<html>
<head>
<base href="https://bugzilla.netfilter.org/">
</head>
<body>
<p>
<div>
<b><a class="bz_bug_link
bz_status_REOPENED "
title="REOPENED - Error: COMMAND_FAILED: 'python-nftables' failed"
href="https://bugzilla.netfilter.org/show_bug.cgi?id=1777#c15">Comment # 15</a>
on <a class="bz_bug_link
bz_status_REOPENED "
title="REOPENED - Error: COMMAND_FAILED: 'python-nftables' failed"
href="https://bugzilla.netfilter.org/show_bug.cgi?id=1777">bug 1777</a>
from <span class="vcard"><a class="email" href="mailto:fs3000@proton.me" title="fs3000@proton.me">fs3000@proton.me</a>
</span></b>
<pre>This is the original /etc/nftables.conf right after a clean install. "nft list ruleset" is empty. The nftables service is inactive.
root@bpi-r4 /root $ cat /etc/nftables.conf
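#!/usr/sbin/nft -f
# Base firewall/NAT policy. Interface groups: $ifinternal is the trusted side,
# $ifexternal the untrusted (wan/PPP) side; rules below refer to these sets.
# Line breaks inside rules/comment strings were mail-wrap artifacts and have
# been rejoined: nft does not allow a quoted string to span lines.
define iflan="lanbr0"
define ifinternal={$iflan,"wlan0","wlan1"}
#define ifwan="ppp0"
define ifwan="ppp8"
define ifexternal={"wan",$ifwan,"ppp9"}

# Start from an empty ruleset so re-loading this file replaces, not appends.
flush ruleset

table inet filter {
    # Flowtable kept for reference; enabling it also needs the
    # "flow offload @f" rule in forward-known.
    # flowtable f {
    #     hook ingress priority filter
    #     devices = { lan0, lan1, lan2, lan3, wan }
    #     #devices = { lan0, lan1, lan2, lan3, wan, wlan0, wlan1 }
    #     flags offload
    # }

    chain input {
        type filter hook input priority filter;policy drop;
        iifname "lo" accept comment "accept loopback"
        limit rate 5/second icmp type {echo-request, echo-reply} accept comment "limit icmp to 5/s"
        # NOTE: no iifname match here, so SSH is reachable on every interface
        # (including $ifexternal), rate-limited only; the internal-only variant
        # is the commented-out line below.
        tcp dport ssh limit rate 10/second accept comment "limit SSH"
        #iifname $ifinternal tcp dport ssh limit rate 10/second accept comment "limit SSH"
        ct state { established, related } accept comment "allow connections initiated"
        iifname $ifinternal accept comment "allow traffic from internal interfaces"
        tcp sport ftp-data ct state established,related accept comment "allow active/passive FTP"
        #reject
    }

    chain forward {
        type filter hook forward priority filter;policy drop;
        ct state invalid counter drop comment "early drop of invalid packets"
        #ct state {established,related} accept comment "allow connections initiated"
        #limit rate 5/second icmp type { echo-reply, echo-request } accept comment "limit icmp to 5/s"
        # Clamp TCP MSS to the route MTU for traffic leaving external interfaces.
        oifname $ifexternal tcp flags syn tcp option maxseg size set rt mtu
        #split new connections from known, syn-ack=ct-established
        # Dispatch on conntrack state; anything not listed (e.g. untracked)
        # falls through to the chain policy (drop).
        ct state vmap { established : jump forward-known, related : jump forward-known, new : jump forward-new }
    }

    chain forward-new {
        # Entered only for ct state new (see the vmap in forward).
        #oifname $ifexternal ip saddr $iprangesblocked reject comment "block internal ip ranges to have only internal access"
        #oifname $ifwan tcp dport domain reject comment "block external dns in forward"
        #limit rate 10/minute counter log prefix "NF-FWD-NEW: " level debug
        #int <=> ext
        iifname $ifinternal oifname $ifinternal accept comment "allow int => int"
        iifname $ifinternal oifname $ifexternal accept comment "allow int => ext"
        # NOTE(review): since only "new" packets reach this chain, the
        # established,related match below appears unreachable; ext => int
        # replies are already accepted via forward-known. Kept as in the
        # original.
        iifname $ifexternal oifname $ifinternal ct state established,related accept comment "allow ext => int (only established/related)"
    }

    chain forward-known {
        # ct state established flow offload @f counter
        accept
    }

    chain output {
        # No explicit policy given: nft base chains default to accept.
        type filter hook output priority filter;
    }
}

# Family "ip" only: IPv6 forwarded traffic is not masqueraded by this table.
table ip nat {
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        oifname $ifexternal masquerade comment "NAT on all external interfaces"
    }
}

# Drop-in rule files are loaded after the base policy above.
include "/etc/nftables/*.nft"</pre>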
</div>
</p>
</body>
</html>