nftables rules unexpectedly modified at boot
Posted: 2019/10/12 02:35:22
I am using nftables with my own config files. I write the tables to /etc/sysconfig/nftables.conf so that nftables.service loads them at boot time.
firewalld.service is disabled
After reboot the nftables are loaded OK but the following rules are unexpectedly appended. The word "bridge" gives a clue.
I am not using virtual machines.
I have done: virsh net-autostart default --disable - no bridge devices are created (virbr0 etc).
What is adding to my rules and how can I disable it? It could be ebtables related but I have not found where.
Any ideas where to look?
Thanks
Alan
===== Appended Extra Rules =====
table ip mangle {
    chain PREROUTING {
        type filter hook prerouting priority -150; policy accept;
    }
}
table ip filter {
    chain INPUT {
        type filter hook input priority 0; policy accept;
    }
    chain FORWARD {
        type filter hook forward priority 0; policy accept;
    }
    chain OUTPUT {
        type filter hook output priority 0; policy accept;
    }
}
table ip6 filter {
    chain INPUT {
        type filter hook input priority 0; policy accept;
    }
    chain FORWARD {
        type filter hook forward priority 0; policy accept;
    }
    chain OUTPUT {
        type filter hook output priority 0; policy accept;
    }
}
table bridge filter {
    chain INPUT {
        type filter hook input priority -200; policy accept;
    }
    chain FORWARD {
        type filter hook forward priority -200; policy accept;
    }
    chain OUTPUT {
        type filter hook output priority -200; policy accept;
    }
}