Tag: nftables

  • On nftables marks set in the output hook not being routed

    I tracked it down to two causes.
    1. The output hook chain can only be a route chain, not a filter chain, whereas prerouting can only be a filter chain.
    It has to be written like this:
    nft add chain inet fw4 gfw_output { type route hook output priority mangle\; policy accept\; }
    filter's priority is lower than route's.
    The official documentation says:

    filter: Supported by arp, bridge, ip, ip6 and inet table families.
    route: Mark packets (like mangle for the output hook, for other hooks use the type filter instead), supported by ip and ip6.
    nat: In order to perform Network Address Translation, supported by ip and ip6.
    2. The source IP of locally originated traffic
    Probably because the default route is on the wan interface, locally generated packets always carry the wan interface's IP as source, and that IP is an ISP-assigned address in the 100.64.0.0/10 range. The remote server then has no route back to 100.64.0.0/10, so packets go out and never return; a route for that range has to be configured on the server.
    With WireGuard, adding 100.64.0.0/10 to AllowedIPs is enough.

    Reference:
    https://forums.gentoo.org/viewtopic-t-1136379-start-0.html

  • Using nftables sets (nftset)

    A set in nft belongs to a table, unlike ipset where sets are global, so the table has to exist first.

    nft list tables
    nft add table inet gfw
    nft add set inet gfw GFWLIST { type ipv4_addr\; }
    nft add set inet gfw GFWLIST6 { type ipv6_addr\; }
    

    Add an IP address

    nft add element inet gfw GFWLIST { 111.22.33.4 }
    nft list set inet gfw GFWLIST
    

    Delete an IP address

    nft delete element inet gfw GFWLIST { 20.205.243.166 }
    

    Configuring nftset on OpenWrt

    On OpenWrt the default table is fw4 and its family is inet.

    About family:
    ip    IPv4 only
    ip6   IPv6 only
    inet  dual stack (IPv4 and IPv6)
    When no family is given, nft defaults to ip (IPv4); dnsmasq likewise defaults to IPv4 when no family is given.
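As an added example that is not part of the original posts, here is a complete nftables ruleset file (loaded with `nft -f`) that ties together the set handling from this post and the route/filter chain distinction from the mark-routing post above. It uses its own table rather than the fw4 table that OpenWrt manages. The table name gfw, the set names, the mark value 0x1, the routing table number 100 and the interface name wg0 are assumptions, and the 203.0.113.0/24 and 2001:db8::/32 entries are constructed documentation prefixes.

```nft
#!/usr/sbin/nft -f
# Added example (not from the original posts): a standalone table for
# mark-based policy routing of traffic to addresses held in sets.
# Table/set names, the mark value and the addresses are assumptions.

table inet gfw {
    # One set per address family; "interval" allows prefixes as well as
    # single addresses, which is what dnsmasq or a script will add later.
    set GFWLIST {
        type ipv4_addr
        flags interval
        elements = { 203.0.113.0/24 }   # constructed sample (TEST-NET-3)
    }
    set GFWLIST6 {
        type ipv6_addr
        flags interval
        elements = { 2001:db8::/32 }    # constructed sample (documentation prefix)
    }

    # Locally generated traffic: the output hook needs a "route" chain so
    # the kernel re-evaluates the route after the mark has been set.
    chain gfw_output {
        type route hook output priority mangle; policy accept;
        ip daddr @GFWLIST counter meta mark set 0x1
        ip6 daddr @GFWLIST6 counter meta mark set 0x1
    }

    # Forwarded traffic from LAN clients: prerouting only accepts "filter"
    # chains, and the mark is applied before the routing decision anyway.
    chain gfw_prerouting {
        type filter hook prerouting priority mangle; policy accept;
        ip daddr @GFWLIST counter meta mark set 0x1
        ip6 daddr @GFWLIST6 counter meta mark set 0x1
    }
}
```

The mark does nothing on its own; it needs a matching policy-routing rule, for example `ip rule add fwmark 0x1 lookup 100` followed by `ip route add default dev wg0 table 100` (both assumptions for a WireGuard uplink). Entries are then added at runtime exactly as in the post, `nft add element inet gfw GFWLIST { 111.22.33.4 }`, and the counters in `nft list table inet gfw` show whether packets are actually being marked, which is the first thing to check when marked traffic does not get through. If the marked traffic leaves with the wan address as its source, the peer still needs a return route for that range, as the mark-routing post describes for 100.64.0.0/10.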


  • Common nftables commands

    • List the whole ruleset

      nft list ruleset

    • List a specific chain

      nft list chain filter INPUT

    • List all chains

      nft list chains

    • List a specific table

      nft list table filter

    • List all tables

      nft list tables

    • Add a table

      A table must exist before any chain can be added.

      nft add table test
      With no family given, the table is created in the ip family.
      nft add table inet test
      Family inet handles both IPv4 and IPv6.

    • Add a chain

      nft add chain inet test test { type filter hook output priority 0\; }
      The semicolon has to be escaped so the shell passes it through to nft.
      nft add chain inet test test
      Without a hook this creates a regular chain that is only reached via jump or goto.
      
    • Add a rule

      nft add rule inet test test ip daddr 8.8.8.8 counter

    • Delete a rule

      First list the rules with nft -a to see their handle numbers, then:

      nft delete rule inet test test handle 3
      nft delete rule filter FORWARD handle 88
      
    • Configure NAT
      1. SNAT
      nft add table nat
      nft add chain nat POSTROUTING { type nat hook postrouting priority srcnat\; policy accept\; }
      nft add rule nat POSTROUTING iifname wg2 oifname eth0 counter snat to 172.31.25.80

      or

      nft add rule nat POSTROUTING iifname wg2 oifname eth0 counter masquerade

      snat performs better than masquerade

      2. DNAT
      nft add table inet nat
      nft add chain inet nat prerouting { type nat hook prerouting priority dstnat\; policy accept\; }
      nft add rule inet nat prerouting tcp dport 443 counter redirect to :8006
      

    When no table family is given, nft defaults to ip, i.e. an IPv4 table; to handle IPv6 as well, use the inet family.
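As an added example, not part of the original post, here is the NAT section collected into one ruleset file for `nft -f`, using a single inet table so the same chains cover IPv4 and IPv6. The interface names, the 172.31.25.80 address from the post, and the 192.0.2.10 port-forward target (constructed, TEST-NET-2) are assumptions.

```nft
#!/usr/sbin/nft -f
# Added example: SNAT/masquerade and DNAT/redirect in one inet table.
# Interface names and the dnat target are assumptions, not from the post.

table inet nat {
    chain postrouting {
        type nat hook postrouting priority srcnat; policy accept;
        # Fixed egress address: snat skips the per-packet address lookup
        # that masquerade performs, which is why the post prefers it.
        iifname "wg2" oifname "eth0" counter snat ip to 172.31.25.80
        # Dynamic egress address (PPPoE/DHCP on wan): masquerade instead,
        # since the address may change after the rule is loaded.
        iifname "wg2" oifname "pppoe-wan" counter masquerade
    }

    chain prerouting {
        type nat hook prerouting priority dstnat; policy accept;
        # Local redirect: the same 443 -> 8006 mapping the post shows.
        tcp dport 443 counter redirect to :8006
        # Port forward to an internal host (constructed address).
        iifname "eth0" tcp dport 2222 counter dnat ip to 192.0.2.10:22
    }
}
```

Both `snat` and `dnat` carry an explicit `ip` family keyword here because the table is inet; in an ip-family table, as in the post's POSTROUTING example, the plain `snat to` form is enough. `nft list table inet nat` shows the counters, which is the quickest way to confirm that a redirect or forward is actually matching before looking for the problem elsewhere.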


  • Proxmox VE tuning

    • Remove the subscription pop-up
      Method 1:
    sed -Ezi.bak "s/(Ext.Msg.show\(\{\s+title: gettext\('No valid sub)/void\(\{ \/\/\1/g" /usr/share/javascript/proxmox-widget-toolkit/proxmoxlib.js && systemctl restart pveproxy.service
    

    Method 2:

    sed -i_orig "s/data.status === 'Active'/true/g" /usr/share/pve-manager/js/pvemanagerlib.js
    sed -i_orig "s/if (res === null || res === undefined || \!res || res/if(/g" /usr/share/javascript/proxmox-widget-toolkit/proxmoxlib.js
    sed -i_orig "s/.data.status.toLowerCase() !== 'active'/false/g" /usr/share/javascript/proxmox-widget-toolkit/proxmoxlib.js
    systemctl restart pveproxy
    

    Then force-refresh the browser with Ctrl+F5 and log in again.

    • Connect on port 443

    iptables -t nat -A PREROUTING -p tcp --dport 443 -j REDIRECT --to-ports 8006
    ip6tables -t nat -A PREROUTING -p tcp --dport 443 -j REDIRECT --to-ports 8006
    

    or

    nft add table inet nat
    nft add chain inet nat prerouting { type nat hook prerouting priority dstnat\; policy accept\; }
    nft add rule inet nat prerouting tcp dport 443 counter redirect to :8006
    
