Talk:Nftables/Examples

From Gentoo Wiki

Which directory should hold nftables rules

Talk status
This discussion is done.

I guess that /etc/nftables is the suitable directory for nftables rules instead of /etc/conf.d/ as suggested in the examples. I am happy to modify the path if this is the case. Joan (Mimosinnet) --Mimosinnet 20:59, 4 August 2017 (UTC)

Sounds wonderful. Please update. --Grknight (talk) 17:42, 8 November 2018 (UTC)
Done! Joan (Mimosinnet) --Mimosinnet 00:22, 13 April 2019 (UTC)
I disagree, with a glimpse at other distributions as well as the nftables wiki. The current rule set is stored to /var/lib/nftables/rules_save when using OpenRC (/etc/init.d/nftables). This is controlled through conf.d/nftables. So either users choose their favorite location, or the defaults of the init script (and systemd variant) are changed upstream. (added this comment after the talk was marked done) --Onkobu (talk) 18:40, 22 October 2021 (UTC)

nftables scripting

Talk status
This discussion is still ongoing.

Some scripting examples in the document use bash. Nevertheless, nftables suggests using its own native scripting environment. Is it all right to change the Stateful router example to nftables scripting syntax? Joan (Mimosinnet) Mimosinnet 11:55, 2 November 2019 (UTC)

And the current init script uses numeric mode to store the current rule set. This translates user-written verbose rules and strips off all variables by replacing them with their values (sets remain intact). I can't think of any sane firewall maintainer getting his rules mangled to something very technical. (Some rules change dramatically to very sophisticated expressions the average IP-blocker wouldn't come up with.)

nftables in 2021

Examples lack the netdev family for early packet dropping to mitigate (D)DoS with light load impact. It is also very uncomfortable to write down a human-readable rule set that gets mangled to numeric mode by default (see comment above regarding scripting). Some updating needs to be done, as well as consolidation of package defaults.

Questions on the recent "mdns" entries

Talk status
This discussion is still ongoing as of 2025-03-17.

TitanOfOld, I'm looking at your recent addition of multicast DNS (mDNS) and have a few questions.

  • Does nftables have built-in port names? Meaning that the lines
CODE
udp dport mdns ip6 daddr ff02::fb counter accept comment "IPv6 mDNS"
udp dport mdns ip daddr 224.0.0.251 counter accept comment "IPv4 mDNS"

translate to

CODE
udp dport 5353 ip6 daddr ff02::fb counter accept comment "IPv6 mDNS"
udp dport 5353 ip daddr 224.0.0.251 counter accept comment "IPv4 mDNS"

If so, where can I find the documentation about these built-in port names? If not, then we need to use the actual port number, 5353, for mDNS.

  • Is there a way to test mDNS?


Also, I think we should add a note explaining why we add this rule, like how there's a note explaining why we add the ICMP rules. Personally, I'm not 100% sure why. Does it speed up or cache DNS resolves to computers in a local network?

Proposed changes - Please make edits here until a final revision is agreed upon.

Add a note alongside the note explaining why we add ICMP.
Note
Explanation of why we add mDNS rules[1].

FlyingBullets (talk) 16:31, 17 March 2025 (UTC)
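Added example, not part of FlyingBullets' post nor of the wiki's own examples, addressing the port-name question above and the numeric-mode concern raised under "nftables scripting": nft resolves a service name such as mdns through /etc/services (the inet_service type), so "udp dport mdns" and "udp dport 5353" match the same traffic, and a saved numeric rule set will show the number. The script embeds a constructed /etc/services-style table so it runs offline, rewrites a rule to the numeric form it will be stored in, writes a small ruleset in nft's native syntax with define variables, and validates it with nft -c -f when nft is installed. The helper names, the table and the sample ruleset are the example's own assumptions.

```shell
#!/bin/sh
# Added example (not from the wiki page): show what a rule written with a
# service name actually matches, and parse-check a ruleset without loading it.

# Constructed /etc/services-style table so the example runs offline.
# On a real host nft reads /etc/services itself; the values below mirror
# the IANA assignments for these three names.
SERVICES_TABLE='
domain 53/udp
mdns   5353/udp
ssh    22/tcp
'

# resolve_service NAME PROTO -> prints the port number; exit 1 if unknown.
resolve_service() {
    printf '%s\n' "$SERVICES_TABLE" | awk -v n="$1" -v p="$2" '
        $1 == n { split($2, a, "/"); if (a[2] == p) { print a[1]; found = 1 } }
        END { exit found ? 0 : 1 }'
}

# numeric_rule RULE -> the same rule with "dport <name>" rewritten to the
# number, i.e. the form "nft list ruleset" shows after a numeric save.
# The L4 protocol is taken from the first token (udp/tcp).
numeric_rule() {
    rule=$1
    proto=${rule%% *}
    name=$(printf '%s\n' "$rule" | sed -n 's/.*dport \([^ ]*\).*/\1/p')
    if [ -z "$name" ]; then
        printf '%s\n' "$rule"          # no dport match at all: unchanged
        return 0
    fi
    case $name in
        *[!0-9]*)                      # a service name: look it up
            port=$(resolve_service "$name" "$proto") || return 1
            printf '%s\n' "$rule" | sed "s/dport $name/dport $port/" ;;
        *)                             # already numeric
            printf '%s\n' "$rule" ;;
    esac
}

# write_ruleset FILE: constructed ruleset in nft's native syntax, using
# defines and a service name, as a human would write it before saving.
write_ruleset() {
    cat > "$1" <<'EOF'
#!/usr/sbin/nft -f
define mdns_v4 = 224.0.0.251
define mdns_v6 = ff02::fb

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;
        udp dport mdns ip daddr $mdns_v4 counter accept comment "IPv4 mDNS"
        udp dport mdns ip6 daddr $mdns_v6 counter accept comment "IPv6 mDNS"
    }
}
EOF
}

# check_ruleset FILE: parse-only validation (nft -c never loads rules into
# the kernel). Returns 2 when nft is not installed so callers can skip it.
check_ruleset() {
    command -v nft >/dev/null 2>&1 || return 2
    nft -c -f "$1"
}

# Demonstration: the two rules from the discussion, in their stored form.
numeric_rule 'udp dport mdns ip6 daddr ff02::fb counter accept comment "IPv6 mDNS"'
numeric_rule 'udp dport mdns ip daddr 224.0.0.251 counter accept comment "IPv4 mDNS"'

tmp=$(mktemp)
write_ruleset "$tmp"
if check_ruleset "$tmp"; then
    echo "nft -c: ruleset parses"
else
    echo "nft -c: skipped (nft missing, or it could not open its netlink socket)"
fi
rm -f "$tmp"
```

On a host where nft is installed, "nft -c -f" is the check to run before deploying an edited ruleset; the numeric form printed by numeric_rule is what to expect in /var/lib/nftables/rules_save after the init script saves the running set, with the defines already substituted.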