Showing results for tags 'nftables'.
Found 3 results
-
Eddie seems to be missing one crucial rule in its IPv6 network lock. In the OUTPUT chain, there should be the same entry as in the INPUT chain:

icmpv6 type nd-router-advert ip6 hoplimit 255 counter packets 0 bytes 0 accept
icmpv6 type nd-neighbor-solicit ip6 hoplimit 255 counter packets 0 bytes 0 accept
icmpv6 type nd-neighbor-advert ip6 hoplimit 255 counter packets 0 bytes 0 accept
icmpv6 type nd-redirect ip6 hoplimit 255 counter packets 0 bytes 0 accept

This is needed because some router vendors and Linux distros use global unicast addresses in NDP instead of link-local addresses. Somebody else has observed and documented the same issue: https://blog.apnic.net/2023/01/30/interesting-ipv6-ndp-observation/ If the rule is missing, all the IPv6 traffic drops after a while because the router does not get a reply from the computer to its NDP packets. If the router/OS used only link-local addresses for NDP, there would not be an issue. But this is not the case for many people. I hope AirVPN staff will fix this in the Eddie network lock rules.
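To make the point concrete, here is an added nftables ruleset (not Eddie's or AirVPN's actual configuration) with the four NDP accepts from the post mirrored into the output chain alongside the input chain. The table name, chain names and the tunnel interface name "tun0" are assumptions for illustration only.

```nftables
#!/usr/sbin/nft -f
# Added example, not Eddie's real network-lock ruleset.
flush ruleset

table inet lock_example {
    chain input {
        type filter hook input priority 0; policy drop;
        iif lo accept
        ct state established,related accept
        # NDP from the router must be accepted inbound; hoplimit 255 means
        # the packet was not forwarded and comes from the local link.
        icmpv6 type { nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, nd-redirect } ip6 hoplimit 255 counter accept
    }

    chain output {
        type filter hook output priority 0; policy drop;
        oif lo accept
        ct state established,related accept
        # The piece the post says is missing: the host's own NDP replies.
        # Without this, neighbor advertisements sent from a global unicast
        # address are dropped and the router eventually stops forwarding
        # IPv6 for this host.
        icmpv6 type { nd-router-advert, nd-neighbor-solicit, nd-neighbor-advert, nd-redirect } ip6 hoplimit 255 counter accept
        # Tunnel traffic and any other allowed destinations would follow (assumed name)
        oifname "tun0" accept
    }
}
```

After loading, `nft list chain inet lock_example output` should show the NDP rule with a counter that climbs when the router probes the host; a counter stuck at zero while IPv6 dies off is the symptom the post describes.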
-
Debian 11, nftables v1.0.6, Bluetit 1.3.0. Hello all, I'm trying to add an nftables input rule. In my very limited understanding the standard way to do this would be to add it to /etc/nftables.conf. Would that still work if using Bluetit's persistent network-lock feature? Based on a cursory look through Bluetit's code it seems that Bluetit flushes the nftables rules and then replaces them with a full working kill-switch configuration. That would prevent my input rule from taking effect, correct? If so, how do I go about adding my nftables rule in conjunction with Bluetit's kill switch? My first thought was a small daemon to run

nft insert rule filter input ip saddr <badip> drop

after Bluetit has loaded on boot, but it occurs to me that should Bluetit ever disable/enable network-lock then the rule would get overwritten. Thanks!
-
I run the command nft list tables and I get this output:

table inet filter
table ip6 wg-quick-tun0
table ip wg-quick-tun0

So the question is: why are there separate tables for IP4 & IP6? Why not just have it be an inet connection?