dst-type LOCAL -j DOCKER
-A POSTROUTING -s 172.17.0.0/16 ! -o docker0 -j MASQUERADE
-A POSTROUTING -j nixos-nat-post
-A OUTPUT -j nixos-nat-out
-A OUTPUT ! -d 127.0.0.0/8 -m addrtype --dst-type LOCAL -j DOCKER
-A nixos-nat-pre -i wg0 -j MARK --set-xmark 0x1/0xffffffff
-A nixos-nat-post -m mark --mark 0x1 -j MASQUERADE
-A nixos-nat-post -s 10.100.0.0/24 -j MASQUERADE
-A DOCKER -i docker0 -j RETURN
COMMIT
# Completed on Fri Feb 28 14:46:29 2020
% ip6tables-save
# Generated by ip6tables-save v1.8.4 on Fri Feb 28 14:46:35 2020
*filter
:INPUT ACCEPT [0:0]
:FORWARD ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:nixos-fw-accept - [0:0]
:nixos-fw-refuse - [0:0]
:nixos-fw-log-refuse - [0:0]
:nixos-fw - [0:0]
-A INPUT -j nixos-fw
-A nixos-fw-accept -j ACCEPT
-A nixos-fw-refuse -p tcp -m tcp ! --tcp-flags FIN,SYN,RST,ACK SYN -j REJECT --reject-with tcp-reset
-A nixos-fw-refuse -j REJECT --reject-with icmp6-port-unreachable
-A nixos-fw-log-refuse -m pkttype ! --pkt-type unicast -j nixos-fw-refuse
-A nixos-fw-log-refuse -j nixos-fw-refuse
-A nixos-fw -i docker0 -j nixos-fw-accept
-A nixos-fw -i docker0 -j nixos-fw-accept
-A nixos-fw -i ztuze5qw7u -j nixos-fw-accept
-A nixos-fw -i wg0 -j nixos-fw-accept
-A nixos-fw -i lo -j nixos-fw-accept
-A nixos-fw -m conntrack --ctstate RELATED,ESTABLISHED -j nixos-fw-accept
-A nixos-fw -p tcp -m tcp --dport 25565 -j nixos-fw-accept
-A nixos-fw -p tcp -m tcp --dport 37031 -j nixos-fw-accept
-A nixos-fw -p udp -m udp --dport 9993 -j nixos-fw-accept
-A nixos-fw -p udp -m udp --dport 25565 -j nixos-fw-accept
-A nixos-fw -p udp -m udp --dport 37031 -j nixos-fw-accept
-A nixos-fw -p udp -m udp --dport 51820 -j nixos-fw-accept
-A nixos-fw -p ipv6-icmp -m icmp6 --icmpv6-type 137 -j DROP
-A nixos-fw -p ipv6-icmp -m icmp6 --icmpv6-type 139 -j DROP
-A nixos-fw -p ipv6-icmp -j nixos-fw-accept
-A nixos-fw -d fe80::/64 -p udp -m udp --dport 546 -j nixos-fw-accept
-A nixos-fw -j nixos-fw-log-refuse
COMMIT
# Completed on Fri Feb 28 14:46:35 2020
# Generated by ip6tables-save v1.8.4 on Fri Feb 28 14:46:35 2020
*raw
:PREROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:nixos-fw-rpfilter - [0:0]
-A PREROUTING -j nixos-fw-rpfilter
-A nixos-fw-rpfilter -m rpfilter --validmark -j RETURN
-A nixos-fw-rpfilter -j DROP
COMMIT
# Completed on Fri Feb 28 14:46:35 2020
# Generated by ip6tables-save v1.8.4 on Fri Feb 28 14:46:35 2020
*nat
:PREROUTING ACCEPT [0:0]
:INPUT ACCEPT [0:0]
:POSTROUTING ACCEPT [0:0]
:OUTPUT ACCEPT [0:0]
:nixos-nat-pre - [0:0]
:nixos-nat-post - [0:0]
:nixos-nat-out - [0:0]
-A PREROUTING -j nixos-nat-pre
-A POSTROUTING -j nixos-nat-post
-A OUTPUT -j nixos-nat-out
COMMIT
# Completed on Fri Feb 28 14:46:35 2020
% nft list ruleset
table ip filter {
chain INPUT {
type filter hook input priority filter; policy accept;
meta l4proto tcp ip saddr X.X.X.X # xt_tcp counter packets 0 bytes 0 accept
meta l4proto tcp ip saddr X.X.X.X # xt_tcp counter packets 0 bytes 0 accept
meta l4proto tcp ip saddr X.X.X.X # xt_tcp counter packets 0 bytes 0 accept
meta l4proto tcp ip saddr X.X.X.X # xt_tcp counter packets 0 bytes 0 accept
counter packets 3731 bytes 448421 jump nixos-fw
}
chain FORWARD {
type filter hook forward priority filter; policy accept;
counter packets 0 bytes 0 jump DOCKER-USER
counter packets 0 bytes 0 jump DOCKER-ISOLATION-STAGE-1
