Hi list,

I'm studying nftables. I'm using CentOS 8.1 (Gnome) and I disabled firewalld. I noticed that a default policy is created with tables and chains, probably for firewalld.

So I created a .nft script where I stored my rules with a flush for the previous ruleset, then saved it as /etc/sysconfig/nftables.conf and enabled the nftables service.

Running the script with nft -f script.nft, all works as expected, but when rebooting, running nft list ruleset I find my rules and the default policy (chains and tables) that I would not have in my configuration.

My nftables.conf contains only my ruleset.

For example, running nft list tables I found several default tables like:

table ip filter
table ip6 filter
table bridge filter
table ip nat
table ip mangle

So probably there is something that is applying its policy, but I do not know what it is.

Can someone point me in the right direction?

Thank you in advance.
On 17/04/20 11:01, Alessandro Baggi wrote:
> Can someone point me in the right direction?

Hi, I have not received any replies, but I tried to investigate. After checking the configuration files in my system I supposed that this could be caused by a daemon, and I found that libvirtd pushes some rules.

Running virsh nwfilter-list I get:

 UUID                                  Nome
------------------------------------------------------------------
 34fe8cba-af99-4438-8efc-b135143425e2  allow-arp
 dc110112-3824-4cf3-946f-ba6e15cd29c3  allow-dhcp
 fecc383a-bab5-465d-a5be-98834fb626ce  allow-dhcp-server
 761e7132-8738-47c2-8101-275d6fd6a347  allow-incoming-ipv4
 d37b017f-8f21-4ad0-9fa6-052a5cb1ed2e  allow-ipv4
 a8c740d5-328c-452e-bae7-9828c54f95b7  clean-traffic
 296bdfad-11d9-4aa0-9817-4656ef2be6e5  clean-traffic-gateway
 69215a61-bff5-482a-b913-589bb1ce18f2  no-arp-ip-spoofing
 70c61f0a-c005-407f-843d-d13c2495f05d  no-arp-mac-spoofing
 386cd2f4-7272-43e2-ba1f-80cb3518649c  no-arp-spoofing
 9117fa21-e3d6-4c32-9cdf-af97ebd6599e  no-ip-multicast
 7a964470-4f74-4eef-9fec-a0e9a79e168d  no-ip-spoofing
 8c9e45a3-5d44-4641-b23d-eded5c1f1632  no-mac-broadcast
 82dcd4f0-f55a-43ad-b520-d4c8d4bf37cd  no-mac-spoofing
 bdd0ba54-7ce0-4a2c-9c25-c24072d364ba  no-other-l2-traffic
 fc50783e-d32b-42ba-8380-7576c4388244  no-other-rarp-traffic
 edfc1bb3-b325-4f8d-8c5b-423e55da66eb  qemu-announce-self
 8556bd82-dc97-47b0-b573-5986ebbad3b2  qemu-announce-self-rarp

If I remove these libvirt filters, will I get errors?

Thank you in advance.
I had the same problem. If you are not using virtual machines then

# systemctl disable libvirtd

works and is easily reversible.

Alan

On 18/04/2020 23:03, Alessandro Baggi wrote:
> If I remove these libvirt filters, will I get errors?

_______________________________________________
CentOS mailing list
CentOS at centos.org
https://lists.centos.org/mailman/listinfo/centos
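A quick way to find out which tables in the live ruleset are not yours, so that an extra daemon rewriting the firewall (libvirtd in this thread) is noticed after every boot. This is an added example, not code posted by anyone on the list; the function names unexpected_tables, declared_tables and live_tables, the sample nftables.conf and the sample nft list tables output are all constructed for it, and it compares the tables a .nft config declares against a saved copy of what nft list tables prints.

```shell
#!/bin/sh
# Added example: list tables in the live nftables ruleset that our own config
# never declared, i.e. tables another service (libvirtd, firewalld) created.
LC_ALL=C; export LC_ALL   # deterministic sort order shared by sort(1) and comm(1)

# "family name" pairs declared in a .nft config ("table inet x {" or "add table inet x").
declared_tables() {
    awk '$1 == "table"                { sub(/[{].*/, "", $3); print $2, $3 }
         $1 == "add" && $2 == "table" { sub(/[{].*/, "", $4); print $3, $4 }' "$1" | sort -u
}

# "family name" pairs from saved `nft list tables` output ("table ip filter").
live_tables() {
    awk '$1 == "table" && NF >= 3 { print $2, $3 }' "$1" | sort -u
}

# Print live tables that the config does not declare, one "family name" per line.
unexpected_tables() {
    d=$(mktemp); l=$(mktemp)
    declared_tables "$1" > "$d"
    live_tables "$2" > "$l"
    comm -13 "$d" "$l"          # lines present only in the live list
    rm -f "$d" "$l"
}

# Constructed sample config: a single inet table, as in the thread's setup.
SAMPLE_CONF=$(mktemp)
cat > "$SAMPLE_CONF" <<'EOF'
#!/usr/sbin/nft -f
flush ruleset
table inet myfilter {
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
    }
}
EOF
# Constructed `nft list tables` output after reboot: our table plus the
# extra ip/ip6/bridge tables the thread found.
SAMPLE_LIVE=$(mktemp)
cat > "$SAMPLE_LIVE" <<'EOF'
table inet myfilter
table ip filter
table ip6 filter
table bridge filter
table ip nat
table ip mangle
EOF
trap 'rm -f "$SAMPLE_CONF" "$SAMPLE_LIVE"' EXIT

# On a real host: nft list tables > live.txt; unexpected_tables /etc/sysconfig/nftables.conf live.txt
unexpected_tables "$SAMPLE_CONF" "$SAMPLE_LIVE"
```

For each table reported, nft list table <family> <name> shows the chains and rules that were injected, and running nft monitor in a second terminal while (re)starting a suspect service shows the moment it adds them.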