nftables and bridgeDebian network disappearingHow to do Masquerading with NFTablesnftables ip set multiple tablesSet up nftables to only allow connections through a vpn and block all ipv6 trafficNftables configuration error: conflicting protocols specified: inet-service v. icmpInternet access in LXC container with nftablesWhen and how to use chain priorities in nftablesHow to use wildcard in a list with nftablesLinux bridge SNAT with ebtablesNftables rules dissapiered after reboot!

Infinite Abelian subgroup of infinite non Abelian group example

How do I write bicross product symbols in latex?

When a company launches a new product do they "come out" with a new product or do they "come up" with a new product?

Why is Collection not simply treated as Collection<?>

Arrow those variables!

Is it possible to run Internet Explorer on OS X El Capitan?

What does it mean to describe someone as a butt steak?

Today is the Center

Western buddy movie with a supernatural twist where a woman turns into an eagle at the end

I would say: "You are another teacher", but she is a woman and I am a man

In Romance of the Three Kingdoms why do people still use bamboo sticks when paper had already been invented?

Modeling an IP Address

Is it possible to create light that imparts a greater proportion of its energy as momentum rather than heat?

Would Slavery Reparations be considered Bills of Attainder and hence Illegal?

What killed these X2 caps?

Why do I get two different answers for this counting problem?

If human space travel is limited by the G force vulnerability, is there a way to counter G forces?

How do conventional missiles fly?

Emailing HOD to enhance faculty application

Is it canonical bit space?

Can a rocket refuel on Mars from water?

How is it possible to have an ability score that is less than 3?

Facing a paradox: Earnshaw's theorem in one dimension

How can I tell someone that I want to be his or her friend?



nftables and bridge


Debian network disappearingHow to do Masquerading with NFTablesnftables ip set multiple tablesSet up nftables to only allow connections through a vpn and block all ipv6 trafficNftables configuration error: conflicting protocols specified: inet-service v. icmpInternet access in LXC container with nftablesWhen and how to use chain priorities in nftablesHow to use wildcard in a list with nftablesLinux bridge SNAT with ebtablesNftables rules dissapiered after reboot!






.everyoneloves__top-leaderboard:empty,.everyoneloves__mid-leaderboard:empty,.everyoneloves__bot-mid-leaderboard:empty margin-bottom:0;








0















I would like to set firewall with nftables on PC B on interface eth1 (input only). Using whitelisting. Diagram is simplified (there is more VLANs) and everything work fine except bridge.



Requirements:



  • main policy drop

  • allow http (management of switch)

  • allow snmp

And I have problem with first one - main policy drop.



diagram



I found some instruction but it is not working for me. I tried something similar to my table inet filter. Drop all:



table bridge br 
chain input
type filter hook forward priority 0; policy drop;




PC A can still ping to SWITCH and connect to management of SWITCH via http.



  • tried hook input too

  • br99 is standard bridge set up with wicked

  • PCs - OpenSuse 42.3

  • nftables version 0.5

  • table inet has no impact to eth1.99

It is very simplified diagram. There is more switches and pcs in my system. I can not change network. PC A must have connection to the SWITCH. On interface br99 is the same network for snmp for PC A.



EDIT:



With nftables 0.8.2 this configuration works.










share|improve this question









New contributor




2ndChosenOne is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.




















  • rewrote a comment Considering nftables is now at version 0.9, a lot might have changed since 0.5. It's recommended to have kernel >= 4.10 and nftables 0.9 for best results. Anyway Reproducing your setup with network namespaces, applying your nftables file, with nftables 0.9, 1st part is working as intended (nothing leaves through eth1.99 or eth1). A note: nftables cannot do stateful firewalling (contrary to the mix of ebtables+iptables), so you'll have to make rules that don't depend on any conntrack state (could be fine here).

    – A.B
    2 days ago












  • You should document how you made your settings on pc B (using commands like ip link, ip addr, diagnostics with possibly bridge fdb etc).

    – A.B
    2 days ago












  • thanks, you are right. with nftables 0.8.2 configuration works perfect too.

