AnswerBun.com

Change policy with nftables on command line

Server Fault Asked on January 3, 2022

With iptables I can change the for example INPUT policy with iptables -P INPUT DROP to drop. Is there any option to do the same with nft?

Editing /etc/nftables.conf would work of course but that is not what I want.

One Answer

Yes you can redefine an already existing base chain's policy without changing its content. There's no separate keyword for this, it's still add:

nft add chain family mytable mychain '{ policy drop; }'

Complete example in a namespace:

test.nft:

flush ruleset

table ip t {
    chain c {
        type filter hook output priority 0; policy accept;
        oif lo accept
        counter
    }
}

setup:

# ip netns add test
# ip netns exec test nft -f test.nft

alteration:

# ip netns exec test nft add 'chain ip t c { policy drop; }'
# ip netns exec test nft list ruleset
table ip t {
    chain c {
        type filter hook output priority filter; policy drop;
        oif "lo" accept
        counter packets 0 bytes 0
    }
}

The policy was changed, without altering the rules. Using here nft 0.9.5 and kernel 5.7.x . Depending on version behaviour might differ.

There's a kernel commit from 2015 allowing to do only this:

netfilter: nf_tables: allow to change chain policy without hook if it exists

If there's an existing base chain, we have to allow to change the default policy without indicating the hook information.

However, if the chain doesn't exists, we have to enforce the presence of the hook attribute.

Signed-off-by: Pablo Neira Ayuso [email protected]

Before this (around kernel 4.1), one had to provide again the base chain definition (which can't be changed by the way):

# ip netns exec test nft add 'chain ip t c { type filter hook output priority 0;  policy drop; }'

Answered by A.B on January 3, 2022

Add your own answers!

Related Questions

Why are only 3 ip xfrm policies needed for a IPsec tunnel?

2  Asked on October 28, 2020 by dorian

   

Install more_set_headers in nginx 1.15.8

3  Asked on October 28, 2020 by curious-sam

         

Stop and prevent brute force attacks on Ubuntu 14.04

2  Asked on October 27, 2020 by joo-cerqueira

     

Virtual-kubelet install fail, missing file?

0  Asked on October 22, 2020 by l-minh-qun

 

Setup ssl on nginx for a django project

1  Asked on October 16, 2020 by mohammad-mahzoun

       

Nginx: How do I forward an HTTP request to another port?

4  Asked on October 13, 2020 by wooohaaaa

 

Where is IIS Manager for Remote Administration for Windows 10?

0  Asked on October 9, 2020 by soleil-mathieu-prvot

     

zywall usg 100 log website visits

1  Asked on October 5, 2020 by user331495

     

Can’t connect to network share

0  Asked on October 5, 2020 by nebu

   

OpenVPN Install: Can’t access to Client UI page

1  Asked on October 2, 2020 by the-one

 

NGINX Reverse Proxy to Dynamic DNS

1  Asked on September 23, 2020 by tempster102

     

Ask a Question

Get help from others!

© 2023 AnswerBun.com. All rights reserved. Sites we Love: PCI Database, MenuIva, UKBizDB, Menu Kuliner, Sharing RPP, SolveDir