oifname "docker0" # xt_conntrack counter packets 0 bytes 0 accept
oifname "docker0" counter packets 0 bytes 0 jump DOCKER
iifname "docker0" oifname != "docker0" counter packets 0 bytes 0 accept
iifname "docker0" oifname "docker0" counter packets 0 bytes 0 accept
}
chain OUTPUT {
type filter hook output priority filter; policy accept;
}
chain nixos-fw-accept {
counter packets 3602 bytes 428635 accept
}
chain nixos-fw-refuse {
meta l4proto tcp # xt_tcp counter packets 5 bytes 200 # xt_REJECT
counter packets 124 bytes 19586 # xt_REJECT
}
chain nixos-fw-log-refuse {
# xt_pkttype counter packets 45 bytes 6295 jump nixos-fw-refuse
counter packets 84 bytes 13491 jump nixos-fw-refuse
}
chain nixos-fw {
iifname "docker0" counter packets 0 bytes 0 jump nixos-fw-accept
iifname "docker0" counter packets 0 bytes 0 jump nixos-fw-accept
iifname "ztuze5qw7u" counter packets 60 bytes 3600 jump nixos-fw-accept
iifname "wg0" counter packets 0 bytes 0 jump nixos-fw-accept
iifname "lo" counter packets 285 bytes 29689 jump nixos-fw-accept
# xt_conntrack counter packets 1749 bytes 273556 jump nixos-fw-accept
meta l4proto tcp # xt_tcp counter packets 0 bytes 0 jump nixos-fw-accept
meta l4proto tcp # xt_tcp counter packets 671 bytes 35032 jump nixos-fw-accept
meta l4proto udp # xt_udp counter packets 4 bytes 602 jump nixos-fw-accept
meta l4proto udp # xt_udp counter packets 0 bytes 0 jump nixos-fw-accept
meta l4proto udp # xt_udp counter packets 832 bytes 86072 jump nixos-fw-accept
meta l4proto udp # xt_udp counter packets 0 bytes 0 jump nixos-fw-accept
meta l4proto icmp # xt_icmp counter packets 1 bytes 84 jump nixos-fw-accept
counter packets 129 bytes 19786 jump nixos-fw-log-refuse
}
chain DOCKER {
}
chain DOCKER-ISOLATION-STAGE-1 {
iifname "docker0" oifname != "docker0" counter packets 0 bytes 0 jump DOCKER-ISOLATION-STAGE-2
counter packets 0 bytes 0 return
}
chain DOCKER-ISOLATION-STAGE-2 {
oifname "docker0" counter packets 0 bytes 0 drop
counter packets 0 bytes 0 return
}
chain DOCKER-USER {
counter packets 0 bytes 0 return
}
}
table ip6 filter {
chain INPUT {
type filter hook input priority filter; policy accept;
counter packets 1555 bytes 118695 jump nixos-fw
}
chain FORWARD {
type filter hook forward priority filter; policy accept;
}
chain OUTPUT {
type filter hook output priority filter; policy accept;
}
chain nixos-fw-accept {
counter packets 1555 bytes 118695 accept
}
chain nixos-fw-refuse {
meta l4proto tcp # xt_tcp counter packets 0 bytes 0 # xt_REJECT
counter packets 0 bytes 0 # xt_REJECT
}
chain nixos-fw-log-refuse {
# xt_pkttype counter packets 0 bytes 0 jump nixos-fw-refuse
counter packets 0 bytes 0 jump nixos-fw-refuse
}
chain nixos-fw {
iifname "docker0" counter packets 0 bytes 0 jump nixos-fw-accept
iifname "docker0" counter packets 0 bytes 0 jump nixos-fw-accept
iifname "ztuze5qw7u" counter packets 1435 bytes 110239 jump nixos-fw-accept
iifname "wg0" counter packets 0 bytes 0 jump nixos-fw-accept
iifname "lo" counter packets 120 bytes 8456 jump nixos-fw-accept
# xt_conntrack counter packets 0 bytes 0 jump nixos-fw-accept
meta l4proto tcp # xt_tcp counter packets 0 bytes 0 jump nixos-fw-accept
meta l4proto tcp # xt_tcp counter packets 0 bytes 0 jump nixos-fw-accept
meta l4proto udp # xt_udp counter packets 0 bytes 0 jump nixos-fw-accept
