nftables and bridgeDebian network disappearingHow to do Masquerading with NFTablesnftables ip set multiple tablesSet up nftables to only allow connections through a vpn and block all ipv6 trafficNftables configuration error: conflicting protocols specified: inet-service v. icmpInternet access in LXC container with nftablesWhen and how to use chain priorities in nftablesHow to use wildcard in a list with nftablesLinux bridge SNAT with ebtablesNftables rules dissapiered after reboot!

Infinite Abelian subgroup of infinite non Abelian group example

How do I write bicross product symbols in latex?

When a company launches a new product do they "come out" with a new product or do they "come up" with a new product?

Why is Collection not simply treated as Collection<?>

Arrow those variables!

Is it possible to run Internet Explorer on OS X El Capitan?

What does it mean to describe someone as a butt steak?

Today is the Center

Western buddy movie with a supernatural twist where a woman turns into an eagle at the end

I would say: "You are another teacher", but she is a woman and I am a man

In Romance of the Three Kingdoms why do people still use bamboo sticks when paper had already been invented?

Modeling an IP Address

Is it possible to create light that imparts a greater proportion of its energy as momentum rather than heat?

Would Slavery Reparations be considered Bills of Attainder and hence Illegal?

What killed these X2 caps?

Why do I get two different answers for this counting problem?

If human space travel is limited by the G force vulnerability, is there a way to counter G forces?

How do conventional missiles fly?

Emailing HOD to enhance faculty application

Is it canonical bit space?

Can a rocket refuel on Mars from water?

How is it possible to have an ability score that is less than 3?

Facing a paradox: Earnshaw's theorem in one dimension

How can I tell someone that I want to be his or her friend?



nftables and bridge


Debian network disappearingHow to do Masquerading with NFTablesnftables ip set multiple tablesSet up nftables to only allow connections through a vpn and block all ipv6 trafficNftables configuration error: conflicting protocols specified: inet-service v. icmpInternet access in LXC container with nftablesWhen and how to use chain priorities in nftablesHow to use wildcard in a list with nftablesLinux bridge SNAT with ebtablesNftables rules dissapiered after reboot!






.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty margin-bottom:0;








0















I would like to set firewall with nftables on PC B on interface eth1 (input only). Using whitelisting. Diagram is simplified (there is more VLANs) and everything work fine except bridge.



Requirements:



  • main policy drop

  • allow http (management of switch)

  • allow snmp

And I have problem with first one - main policy drop.



diagram



I found some instruction but it is not working for me. I tried something similar to my table inet filter. Drop all:



table bridge br 
 chain input 
 type filter hook forward priority 0; policy drop;



PC A can still ping to SWITCH and connect to management of SWITCH via http.



  • tried hook input too

  • br99 is standard bridge set up with wicked

  • PCs - OpenSuse 42.3

  • nftables version 0.5

  • table inet has no impact to eth1.99

It is very simplified diagram. There is more switches and pcs in my system. I can not change network. PC A must have connection to the SWITCH. On interface br99 is the same network for snmp for PC A.



EDIT:



With nftables 0.8.2 this configuration works.






firewall bridge nftables







share|improve this question









New contributor




2ndChosenOne is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.




















  • rewrote a comment Considering nftables is now at version 0.9, a lot might have changed since 0.5. It's recommended to have kernel >= 4.10 and nftables 0.9 for best results. Anyway Reproducing your setup with network namespaces, applying your nftables file, with nftables 0.9, 1st part is working as intended (nothing leaves through eth1.99 or eth1). A note: nftables cannot do stateful firewalling (contrary to the mix of ebtables+iptables), so you'll have to make rules that don't depend on any conntrack state (could be fine here).

    – A.B
    2 days ago












  • You should document how you made your settings on pc B (using commands like ip link, ip addr, diagnostics with possibly bridge fdb etc).

    – A.B
    2 days ago












  • thanks, you are right. with nftables 0.8.2 configuration works perfect too.

    – 2ndChosenOne
    21 hours ago


















0















I would like to set firewall with nftables on PC B on interface eth1 (input only). Using whitelisting. Diagram is simplified (there is more VLANs) and everything work fine except bridge.



Requirements:



  • main policy drop

  • allow http (management of switch)

  • allow snmp

And I have problem with first one - main policy drop.



diagram



I found some instruction but it is not working for me. I tried something similar to my table inet filter. Drop all:



table bridge br 
 chain input 
 type filter hook forward priority 0; policy drop;



PC A can still ping to SWITCH and connect to management of SWITCH via http.