    – 2ndChosenOne
    21 hours ago


















0















I would like to set firewall with nftables on PC B on interface eth1 (input only). Using whitelisting. Diagram is simplified (there is more VLANs) and everything work fine except bridge.



Requirements:



  • main policy drop

  • allow http (management of switch)

  • allow snmp

And I have problem with first one - main policy drop.



diagram



I found some instruction but it is not working for me. I tried something similar to my table inet filter. Drop all:



table bridge br 
chain input
type filter hook forward priority 0; policy drop;




PC A can still ping to SWITCH and connect to management of SWITCH via http.



  • tried hook input too

  • br99 is standard bridge set up with wicked

  • PCs - OpenSuse 42.3

  • nftables version 0.5

  • table inet has no impact to eth1.99

It is very simplified diagram. There is more switches and pcs in my system. I can not change network. PC A must have connection to the SWITCH. On interface br99 is the same network for snmp for PC A.



EDIT:



With nftables 0.8.2 this configuration works.










share|improve this question









New contributor




2ndChosenOne is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.




















  • rewrote a comment Considering nftables is now at version 0.9, a lot might have changed since 0.5. It's recommended to have kernel >= 4.10 and nftables 0.9 for best results. Anyway Reproducing your setup with network namespaces, applying your nftables file, with nftables 0.9, 1st part is working as intended (nothing leaves through eth1.99 or eth1). A note: nftables cannot do stateful firewalling (contrary to the mix of ebtables+iptables), so you'll have to make rules that don't depend on any conntrack state (could be fine here).

    – A.B
    2 days ago












  • You should document how you made your settings on pc B (using commands like ip link, ip addr, diagnostics with possibly bridge fdb etc).

    – A.B
    2 days ago












  • thanks, you are right. with nftables 0.8.2 configuration works perfect too.

    – 2ndChosenOne
    21 hours ago














0












0








0








I would like to set firewall with nftables on PC B on interface eth1 (input only). Using whitelisting. Diagram is simplified (there is more VLANs) and everything work fine except bridge.



Requirements:



  • main policy drop

  • allow http (management of switch)

  • allow snmp

And I have problem with first one - main policy drop.



diagram



I found some instruction but it is not working for me. I tried something similar to my table inet filter. Drop all:



table bridge br 
chain input
type filter hook forward priority 0; policy drop;




PC A can still ping to SWITCH and connect to management of SWITCH via http.



  • tried hook input too

  • br99 is standard bridge set up with wicked

  • PCs - OpenSuse 42.3

  • nftables version 0.5

  • table inet has no impact to eth1.99

It is very simplified diagram. There is more switches and pcs in my system. I can not change network. PC A must have connection to the SWITCH. On interface br99 is the same network for snmp for PC A.



EDIT:



With nftables 0.8.2 this configuration works.










share|improve this question









New contributor




2ndChosenOne is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.












I would like to set firewall with nftables on PC B on interface eth1 (input only). Using whitelisting. Diagram is simplified (there is more VLANs) and everything work fine except bridge.



Requirements:



  • main policy drop

  • allow http (management of switch)

  • allow snmp

And I have problem with first one - main policy drop.



diagram



I found some instruction but it is not working for me. I tried something similar to my table inet filter. Drop all:



table bridge br 
chain input
type filter hook forward priority 0; policy drop;




PC A can still ping to SWITCH and connect to management of SWITCH via http.



  • tried hook input too

  • br99 is standard bridge set up with wicked

  • PCs - OpenSuse 42.3

  • nftables version 0.5

  • table inet has no impact to eth1.99

It is very simplified diagram. There is more switches and pcs in my system. I can not change network. PC A must have connection to the SWITCH. On interface br99 is the same network for snmp for PC A.



EDIT:



With nftables 0.8.2 this configuration works.







firewall bridge nftables






share|improve this question









New contributor




2ndChosenOne is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.











share|improve this question









New contributor




2ndChosenOne is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.









share|improve this question




share|improve this question








edited 21 hours ago







2ndChosenOne













New contributor




2ndChosenOne is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.









asked 2 days ago









2ndChosenOne2ndChosenOne

11




11




New contributor




2ndChosenOne is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.





