nftables

Are you using the latest Linux kernel firewall?. Here are some notes I've saved that I use and forget all the time.
I plan to add to this as I do more. Hopefully it helps you work something out one day.

Note: I am using inet tables combining my IPv4 and IPv6 rulesets.

List Tables

sudo nft list table inet filter -n -a
sudo nft list table inet nat -n -a

  • -n: numeric
  • -a: handle (object handles)

Add a rule

nft insert rule inet filter OUTPUT position 0 icmpv6 type {nd-router-advert} drop

Delete a rule

nft delete rule inet filter OUTPUT handle 41

ICMPv6 Types

Noting some handy IPv6 ICMP types. I use nftables to block RAs when my WAN is down.

  • nd-router-advert == 134

tcpdump expressions

  • tcpdump -v -i en0 'ip6[40] = 134'

Related Posts

Stop IPv4 Point-To-Point Addressing your Networks

IPv4 addressing on links is no longer required to route IPv4. What you say?? Yes, you can stop IPv4 addressing your point to point links with Legacy…

NAT64: Using `jool` on Ubuntu 20.04

I found that jool has very good tutorials, but all the commands to get going are hidden in these large tutorials. Here are the steps I took…

Raspberry Pi Powered Fireplace

Mr Aijay Adams and I am back making my Fireplace Internet / Smart device controllable. Now, via a very sexy Web UI, when I’m heading back to…

RPM vs OPKG Cheat Sheet

Recently in the Terragraph project I work on we changed from RPM to OPKG to removes some dependencies (e.g. perl) and make our overall image size smaller….

Ansible + Handy PyPI CLI Tools

I often use a lot of PyPI CLI tools. Here is an example of how to get them easily installed and kept up to date via Ansible…

IPv6 + Flow labels

Recently a teammate and I have come across a frame forwarding issue with ECMP on a hardware ASIC in a device I work on where the use…

Leave a Reply

Your email address will not be published.