| View previous topic :: View next topic |
| Author |
Message |
prettyflyfora-
n00b
Joined: 09 Jul 2021
Posts: 19
|
 Posted: Thu Aug 04, 2022 10:08 pm Post subject: Major slowdown on nftables with some programs |
 |
|
I've recently set up nftables, pretty much with the ruleset laid out as an example on the wiki.
This works for 99% of applications, even including gaming, but I've noticed a few idocincracies.
For one, ncmpcpp and mpc eventually do connect to mpd, but only after a long hang and sometimes even timing out.
A solution I found was to pass the port (6600) and the host (127.0.0.1) directly to the programs in the command line arguments, but this is hacky and should be covered by the rule
Another program that stalls out is jwhois, or any of the other whois programs.
It runs perfectly fast without nftables enabled, but stalls so long I've given up waiting.
Of course, if I visit arin.net in a browser, it doesn't hang and loads fine.
I'm still pretty new to nftables, so if there is a way to diagnose or more information you need, please ask.
My nftables ruleset:
| Code: | #!/sbin/nft -f
flush ruleset
table ip filter {
chain input {
type filter hook input priority -1; policy drop;
iif "lo" accept comment "accept loopback"
ct state 0x1 drop comment "drop all invalid packets"
ct state { 0x2, 0x4 } accept comment "accept all connections related to connections made by us"
iif != "lo" ip daddr 127.0.0.0/8 drop comment "drop connections to loopback that don't come from loopback"
ip protocol 1 accept comment "accept all ICMP types"
tcp dport 22 ip saddr 192.168.0.0/16 log prefix "New SSH connection: " accept comment "accept SSH only from LAN devices"
}
chain forward {
type filter hook forward priority 0; policy drop;
}
chain output {
type filter hook output priority 0; policy accept;
}
}
table ip6 filter {
chain input {
type filter hook output priority 0; policy drop;
iif "lo" accept comment "accept loopback"
ct state 0x1 drop comment "drop all invalid packets"
ct state { 0x2, 0x4 } accept comment "accept all connections related to connections made by us"
iif != "lo" ip6 daddr ::1/128 drop comment "drop connections to loopback that don't come from loopback"
ip6 nexthdr 58 accept comment "accept all ICMP types"
}
chain forward {
type filter hook output priority 0; policy drop;
}
chain output {
type filter hook output priority 0; policy accept;
}
} |
_________________
-whiteguy |
|
| Back to top |
|
 |
pietinger
Moderator
Joined: 17 Oct 2006
Posts: 4147
Location: Bavaria
|
| Posted: Thu Aug 04, 2022 10:17 pm Post subject: Re: Major slowdown on nftables with some programs |
|
|
| prettyflyfora- wrote: | | Code: |
table ip6 filter {
chain input {
[...]
}
chain forward {
type filter hook output priority 0; policy drop;
}
|
|
Change "hook output" to "hook forward":
| prettyflyfora- wrote: | | Code: |
table ip6 filter {
chain input {
[...]
}
chain forward {
type filter hook forward priority 0; policy drop;
}
|
|
Reason: With a dual stack (IPv4 and IPv6) most programs use IPv6 FIRST ... but FIRST Output had policy "drop"; second output doesnt matter then ...  |
|
| Back to top |
|
|
prettyflyfora-
n00b
Joined: 09 Jul 2021
Posts: 19
|
| Posted: Thu Aug 04, 2022 10:30 pm Post subject: |
|
|
Pietinger, thank you very much.
I cobbled these rules together way too late last night, and a second set of eyes was helpful.
_________________
-whiteguy |
|
| Back to top |
|
|
pietinger
Moderator
Joined: 17 Oct 2006
Posts: 4147
Location: Bavaria
|
| Posted: Thu Aug 04, 2022 10:35 pm Post subject: |
|
|
| prettyflyfora- wrote: | Pietinger, thank you very much.
I cobbled these rules together way too late last night, and a second set of eyes was helpful. |
prettyflyfora-
You are very welcome ! ... Yes, I know these night sessions ...  (=dont ask me how often I ...) |
|
| Back to top |
|
|
|
|
You cannot post new topics in this forum
You cannot reply to topics in this forum
You cannot edit your posts in this forum
You cannot delete your posts in this forum
You cannot vote in polls in this forum
|
|
Networking & Security
