Yes, you can redefine an already existing base chain's policy without changing its content. There's no separate keyword for this, it's still add:
nft add chain family mytable mychain '{ policy drop; }'
Complete example in a namespace:
test.nft:
flush ruleset
table ip t {
chain c {
type filter hook output priority 0; policy accept;
oif lo accept
counter
}
}
setup:
# ip netns add test
# ip netns exec test nft -f test.nft
alteration:
# ip netns exec test nft add 'chain ip t c { policy drop; }'
# ip netns exec test nft list ruleset
table ip t {
chain c {
type filter hook output priority filter; policy drop;
oif "lo" accept
counter packets 0 bytes 0
}
}
The policy was changed without altering the rules. Using nft 0.9.5 and kernel 5.7.x here. Depending on version, behaviour might differ.
There's a kernel commit from 2015 allowing one to do just this:
Before this (around kernel 4.1), one had to provide the base chain definition again (which can't be changed, by the way):
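As an added example (not part of the answer above), here is a small POSIX shell/awk audit that reads the text format `nft list ruleset` prints, as shown in the answer, and reports each base chain's policy, so the effect of `nft add chain ... { policy drop; }` can be verified and any base chain still left at `policy accept` can be spotted. The embedded ruleset is a constructed sample, and the chain names `outbound`, `inbound` and `notbase` are assumptions; on a live system you would pipe `nft list ruleset` into the functions instead.

```shell
#!/bin/sh
# Audit base-chain policies from `nft list ruleset` text.
# Added example, not code from the original answer. It assumes nft's list
# output format as shown in the answer: every base chain has exactly one
# "type ... hook ... priority ...; policy X;" line; non-base chains have none.

base_chain_policies() {
    # stdin: ruleset text
    # stdout: "<family> <table> <chain> <policy>", one line per base chain
    awk '
    /^table /                            { table = $2 " " $3 }
    /^[[:space:]]*chain /                { chain = $2 }
    /^[[:space:]]*type .*hook .*policy / {
        sub(/.*policy /, "")             # keep what follows "policy "
        sub(/;.*/, "")                   # drop the trailing ";"
        print table, chain, $0
    }'
}

# Base chains still at "policy accept": the ones a default-deny review flags.
accept_chains() {
    base_chain_policies | awk '$4 == "accept"'
}

# Constructed sample ruleset (not captured from a live system); chain names
# are hypothetical. "outbound" has already been switched to drop, "inbound"
# has not, and "notbase" is a regular (non-base) chain with no policy.
SAMPLE_RULESET='table ip t {
    chain outbound {
        type filter hook output priority filter; policy drop;
        oif "lo" accept
        counter packets 0 bytes 0
    }
    chain inbound {
        type filter hook input priority filter; policy accept;
        ct state established,related accept
    }
    chain notbase {
        counter
    }
}'

# Usage: on a real host, replace the printf with `nft list ruleset | base_chain_policies`
printf '%s\n' "$SAMPLE_RULESET" | base_chain_policies
printf '%s\n' "$SAMPLE_RULESET" | accept_chains
```

Run the first function before and after the `nft add chain` command from the answer to confirm that only the policy column changes; the second function is a quick check that no base chain on the host was left at `accept` by mistake.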