Thread: nftable : Drop policy applied despite an "accept" rule

  1. #1
    Join Date
    Sep 2024
    Beans
    3

    nftable : Drop policy applied despite an "accept" rule

    Hello,

    I added this rule to allow established connections:

    nft add rule inet filter input ct state established,related accept

    When the input policy is "accept", I can go on the internet.

    But as soon as I set the policy to "drop", I can't.

    sudo nft add chain inet filter input '{ policy drop; }'

    The policy normally applies when no rules are matched, so I don't understand why.

    Here is my ruleset:




    nicolas@localhost:~/Desktop$ sudo nft list ruleset


    Code:
    table inet filter {
        chain input {
            type filter hook input priority filter; policy drop;
            ct state established,related accept
        }

        chain forward {
            type filter hook forward priority filter; policy accept;
        }

        chain output {
            type filter hook output priority filter; policy accept;
        }
    }
    Thanks
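    The ruleset above is the bare minimum for a stateful input chain, and a drop policy exposes everything it does not cover: loopback traffic to host-local services, ICMP errors that conntrack has no existing flow for, and IPv6 neighbour discovery and router advertisements, which are not replies to anything and are therefore never "established". The file below is an added example of the usual baseline, not the poster's ruleset or anything from the nftables project; it assumes the same table name "filter", the standard loopback interface name "lo", and a host that does not route for other machines (so forward is set to drop, where the thread's ruleset has accept). The final log+counter rule is the diagnostic a practitioner wants here: it shows, in the kernel log and in `nft list ruleset`, exactly which packets are reaching the policy.

```nft
#!/usr/sbin/nft -f
# Added example baseline ruleset (not the original poster's).
# Assumptions: table name "filter" as in the thread, loopback interface "lo",
# host is not a router.
flush ruleset

table inet filter {
    chain input {
        type filter hook input priority filter; policy drop;

        # Loopback: local resolvers and other host-local services talk over lo.
        iifname "lo" accept

        # Replies to connections this host started, plus related traffic
        # (for example ICMP errors belonging to an existing flow).
        ct state established,related accept

        # Packets conntrack cannot associate with any flow.
        ct state invalid drop

        # IPv4 ICMP: errors needed for path MTU discovery and echo requests.
        icmp type { destination-unreachable, time-exceeded, parameter-problem, echo-request } accept

        # IPv6 ICMP: errors plus neighbour discovery and router advertisements.
        # None of these are "established" as far as conntrack is concerned, so a
        # drop policy without this rule silently breaks IPv6 on the link.
        icmpv6 type { destination-unreachable, packet-too-big, time-exceeded, parameter-problem,
                      echo-request, nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert } accept

        # Listening services go here, for example:
        # tcp dport 22 accept

        # Make the policy visible: anything reaching this point is what the drop
        # policy would otherwise discard without a trace.
        log prefix "nft input drop: " counter drop
    }

    chain forward {
        # The thread's ruleset leaves this at accept; drop is appropriate unless
        # this host forwards traffic for others.
        type filter hook forward priority filter; policy drop;
    }

    chain output {
        type filter hook output priority filter; policy accept;
    }
}
```

Check the syntax without touching the running ruleset with `sudo nft -c -f baseline.nft`, load it with `sudo nft -f baseline.nft`, and confirm with `sudo nft list ruleset`. After reproducing the failure, `journalctl -k | grep 'nft input drop'` (or `dmesg`) shows the dropped packets with their source, destination and protocol, and the counter on the last rule shows how many hit the policy; that tells you which accept rule is missing rather than leaving you to guess.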

  2. #2
    Join Date
    Apr 2014
    Location
    Tucson AZ, USA
    Beans
    1,094
    Distro
    Ubuntu

    Re: nftable : Drop policy applied despite an "accept" rule

    I am hardly an expert on nftables, or iptables as well, but if it reads from top to bottom the 2 bottom rules never get to be applied. They are dropped immediately by the first rule. Try putting drop on the bottom instead of the top? This assumes it works the same as iptables does.
