Server Fault Asked on January 3, 2022
With iptables I can change the for example INPUT policy with iptables -P INPUT DROP to drop. Is there any option to do the same with nft?
Editing /etc/nftables.conf would work of course but that is not what I want.
Yes you can redefine an already existing base chain's policy without changing its content. There's no separate keyword for this, it's still add:
nft add chain family mytable mychain '{ policy drop; }'
Complete example in a namespace:
test.nft:
flush ruleset
table ip t {
chain c {
type filter hook output priority 0; policy accept;
oif lo accept
counter
}
}
setup:
# ip netns add test
# ip netns exec test nft -f test.nft
alteration:
# ip netns exec test nft add 'chain ip t c { policy drop; }'
# ip netns exec test nft list ruleset
table ip t {
chain c {
type filter hook output priority filter; policy drop;
oif "lo" accept
counter packets 0 bytes 0
}
}
The policy was changed, without altering the rules. Using here nft 0.9.5 and kernel 5.7.x . Depending on version behaviour might differ.
There's a kernel commit from 2015 allowing to do only this:
netfilter: nf_tables: allow to change chain policy without hook if it exists
If there's an existing base chain, we have to allow to change the default policy without indicating the hook information.
However, if the chain doesn't exists, we have to enforce the presence of the hook attribute.
Signed-off-by: Pablo Neira Ayuso [email protected]
Before this (around kernel 4.1), one had to provide again the base chain definition (which can't be changed by the way):
# ip netns exec test nft add 'chain ip t c { type filter hook output priority 0; policy drop; }'
Answered by A.B on January 3, 2022
Get help from others!
Recent Questions
Recent Answers
© 2024 TransWikia.com. All rights reserved. Sites we Love: PCI Database, UKBizDB, Menu Kuliner, Sharing RPP