New contributor





2ndChosenOne is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.






2ndChosenOne is a new contributor to this site. Take care in asking for clarification, commenting, and answering.
Check out our Code of Conduct.












  • rewrote a comment Considering nftables is now at version 0.9, a lot might have changed since 0.5. It's recommended to have kernel >= 4.10 and nftables 0.9 for best results. Anyway Reproducing your setup with network namespaces, applying your nftables file, with nftables 0.9, 1st part is working as intended (nothing leaves through eth1.99 or eth1). A note: nftables cannot do stateful firewalling (contrary to the mix of ebtables+iptables), so you'll have to make rules that don't depend on any conntrack state (could be fine here).

    – A.B
    2 days ago












  • You should document how you made your settings on pc B (using commands like ip link, ip addr, diagnostics with possibly bridge fdb etc).

    – A.B
    2 days ago












  • thanks, you are right. with nftables 0.8.2 configuration works perfect too.

    – 2ndChosenOne
    21 hours ago


















  • rewrote a comment Considering nftables is now at version 0.9, a lot might have changed since 0.5. It's recommended to have kernel >= 4.10 and nftables 0.9 for best results. Anyway Reproducing your setup with network namespaces, applying your nftables file, with nftables 0.9, 1st part is working as intended (nothing leaves through eth1.99 or eth1). A note: nftables cannot do stateful firewalling (contrary to the mix of ebtables+iptables), so you'll have to make rules that don't depend on any conntrack state (could be fine here).

    – A.B
    2 days ago












  • You should document how you made your settings on pc B (using commands like ip link, ip addr, diagnostics with possibly bridge fdb etc).

    – A.B
    2 days ago












  • thanks, you are right. with nftables 0.8.2 configuration works perfect too.

    – 2ndChosenOne
    21 hours ago

















rewrote a comment Considering nftables is now at version 0.9, a lot might have changed since 0.5. It's recommended to have kernel >= 4.10 and nftables 0.9 for best results. Anyway Reproducing your setup with network namespaces, applying your nftables file, with nftables 0.9, 1st part is working as intended (nothing leaves through eth1.99 or eth1). A note: nftables cannot do stateful firewalling (contrary to the mix of ebtables+iptables), so you'll have to make rules that don't depend on any conntrack state (could be fine here).

– A.B
2 days ago






rewrote a comment Considering nftables is now at version 0.9, a lot might have changed since 0.5. It's recommended to have kernel >= 4.10 and nftables 0.9 for best results. Anyway Reproducing your setup with network namespaces, applying your nftables file, with nftables 0.9, 1st part is working as intended (nothing leaves through eth1.99 or eth1). A note: nftables cannot do stateful firewalling (contrary to the mix of ebtables+iptables), so you'll have to make rules that don't depend on any conntrack state (could be fine here).

– A.B
2 days ago














You should document how you made your settings on pc B (using commands like ip link, ip addr, diagnostics with possibly bridge fdb etc).

– A.B
2 days ago






You should document how you made your settings on pc B (using commands like ip link, ip addr, diagnostics with possibly bridge fdb etc).

– A.B
2 days ago














thanks, you are right. with nftables 0.8.2 configuration works perfect too.

– 2ndChosenOne
21 hours ago






thanks, you are right. with nftables 0.8.2 configuration works perfect too.

– 2ndChosenOne
21 hours ago











0






active

oldest

votes












Your Answer








StackExchange.ready(function()
var channelOptions =
tags: "".split(" "),
id: "106"
;
initTagRenderer("".split(" "), "".split(" "), channelOptions);

StackExchange.using("externalEditor", function()
// Have to fire editor after snippets, if snippets enabled
if (StackExchange.settings.snippets.snippetsEnabled)
StackExchange.using("snippets", function()
createEditor();
);

else
createEditor();