  • tried hook input too

  • br99 is standard bridge set up with wicked

  • PCs - OpenSuse 42.3

  • nftables version 0.5

  • table inet has no impact to eth1.99

It is very simplified diagram. There is more switches and pcs in my system. I can not change network. PC A must have connection to the SWITCH. On interface br99 is the same network for snmp for PC A.



EDIT:



With nftables 0.8.2 this configuration works.






firewall bridge nftables







share|improve this question









New contributor




2ndChosenOne is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.




















  • rewrote a comment Considering nftables is now at version 0.9, a lot might have changed since 0.5. It's recommended to have kernel >= 4.10 and nftables 0.9 for best results. Anyway Reproducing your setup with network namespaces, applying your nftables file, with nftables 0.9, 1st part is working as intended (nothing leaves through eth1.99 or eth1). A note: nftables cannot do stateful firewalling (contrary to the mix of ebtables+iptables), so you'll have to make rules that don't depend on any conntrack state (could be fine here).

    – A.B
    2 days ago












  • You should document how you made your settings on pc B (using commands like ip link, ip addr, diagnostics with possibly bridge fdb etc).

    – A.B
    2 days ago












  • thanks, you are right. with nftables 0.8.2 configuration works perfect too.

    – 2ndChosenOne
    21 hours ago














0












0








0








I would like to set firewall with nftables on PC B on interface eth1 (input only). Using whitelisting. Diagram is simplified (there is more VLANs) and everything work fine except bridge.



Requirements:



  • main policy drop

  • allow http (management of switch)

  • allow snmp

And I have problem with first one - main policy drop.



diagram



I found some instruction but it is not working for me. I tried something similar to my table inet filter. Drop all:



table bridge br 
 chain input 
 type filter hook forward priority 0; policy drop;



PC A can still ping to SWITCH and connect to management of SWITCH via http.



  • tried hook input too

  • br99 is standard bridge set up with wicked

  • PCs - OpenSuse 42.3

  • nftables version 0.5

  • table inet has no impact to eth1.99

It is very simplified diagram. There is more switches and pcs in my system. I can not change network. PC A must have connection to the SWITCH. On interface br99 is the same network for snmp for PC A.



EDIT:



With nftables 0.8.2 this configuration works.






firewall bridge nftables







share|improve this question









New contributor




2ndChosenOne is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.












I would like to set firewall with nftables on PC B on interface eth1 (input only). Using whitelisting. Diagram is simplified (there is more VLANs) and everything work fine except bridge.



Requirements:



  • main policy drop

  • allow http (management of switch)

  • allow snmp

And I have problem with first one - main policy drop.



diagram



I found some instruction but it is not working for me. I tried something similar to my table inet filter. Drop all:



table bridge br 
 chain input 
 type filter hook forward priority 0; policy drop;



PC A can still ping to SWITCH and connect to management of SWITCH via http.



  • tried hook input too

  • br99 is standard bridge set up with wicked

  • PCs - OpenSuse 42.3

  • nftables version 0.5

  • table inet has no impact to eth1.99

It is very simplified diagram. There is more switches and pcs in my system. I can not change network. PC A must have connection to the SWITCH. On interface br99 is the same network for snmp for PC A.



EDIT:



With nftables 0.8.2 this configuration works.






firewall bridge nftables




firewall bridge nftables






share|improve this question









New contributor




2ndChosenOne is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.











share|improve this question









New contributor




2ndChosenOne is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.









share|improve this question




share|improve this question








edited 21 hours ago







2ndChosenOne













New contributor




2ndChosenOne is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.









asked 2 days ago









2ndChosenOne2ndChosenOne

11




11




New contributor




2ndChosenOne is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.





New contributor





2ndChosenOne is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.






2ndChosenOne is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.












  • rewrote a comment Considering nftables is now at version 0.9, a lot might have changed since 0.5. It's recommended to have kernel >= 4.10 and nftables 0.9 for best results. Anyway Reproducing your setup with network namespaces, applying your nftables file, with nftables 0.9, 1st part is working as intended (nothing leaves through eth1.99 or eth1). A note: nftables cannot do stateful firewalling (contrary to the mix of ebtables+iptables), so you'll have to make rules that don't depend on any conntrack state (could be fine here).

    – A.B
    2 days ago












  • You should document how you made your settings on pc B (using commands like ip link, ip addr, diagnostics with possibly bridge fdb etc).

    – A.B
    2 days ago












  • thanks, you are right. with nftables 0.8.2 configuration works perfect too.