meta l4proto udp # xt_udp counter packets 0 bytes 0 jump nixos-fw-accept
meta l4proto udp # xt_udp counter packets 0 bytes 0 jump nixos-fw-accept
meta l4proto udp # xt_udp counter packets 0 bytes 0 jump nixos-fw-accept
meta l4proto ipv6-icmp # xt_icmp6 counter packets 0 bytes 0 drop
meta l4proto ipv6-icmp # xt_icmp6 counter packets 0 bytes 0 drop
meta l4proto ipv6-icmp counter packets 0 bytes 0 jump nixos-fw-accept
meta l4proto udp ip6 daddr fe80::/64 # xt_udp counter packets 0 bytes 0 jump nixos-fw-accept
counter packets 0 bytes 0 jump nixos-fw-log-refuse
}
}
table ip raw {
chain PREROUTING {
type filter hook prerouting priority raw; policy accept;
counter packets 3780 bytes 454717 jump nixos-fw-rpfilter
}
chain OUTPUT {
type filter hook output priority raw; policy accept;
}
chain nixos-fw-rpfilter {
# xt_rpfilter counter packets 3776 bytes 454040 return
meta l4proto udp # xt_udp counter packets 0 bytes 0 return
meta l4proto udp ip saddr 0.0.0.0 ip daddr 255.255.255.255 # xt_udp counter packets 0 bytes 0 return
counter packets 4 bytes 677 drop
}
}
table ip6 raw {
chain PREROUTING {
type filter hook prerouting priority raw; policy accept;
counter packets 1555 bytes 118695 jump nixos-fw-rpfilter
}
chain OUTPUT {
type filter hook output priority raw; policy accept;
}
chain nixos-fw-rpfilter {
# xt_rpfilter counter packets 1555 bytes 118695 return
counter packets 0 bytes 0 drop
}
}
table ip nat {
chain PREROUTING {
type nat hook prerouting priority dstnat; policy accept;
counter packets 1423 bytes 121656 jump nixos-nat-pre
# xt_addrtype counter packets 675 bytes 51804 jump DOCKER
}
chain INPUT {
type nat hook input priority 100; policy accept;
}
chain POSTROUTING {
type nat hook postrouting priority srcnat; policy accept;
oifname != "docker0" ip saddr 172.17.0.0/16 counter packets 0 bytes 0 # xt_MASQUERADE
counter packets 271 bytes 25574 jump nixos-nat-post
}
chain OUTPUT {
type nat hook output priority -100; policy accept;
counter packets 271 bytes 25574 jump nixos-nat-out
ip daddr != 127.0.0.0/8 # xt_addrtype counter packets 0 bytes 0 jump DOCKER
}
chain nixos-nat-pre {
iifname "wg0" counter packets 0 bytes 0 # xt_MARK
}
chain nixos-nat-post {
# xt_mark counter packets 0 bytes 0 # xt_MASQUERADE
ip saddr 10.100.0.0/24 counter packets 21 bytes 3465 # xt_MASQUERADE
}
chain nixos-nat-out {
}
chain DOCKER {
iifname "docker0" counter packets 0 bytes 0 return
}
}
table ip6 nat {
chain PREROUTING {
type nat hook prerouting priority dstnat; policy accept;
counter packets 61 bytes 4960 jump nixos-nat-pre
}
chain INPUT {
type nat hook input priority 100; policy accept;
}
chain POSTROUTING {
type nat hook postrouting priority srcnat; policy accept;
counter packets 61 bytes 4840 jump nixos-nat-post
}
chain OUTPUT {
type nat hook output priority -100; policy accept;
counter packets 61 bytes 4840 jump nixos-nat-out
}
chain nixos-nat-pre {
}
chain nixos-nat-post {
}
chain nixos-nat-out {
}
}Note that some entries is not displayed correctly. |
|
% nft list ruleset
table ip filter {
chain INPUT {
type filter hook input priority filter; policy accept;
meta l4proto tcp ip saddr X.X.X.X tcp dport 6600 counter packets 0 bytes 0 accept
meta l4proto tcp ip saddr X.X.X.X tcp dport 6600 counter packets 947 bytes 72714 accept
meta l4proto tcp ip saddr X.X.X.X tcp dport 22 counter packets 0 bytes 0 accept
