Subj : nftables kernel config
To : Benny Pedersen
From : Maurice Kinal
Date : Tue Dec 05 2017 05:13:44

Hey Benny!

----- ":read !uname -a" starts
Linux mikey 4.13.16 #1 SMP Mon Dec 4 23:14:59 UTC 2017 x86_64 Intel(R) Atom(TM) CPU C2758 @ 2.40GHz GenuineIntel GNU/Linux
----- ":read !uname -a" ends

----- ":read !zgrep CONFIG_NFT /proc/config.gz" starts
CONFIG_NFT_EXTHDR=m
CONFIG_NFT_META=m
CONFIG_NFT_RT=m
CONFIG_NFT_NUMGEN=m
CONFIG_NFT_CT=m
CONFIG_NFT_SET_RBTREE=m
CONFIG_NFT_SET_HASH=m
CONFIG_NFT_SET_BITMAP=m
CONFIG_NFT_COUNTER=m
CONFIG_NFT_LOG=m
CONFIG_NFT_LIMIT=m
CONFIG_NFT_MASQ=m
CONFIG_NFT_REDIR=m
CONFIG_NFT_NAT=m
CONFIG_NFT_OBJREF=m
CONFIG_NFT_QUEUE=m
CONFIG_NFT_QUOTA=m
CONFIG_NFT_REJECT=m
CONFIG_NFT_REJECT_INET=m
CONFIG_NFT_COMPAT=m
CONFIG_NFT_HASH=m
CONFIG_NFT_FIB=m
CONFIG_NFT_FIB_INET=m
CONFIG_NFT_DUP_NETDEV=m
CONFIG_NFT_FWD_NETDEV=m
CONFIG_NFT_CHAIN_ROUTE_IPV4=m
CONFIG_NFT_REJECT_IPV4=m
CONFIG_NFT_DUP_IPV4=m
CONFIG_NFT_FIB_IPV4=m
CONFIG_NFT_CHAIN_NAT_IPV4=m
CONFIG_NFT_MASQ_IPV4=m
CONFIG_NFT_REDIR_IPV4=m
CONFIG_NFT_CHAIN_ROUTE_IPV6=m
CONFIG_NFT_REJECT_IPV6=m
CONFIG_NFT_DUP_IPV6=m
CONFIG_NFT_FIB_IPV6=m
CONFIG_NFT_CHAIN_NAT_IPV6=m
CONFIG_NFT_MASQ_IPV6=m
CONFIG_NFT_REDIR_IPV6=m
----- ":read !zgrep CONFIG_NFT /proc/config.gz" ends

I tested nft out by creating this file:

----- /etc/sysconfig/ipv4-masq starts
table ip nat {
    chain prerouting {
        type nat hook prerouting priority 0; policy accept;
    }
    chain postrouting {
        type nat hook postrouting priority 100; policy accept;
        oifname "eth0" masquerade
    }
}
----- /etc/sysconfig/ipv4-masq ends

I then call it up from an rc script by adding these commands:

echo 1 > /proc/sys/net/ipv4/ip_forward
/sbin/nft -f /etc/sysconfig/ipv4-masq

It worked but needs some further tweaking to only masquerade for the wlan0 interface to eth0, which is configured for a static ipv4 internet address.
Also I need to make it work on the machine/kernel where it actually matters:

----- ":read !ssh lmbrain 'uname -a'" starts
Linux lilmikey 4.14.3 #1 SMP Mon Dec 4 05:36:50 UTC 2017 x86_64 Intel(R) Atom(TM) CPU N2800 @ 1.86GHz GenuineIntel GNU/Linux
----- ":read !ssh lmbrain 'uname -a'" ends

At the moment it is still using iptables to masquerade for the wireless to its internet connection. From what I've researched thus far it appears nft is the preferred method over iptables, or at least is becoming so. As for me, I personally don't have an opinion on this matter but I am guessing at least three of my neighbours whose so-called smartphones use the wireless to connect to the internet do care ... although they are oblivious as to the potential 'upgrade'. ;-)

Anyhow I thought you might be interested.

Life is good,
Maurice

.... Don't cry for me I have vi.
--- GNU bash, version 4.4.12(1)-release (x86_64-silvermont-linux-gnu)
 * Origin: Little Mikey's Brain - Ladysmith BC, Canada (1:153/7001)
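The "further tweaking" Maurice mentions, restricting the masquerade to traffic coming in on wlan0 and going out on eth0, as an added example that is not part of his message. The interface names wlan0 and eth0 and the ip_forward/nft -f commands come from the message; the iifname match, the extra inet filter table with a drop-by-default forward chain, the flush ruleset line and the function names are my additions and assumptions. Run it with no arguments to print the ruleset, or as root with "apply" to load it.

```shell
#!/bin/sh
# Added example, not from the original message: an nftables ruleset that
# masquerades only packets forwarded from the wireless interface (LAN) to
# the static-address wired interface (WAN), plus a forward-chain filter so
# that no other direction is routed at all. Assumptions: interface names
# default to wlan0/eth0 as in the message; 'flush ruleset' is used so the
# script is idempotent, which also wipes any other nft tables on the box.

# Print the ruleset for LAN=$1 (default wlan0) and WAN=$2 (default eth0).
ipv4_masq_ruleset() {
    lan="${1:-wlan0}"
    wan="${2:-eth0}"
    cat <<EOF
flush ruleset

table ip nat {
    chain prerouting {
        type nat hook prerouting priority 0; policy accept;
    }
    chain postrouting {
        type nat hook postrouting priority 100; policy accept;
        # For forwarded packets the ingress device is still known in the
        # postrouting hook, so this matches only $lan -> $wan traffic and
        # leaves the router's own outbound packets untouched.
        iifname "$lan" oifname "$wan" masquerade
    }
}

table inet filter {
    chain forward {
        type filter hook forward priority 0; policy drop;
        # Replies to connections the wireless clients opened.
        ct state established,related accept
        # New connections only from the wireless side towards the internet.
        iifname "$lan" oifname "$wan" ct state new accept
    }
}
EOF
}

# Load it: check the syntax first (nft -c) so a typo cannot leave the box
# with forwarding on and no NAT, then enable forwarding the way the rc
# script does and feed the ruleset to nft on stdin. '-f -' reads standard
# input; if your nft does not accept '-', use /dev/stdin instead.
apply_ipv4_masq() {
    ipv4_masq_ruleset "$@" | nft -c -f - || return 1
    echo 1 > /proc/sys/net/ipv4/ip_forward
    ipv4_masq_ruleset "$@" | nft -f -
}

case "${1:-}" in
    apply) apply_ipv4_masq "$2" "$3" ;;
    *)     ipv4_masq_ruleset "$1" "$2" ;;
esac
```

Keeping the filter table separate from the nat table means the nat rules can stay as small as the original /etc/sysconfig/ipv4-masq while the forward policy decides what is allowed to cross the router at all; with policy drop, a host that is not on wlan0 cannot get forwarded even if it is reachable from eth0.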