    – 2ndChosenOne
    21 hours ago


















  • rewrote a comment Considering nftables is now at version 0.9, a lot might have changed since 0.5. It's recommended to have kernel >= 4.10 and nftables 0.9 for best results. Anyway Reproducing your setup with network namespaces, applying your nftables file, with nftables 0.9, 1st part is working as intended (nothing leaves through eth1.99 or eth1). A note: nftables cannot do stateful firewalling (contrary to the mix of ebtables+iptables), so you'll have to make rules that don't depend on any conntrack state (could be fine here).

    – A.B
    2 days ago












  • You should document how you made your settings on pc B (using commands like ip link, ip addr, diagnostics with possibly bridge fdb etc).

    – A.B
    2 days ago












  • thanks, you are right. with nftables 0.8.2 configuration works perfect too.

    – 2ndChosenOne
    21 hours ago

















rewrote a comment Considering nftables is now at version 0.9, a lot might have changed since 0.5. It's recommended to have kernel >= 4.10 and nftables 0.9 for best results. Anyway Reproducing your setup with network namespaces, applying your nftables file, with nftables 0.9, 1st part is working as intended (nothing leaves through eth1.99 or eth1). A note: nftables cannot do stateful firewalling (contrary to the mix of ebtables+iptables), so you'll have to make rules that don't depend on any conntrack state (could be fine here).

– A.B
2 days ago






rewrote a comment Considering nftables is now at version 0.9, a lot might have changed since 0.5. It's recommended to have kernel >= 4.10 and nftables 0.9 for best results. Anyway Reproducing your setup with network namespaces, applying your nftables file, with nftables 0.9, 1st part is working as intended (nothing leaves through eth1.99 or eth1). A note: nftables cannot do stateful firewalling (contrary to the mix of ebtables+iptables), so you'll have to make rules that don't depend on any conntrack state (could be fine here).

– A.B
2 days ago














You should document how you made your settings on pc B (using commands like ip link, ip addr, diagnostics with possibly bridge fdb etc).

– A.B
2 days ago






You should document how you made your settings on pc B (using commands like ip link, ip addr, diagnostics with possibly bridge fdb etc).

– A.B
2 days ago














thanks, you are right. with nftables 0.8.2 configuration works perfect too.

– 2ndChosenOne
21 hours ago






thanks, you are right. with nftables 0.8.2 configuration works perfect too.

– 2ndChosenOne
21 hours ago











0






active

oldest

votes












Your Answer








StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "106"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);

StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);

else
createEditor();

);

function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: false,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
imageUploader:
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
,
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);



);






2ndChosenOne is a new contributor. Be nice, and check out our Code of Conduct.









draft saved

draft discarded


















StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f510083%2fnftables-and-bridge%23new-answer', 'question_page');

);

Post as a guest















Required, but never shown

























0






active

oldest

votes








0






active

oldest

votes









active

oldest

votes






active

oldest

votes








2ndChosenOne is a new contributor. Be nice, and check out our Code of Conduct.









draft saved

draft discarded


















2ndChosenOne is a new contributor. Be nice, and check out our Code of Conduct.












2ndChosenOne is a new contributor. Be nice, and check out our Code of Conduct.











2ndChosenOne is a new contributor. Be nice, and check out our Code of Conduct.














Thanks for contributing an answer to Unix & Linux Stack Exchange!


  • Please be sure to answer the question. Provide details and share your research!

But avoid


  • Asking for help, clarification, or responding to other answers.

  • Making statements based on opinion; back them up with references or personal experience.

To learn more, see our tips on writing great answers.




draft saved


draft discarded














StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f510083%2fnftables-and-bridge%23new-answer', 'question_page');

);

Post as a guest















Required, but never shown





















































Required, but never shown














Required, but never shown












Required, but never shown







Required, but never shown

































Required, but never shown














Required, but never shown












Required, but never shown







Required, but never shown







-

Popular posts from this blog

getting Checkpoint VPN SSL Network Extender working in the command lineHow to connect to CheckPoint VPN on Ubuntu 18.04LTS?Will the Linux ( red-hat ) Open VPNC Client connect to checkpoint or nortel VPN gateways?VPN client for linux machine + support checkpoint gatewayVPN SSL Network Extender in FirefoxLinux Checkpoint SNX tool configuration issuesCheck Point - Connect under Linux - snx + OTPSNX VPN Ububuntu 18.XXUsing Checkpoint VPN SSL Network Extender CLI with certificateVPN with network manager (nm-applet) is not workingWill the Linux ( red-hat ) Open VPNC Client connect to checkpoint or nortel VPN gateways?VPN client for linux machine + support checkpoint gatewayImport VPN config files to NetworkManager from command lineTrouble connecting to VPN using network-manager, while command line worksStart a VPN connection with PPTP protocol on command linestarting a docker service daemon breaks the vpn networkCan't connect to vpn with Network-managerVPN SSL Network Extender in FirefoxUsing Checkpoint VPN SSL Network Extender CLI with certificate

