From: Pablo Neira Ayuso
Subject: Re: Re: Re: Re: Re: Re: Re: Flowtable with ppp/bridge
Date: Mon, 10 May 2021 10:24:59 +0200
Message-ID: <20210510082459.GA23639@salvia>
References: <20210502221122.GA19395@salvia> <20210503213213.GA17087@salvia> <20210504114256.GA6473@salvia> <20210505225516.GB13833@salvia> <20210506155134.GA28034@salvia>
To: Frank Wunderlich
Cc: netfilter@vger.kernel.org

On Mon, May 10, 2021 at 08:50:56AM +0200, Frank Wunderlich wrote:
> Hi
>
> > Sent: Thursday, 06 May 2021 at 17:51
> > From: "Pablo Neira Ayuso"
> >
> > > > chain FORWARD {
> > > >     type filter hook forward priority 0; policy drop;
> > > >
> > > >     tcp flags syn tcp option maxseg size set rt mtu
> > > >     ct state vmap { established : jump FORWARD_established, related : jump FORWARD_established, new : jump FORWARD_new }
>
> Tried this way, seems to work so far. I only have a problem removing my
> ruleset with iptables (I have this to reset my complete firewall, not only
> nft).
>
> iptables -X
> iptables v1.8.2 (nf_tables): CHAIN_USER_DEL failed (Device or resource busy): chain FORWARD_known
>
> I guess iptables cannot delete the chain because it is linked by the ct
> state vmap. Any idea?

In iptables, you have to flush a chain (-F) before you can delete it.

Anyway, once you step in to use nftables, it is better if you use native
nftables commands to operate, such as:

nft flush ruleset

> Is the order of the defined chains important? Maybe I can move the 2 new
> forward chains below the old one with "ct state vmap".

Not sure what you mean, could you provide an example?
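An added example, not part of the thread and not Frank's or Pablo's ruleset: the FORWARD chain quoted above, placed in a complete table together with the two chains its ct state vmap jumps to, so the reference that makes the target chains undeletable is visible. The table name (inet filter), the interface names (br-lan, ppp0) and the contents of FORWARD_established and FORWARD_new are assumptions; the thread shows only the FORWARD chain itself.

```nft
# Added example, not from the thread. Assumed: table name, interface names,
# and the bodies of the two target chains. Load with: nft -f this-file.nft
table inet filter {
    # Target chains are listed before FORWARD. That is safe regardless of
    # whether a given nft version tolerates forward references within one
    # file; this example does not claim either way.
    chain FORWARD_established {
        # Assumed: traffic belonging to a connection that already passed
        # FORWARD_new, or related to one (ICMP errors, FTP data, ...).
        counter accept
    }

    chain FORWARD_new {
        # Assumed policy for new connections: only LAN bridge -> ppp uplink.
        # Everything else falls through to the explicit drop below.
        iifname "br-lan" oifname "ppp0" counter accept
        counter drop
    }

    chain FORWARD {
        type filter hook forward priority 0; policy drop;

        # Clamp TCP MSS to the route MTU on SYN (needed on ppp links).
        tcp flags syn tcp option maxseg size set rt mtu

        # This rule is what holds a reference to FORWARD_established and
        # FORWARD_new. While it exists, deleting either target chain is
        # refused with EBUSY ("Device or resource busy").
        ct state vmap { established : jump FORWARD_established,
                        related : jump FORWARD_established,
                        new : jump FORWARD_new }
    }
}
```

To tear this down, the referencing rule has to go before the referenced chains: `nft flush chain inet filter FORWARD` followed by `nft delete chain inet filter FORWARD_new` and `nft delete chain inet filter FORWARD_established`, or simply `nft flush ruleset`, which removes every table in every family, including the tables iptables-nft creates. `iptables -X` with no argument only attempts to delete user chains that are empty and unreferenced, so a chain that is still a jump target of a vmap in another chain is exactly the case in which it reports the error quoted above.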