meta l4proto tcp ip saddr X.X.X.X tcp dport 22 counter packets 0 bytes 0 accept
counter packets 105754692 bytes 7736336680 jump nixos-fw
}
chain FORWARD {
type filter hook forward priority filter; policy accept;
counter packets 635548 bytes 558895063 jump DOCKER-USER
counter packets 635548 bytes 558895063 jump DOCKER-ISOLATION-STAGE-1
oifname "docker0" ct state related,established counter packets 237579 bytes 345586224 accept
oifname "docker0" counter packets 0 bytes 0 jump DOCKER
iifname "docker0" oifname != "docker0" counter packets 153745 bytes 21586807 accept
iifname "docker0" oifname "docker0" counter packets 0 bytes 0 accept
}
chain OUTPUT {
type filter hook output priority filter; policy accept;
}
chain nixos-fw-accept {
counter packets 105587858 bytes 7722170131 accept
}
chain nixos-fw-refuse {
meta l4proto tcp tcp flags & (fin|syn|rst|ack) != syn counter packets 19533 bytes 1354709 reject with tcp reset
counter packets 147301 bytes 12811840 reject
}
chain nixos-fw-log-refuse {
pkttype != unicast counter packets 53770 bytes 7484137 jump nixos-fw-refuse
counter packets 113064 bytes 6682412 jump nixos-fw-refuse
}
chain nixos-fw {
iifname "docker0" counter packets 739 bytes 47466 jump nixos-fw-accept
iifname "docker0" counter packets 0 bytes 0 jump nixos-fw-accept
iifname "ztuze5qw7u" counter packets 1811581 bytes 95121262 jump nixos-fw-accept
iifname "wg0" counter packets 0 bytes 0 jump nixos-fw-accept
iifname "lo" counter packets 326853 bytes 51586185 jump nixos-fw-accept
ct state related,established counter packets 102619721 bytes 7501147392 jump nixos-fw-accept
meta l4proto tcp tcp dport 25565 counter packets 0 bytes 0 jump nixos-fw-accept
meta l4proto tcp tcp dport 37031 counter packets 231280 bytes 12622792 jump nixos-fw-accept
meta l4proto udp udp dport 9993 counter packets 2202 bytes 130465 jump nixos-fw-accept
meta l4proto udp udp dport 25565 counter packets 0 bytes 0 jump nixos-fw-accept
meta l4proto udp udp dport 37031 counter packets 594480 bytes 61452711 jump nixos-fw-accept
meta l4proto udp udp dport 51820 counter packets 5 bytes 1044 jump nixos-fw-accept
meta l4proto icmp icmp type echo-request counter packets 997 bytes 60814 jump nixos-fw-accept
counter packets 166834 bytes 14166549 jump nixos-fw-log-refuse
}
chain DOCKER {
}
chain DOCKER-ISOLATION-STAGE-1 {
iifname "docker0" oifname != "docker0" counter packets 153745 bytes 21586807 jump DOCKER-ISOLATION-STAGE-2
counter packets 635548 bytes 558895063 return
}
chain DOCKER-ISOLATION-STAGE-2 {
oifname "docker0" counter packets 0 bytes 0 drop
counter packets 153745 bytes 21586807 return
}
chain DOCKER-USER {
counter packets 635548 bytes 558895063 return
}
}
table ip6 filter {
chain INPUT {
type filter hook input priority filter; policy accept;
counter packets 3938252 bytes 823985400 jump nixos-fw
}
chain FORWARD {
type filter hook forward priority filter; policy accept;
}
chain OUTPUT {
type filter hook output priority filter; policy accept;
}
chain nixos-fw-accept {
counter packets 3938239 bytes 823984620 accept
}
chain nixos-fw-refuse {
meta l4proto tcp tcp flags & (fin|syn|rst|ack) != syn counter packets 13 bytes 780 reject with tcp reset
counter packets 0 bytes 0 reject
}
chain nixos-fw-log-refuse {
pkttype != unicast counter packets 0 bytes 0 jump nixos-fw-refuse