Image
If human space travel is limited by the G force vulnerability, is there a way to counter G forces? Did Shadowfax go to Valinor? Do I have a twin with permutated remainders? Blender 2.8 I can't see vertices, edges or faces in edit mode 1960's book about a plague that kills all white people How can I make my BBEG immortal short of making them a Lich or Vampire? Alternative to sending password over mail? Is it inappropriate for a student to attend their mentor's dissertation defense? Why is Collection not simply treated as Collection<?> Took a trip to a parallel universe, need help deciphering Assassin's bullet with mercury Why is it a bad idea to hire a hitman to eliminate most corrupt politicians? I Accidentally Deleted a Stock Terminal Theme Is there a hemisphere-neutral way of specifying a season? What about the virus in 12 Monkeys? Why can't we play rap on piano? Arrow those variables! Today is the Center Modeling an IP Ad
Read more

Cannot Extend partition with GParted The 2019 Stack Overflow Developer Survey Results Are In Announcing the arrival of Valued Associate #679: Cesar Manara Planned maintenance scheduled April 17/18, 2019 at 00:00UTC (8:00pm US/Eastern) 2019 Community Moderator Election ResultsCan't increase partition size with GParted?GParted doesn't recognize the unallocated space after my current partitionWhat is the best way to add unallocated space located before to Ubuntu 12.04 partition with GParted live?I can't figure out how to extend my Arch home partition into free spaceGparted Linux Mint 18.1 issueTrying to extend but swap partition is showing as Unknown in Gparted, shows proper from fdiskRearrange partitions in gparted to extend a partitionUnable to extend partition even though unallocated space is next to it using GPartedAllocate free space to root partitiongparted: how to merge unallocated space with a partition

Image
Make it rain characters Keeping a retro style to sci-fi spaceships? How to split my screen on my Macbook Air? How can I define good in a religion that claims no moral authority? does high air pressure throw off wheel balance? Scientific Reports - Significant Figures Relations between two reciprocal partial derivatives? How to delete random line from file using Unix command? How did passengers keep warm on sail ships? How are presidential pardons supposed to be used? Are my PIs rude or am I just being too sensitive? He got a vote 80% that of Emmanuel Macron’s Change bounding box of math glyphs in LuaTeX Match Roman Numerals Was credit for the black hole image misattributed? How to pronounce 1ターン? how can a perfect fourth interval be considered either consonant or dissonant? Working through the single responsibility principle (SRP) in Python when calls are expensive High Q peak in frequency response means what in time domain? Would an alien lifeform
Read more

NetworkManager fails with “Could not find source connection”Trouble connecting to VPN using network-manager, while command line worksHow can I be notified about state changes to a VPN adapterBacktrack 5 R3 - Refuses to connect to VPNFeed all traffic through OpenVPN for a specific network namespace onlyRun daemon on startup in Debian once openvpn connection establishedpfsense tcp connection between openvpn and lan is brokenInternet connection problem with web browsers onlyWhy does NetworkManager explicitly support tun/tap devices?Browser issues with VPNTwo IP addresses assigned to the same network card - OpenVPN issues?Cannot connect to WiFi with nmcli, although secrets are provided

Image
What typically incentivizes a professor to change jobs to a lower ranking university? Reorder a Master List Based on a Reordered Subset How does one intimidate enemies without having the capacity for violence? Is it possible to do 50 km distance without any previous training? Java Casting: Java 11 throws LambdaConversionException while 1.8 does not How much RAM could one put in a typical 80386 setup? Is it legal for company to use my work email to pretend I still work there? Are astronomers waiting to see something in an image from a gravitational lens that they've already seen in an adjacent image? How is it possible to have an ability score that is less than 3? Why does Kotter return in Welcome Back Kotter? Can I ask the recruiters in my resume to put the reason why I am rejected? Why is consensus so controversial in Britain? Which country benefited the most from UN Security Council vetoes? Do infinite dimensional systems make sense? What's the poi
Read more