nftables: move nat to another table for visibility

This commit is contained in:
Hoang Nguyen 2021-06-22 02:12:04 +03:00
parent 85b24cdbe7
commit 7dfc942338
No known key found for this signature in database
GPG Key ID: 813CF484F4993419
1 changed files with 7 additions and 5 deletions


@ -34,11 +34,7 @@ table inet filter {
iifname "virbr0" counter reject with icmpx type port-unreachable iifname "virbr0" counter reject with icmpx type port-unreachable
} }
chain libvirt_postrouting { # Default to drop all inbound traffic, unless they meet the criteria
ip saddr 192.168.122.0/24 ip daddr != 192.168.122.0/24 counter masquerade
}
# Default to drop all inbound traffic, unless they meet our criteria
chain input { chain input {
type filter hook input priority 0; policy drop; type filter hook input priority 0; policy drop;
@ -131,6 +127,12 @@ table inet filter {
counter comment "Count accepted packets" counter comment "Count accepted packets"
#log prefix "[nftables] Outbound Accepted: " flags all counter accept #log prefix "[nftables] Outbound Accepted: " flags all counter accept
} }
}
table inet nat {
chain libvirt_postrouting {
ip saddr 192.168.122.0/24 ip daddr != 192.168.122.0/24 counter masquerade
}
chain postrouting { chain postrouting {
type nat hook postrouting priority 100; policy accept; type nat hook postrouting priority 100; policy accept;