counter packets 13 bytes 780 jump nixos-fw-refuse
}
chain nixos-fw {
iifname "docker0" counter packets 0 bytes 0 jump nixos-fw-accept
iifname "docker0" counter packets 0 bytes 0 jump nixos-fw-accept
iifname "ztuze5qw7u" counter packets 1548445 bytes 111985631 jump nixos-fw-accept
iifname "wg0" counter packets 0 bytes 0 jump nixos-fw-accept
iifname "lo" counter packets 120 bytes 8456 jump nixos-fw-accept
ct state related,established counter packets 2389674 bytes 711990533 jump nixos-fw-accept
meta l4proto tcp tcp dport 25565 counter packets 0 bytes 0 jump nixos-fw-accept
meta l4proto tcp tcp dport 37031 counter packets 0 bytes 0 jump nixos-fw-accept
meta l4proto udp udp dport 9993 counter packets 0 bytes 0 jump nixos-fw-accept
meta l4proto udp udp dport 25565 counter packets 0 bytes 0 jump nixos-fw-accept
meta l4proto udp udp dport 37031 counter packets 0 bytes 0 jump nixos-fw-accept
meta l4proto udp udp dport 51820 counter packets 0 bytes 0 jump nixos-fw-accept
meta l4proto ipv6-icmp icmpv6 type nd-redirect counter packets 0 bytes 0 drop
meta l4proto ipv6-icmp icmpv6 type counter packets 0 bytes 0 drop
meta l4proto ipv6-icmp counter packets 0 bytes 0 jump nixos-fw-accept
meta l4proto udp ip6 daddr fe80::/64 udp dport 546 counter packets 0 bytes 0 jump nixos-fw-accept
counter packets 13 bytes 780 jump nixos-fw-log-refuse
}
}
table ip raw {
chain PREROUTING {
type filter hook prerouting priority raw; policy accept;
counter packets 106472347 bytes 8304773729 jump nixos-fw-rpfilter
}
chain OUTPUT {
type filter hook output priority raw; policy accept;
}
chain nixos-fw-rpfilter {
fib saddr . mark . iif oif != 0 counter packets 106460273 bytes 8303018760 return
meta l4proto udp udp sport 67 udp dport 68 counter packets 0 bytes 0 return
meta l4proto udp ip saddr 0.0.0.0 ip daddr 255.255.255.255 udp sport 68 udp dport 67 counter packets 0 bytes 0 return
counter packets 12074 bytes 1754969 drop
}
}
table ip6 raw {
chain PREROUTING {
type filter hook prerouting priority raw; policy accept;
counter packets 3938252 bytes 823985400 jump nixos-fw-rpfilter
}
chain OUTPUT {
type filter hook output priority raw; policy accept;
}
chain nixos-fw-rpfilter {
fib saddr . mark . iif oif != 0 counter packets 3938252 bytes 823985400 return
counter packets 0 bytes 0 drop
}
}
table ip nat {
chain PREROUTING {
type nat hook prerouting priority dstnat; policy accept;
counter packets 919831 bytes 86687828 jump nixos-nat-pre
fib daddr type local counter packets 794253 bytes 71267200 jump DOCKER
}
chain INPUT {
type nat hook input priority 100; policy accept;
}
chain POSTROUTING {
type nat hook postrouting priority srcnat; policy accept;
oifname != "docker0" ip saddr 172.17.0.0/16 counter packets 6475 bytes 375721 masquerade
counter packets 738425 bytes 69618796 jump nixos-nat-post
}
chain OUTPUT {
type nat hook output priority -100; policy accept;
counter packets 742600 bytes 69808184 jump nixos-nat-out
ip daddr != 127.0.0.0/8 fib daddr type local counter packets 22087 bytes 1262082 jump DOCKER
}
chain nixos-nat-pre {
iifname "wg0" counter packets 1235 bytes 116346 meta mark set 0x1
}
chain nixos-nat-post {
mark 0x1 counter packets 1235 bytes 116346 masquerade
ip saddr 10.100.0.0/24 counter packets 33514 bytes 3395481 masquerade
}
chain nixos-nat-out {
}