);

function createEditor()
StackExchange.prepareEditor(
heartbeatType: 'answer',
autoActivateHeartbeat: false,
convertImagesToLinks: false,
noModals: true,
showLowRepImageUploadWarning: true,
reputationToPostImages: null,
bindNavPrevention: true,
postfix: "",
imageUploader:
brandingHtml: "Powered by u003ca class="icon-imgur-white" href="https://imgur.com/"u003eu003c/au003e",
contentPolicyHtml: "User contributions licensed under u003ca href="https://creativecommons.org/licenses/by-sa/3.0/"u003ecc by-sa 3.0 with attribution requiredu003c/au003e u003ca href="https://stackoverflow.com/legal/content-policy"u003e(content policy)u003c/au003e",
allowUrls: true
,
onDemand: true,
discardSelector: ".discard-answer"
,immediatelyShowMarkdownHelp:true
);



);






2ndChosenOne is a new contributor. Be nice, and check out our Code of Conduct.









draft saved

draft discarded


















StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f510083%2fnftables-and-bridge%23new-answer', 'question_page');

);

Post as a guest















Required, but never shown

























0






active

oldest

votes








0






active

oldest

votes









active

oldest

votes






active

oldest

votes








2ndChosenOne is a new contributor. Be nice, and check out our Code of Conduct.









draft saved

draft discarded


















2ndChosenOne is a new contributor. Be nice, and check out our Code of Conduct.












2ndChosenOne is a new contributor. Be nice, and check out our Code of Conduct.











2ndChosenOne is a new contributor. Be nice, and check out our Code of Conduct.














Thanks for contributing an answer to Unix & Linux Stack Exchange!


  • Please be sure to answer the question. Provide details and share your research!

But avoid


  • Asking for help, clarification, or responding to other answers.

  • Making statements based on opinion; back them up with references or personal experience.

To learn more, see our tips on writing great answers.




draft saved


draft discarded














StackExchange.ready(
function ()
StackExchange.openid.initPostLogin('.new-post-login', 'https%3a%2f%2funix.stackexchange.com%2fquestions%2f510083%2fnftables-and-bridge%23new-answer', 'question_page');

);

Post as a guest















Required, but never shown





















































Required, but never shown














Required, but never shown












Required, but never shown







Required, but never shown

































Required, but never shown














Required, but never shown












Required, but never shown







Required, but never shown







Popular posts from this blog

getting Checkpoint VPN SSL Network Extender working in the command lineHow to connect to CheckPoint VPN on Ubuntu 18.04LTS?Will the Linux ( red-hat ) Open VPNC Client connect to checkpoint or nortel VPN gateways?VPN client for linux machine + support checkpoint gatewayVPN SSL Network Extender in FirefoxLinux Checkpoint SNX tool configuration issuesCheck Point - Connect under Linux - snx + OTPSNX VPN Ububuntu 18.XXUsing Checkpoint VPN SSL Network Extender CLI with certificateVPN with network manager (nm-applet) is not workingWill the Linux ( red-hat ) Open VPNC Client connect to checkpoint or nortel VPN gateways?VPN client for linux machine + support checkpoint gatewayImport VPN config files to NetworkManager from command lineTrouble connecting to VPN using network-manager, while command line worksStart a VPN connection with PPTP protocol on command linestarting a docker service daemon breaks the vpn networkCan't connect to vpn with Network-managerVPN SSL Network Extender in FirefoxUsing Checkpoint VPN SSL Network Extender CLI with certificate

Cannot Extend partition with GParted The 2019 Stack Overflow Developer Survey Results Are In Announcing the arrival of Valued Associate #679: Cesar Manara Planned maintenance scheduled April 17/18, 2019 at 00:00UTC (8:00pm US/Eastern) 2019 Community Moderator Election ResultsCan't increase partition size with GParted?GParted doesn't recognize the unallocated space after my current partitionWhat is the best way to add unallocated space located before to Ubuntu 12.04 partition with GParted live?I can't figure out how to extend my Arch home partition into free spaceGparted Linux Mint 18.1 issueTrying to extend but swap partition is showing as Unknown in Gparted, shows proper from fdiskRearrange partitions in gparted to extend a partitionUnable to extend partition even though unallocated space is next to it using GPartedAllocate free space to root partitiongparted: how to merge unallocated space with a partition

Marilyn Monroe Ny fiainany manokana | Jereo koa | Meny fitetezanafanitarana azy.