chain DOCKER {
iifname "docker0" counter packets 47 bytes 2820 return
}
}
table ip6 nat {
chain PREROUTING {
type nat hook prerouting priority dstnat; policy accept;
counter packets 1243 bytes 99416 jump nixos-nat-pre
}
chain INPUT {
type nat hook input priority 100; policy accept;
}
chain POSTROUTING {
type nat hook postrouting priority srcnat; policy accept;
counter packets 65152 bytes 5212120 jump nixos-nat-post
}
chain OUTPUT {
type nat hook output priority -100; policy accept;
counter packets 65152 bytes 5212120 jump nixos-nat-out
}
chain nixos-nat-pre {
}
chain nixos-nat-post {
}
chain nixos-nat-out {
}
} |
10 tasks
misuzu
force-pushed
the
iptables-switch
branch
2 times, most recently
from
c9888d1
to
81fbb2f
Compare
|
Сhecked on home server - working. |
Mic92
reviewed
Apr 2, 2020
|
Can you give this a rebase? Than I will merge it. |
Done! |
Mic92
reviewed
Apr 28, 2020
|
A different question are |
|
systemd uses |
Izorkin
approved these changes
Oct 8, 2021
misuzu
force-pushed
the
iptables-switch
branch
from
a0b7829
to
f898fde
Compare
Izorkin
approved these changes
Oct 10, 2021
|
Let's see what this will break 😆 |
|
сс @misuzu @flokli for some reason this change is not in the master branch: commit 311806c044ae787b182fa919ea14467adafd6fbb
Author: misuzu <bakalolka@gmail.com>
AuthorDate: Wed Sep 15 08:57:19 2021 +0300
Commit: Izorkin <izorkin@elven.pw>
CommitDate: Tue Nov 2 10:36:46 2021 +0300
nixos/libvirtd: use /etc/ethertypes from iptables package
---
nixos/modules/virtualisation/libvirtd.nix | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/nixos/modules/virtualisation/libvirtd.nix b/nixos/modules/virtualisation/libvirtd.nix
index 121e7286bc1..ab87394a30e 100644
--- a/nixos/modules/virtualisation/libvirtd.nix
+++ b/nixos/modules/virtualisation/libvirtd.nix
@@ -254,7 +254,7 @@ in
"allow ${e}")
cfg.allowedBridges;
systemPackages = with pkgs; [ libressl.nc iptables cfg.package cfg.qemu.package ];
- etc.ethertypes.source = "${pkgs.ebtables}/etc/ethertypes";
+ etc.ethertypes.source = "${pkgs.iptables}/etc/ethertypes";
};
boot.kernelModules = [ "tun" ];
|
12 tasks
|
сс @misuzu other change has all reached the master branch? |
Other changes seem to be there. |
|
Maybe something went wrong when resolving conflicts during the staging cycle. Can you file a PR towards master, that brings this again? (Linking to the context here in the commit message)
|
misuzu
added a commit
to misuzu/nixpkgs
that referenced
this pull request
Nov 2, 2021
This change is part of NixOS#81172 and must have been lost during staging cycle.
mkg20001
added a commit
to mkg20001/nixpkgs
that referenced
this pull request
Nov 3, 2021
12 tasks
10 tasks
This was referenced Feb 22, 2022
12 tasks
12 tasks
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Motivation for this change
iptables-nftables-compattransparently convertsiptablesrules tonftrules. This should ease the migration tonftables.Debian and Fedora already switched to
iptables-nftables-compatby default.Related: #23181
https://wiki.nftables.org/wiki-nftables/index.php/Moving_from_iptables_to_nftables
https://www.redhat.com/en/blog/using-iptables-nft-hybrid-linux-firewall
Things done
sandboxinnix.confon non-NixOS linux)nix-shell -p nixpkgs-review --run "nixpkgs-review wip"./result/bin/)nix path-info -Sbefore and after)