[CentOS] CentOS 8 and nftables default policy

Sat Apr 18 11:03:55 UTC 2020
Alessandro Baggi <alessandro.baggi at gmail.com>

On 17/04/20 11:01, Alessandro Baggi wrote:
> Hi list,
>
> I'm studying nftables. I'm using CentOS 8.1 (Gnome) and I disabled 
> firewalld. I noticed that a default policy is created with tables and 
> chains probably for firewalld.
>
> So I created a .nft script where I stored my rules, with a flush of the 
> previous ruleset, then saved it as /etc/sysconfig/nftables.conf and 
> enabled the nftables service.
>
> Running the script with nft -f script.nft all works as expected, but 
> after rebooting, running nft list ruleset I find my rules plus the 
> default policy (chains and tables) that I would not have in my 
> configuration.
>
> My nftables.conf contains only my ruleset.
>
> For example, running nft list tables I find several default tables like:
>
> table ip filter
> table ip6 filter
> table bridge filter
> table ip nat
> table ip mangle
>
> So probably there is something that is applying its policy, but I 
> don't know what it is.
>
> Can someone point me in the right direction?
>
> Thank you in advance.
>
Hi, I have not received any replies, but I tried to investigate. After 
checking the configuration files on my system I supposed that this could 
be caused by a daemon, and I found that libvirtd pushes some rules.

Running virsh nwfilter-list I get:

  UUID                                  Nome
------------------------------------------------------------------
  34fe8cba-af99-4438-8efc-b135143425e2  allow-arp
  dc110112-3824-4cf3-946f-ba6e15cd29c3  allow-dhcp
  fecc383a-bab5-465d-a5be-98834fb626ce  allow-dhcp-server
  761e7132-8738-47c2-8101-275d6fd6a347  allow-incoming-ipv4
  d37b017f-8f21-4ad0-9fa6-052a5cb1ed2e  allow-ipv4
  a8c740d5-328c-452e-bae7-9828c54f95b7  clean-traffic
  296bdfad-11d9-4aa0-9817-4656ef2be6e5  clean-traffic-gateway
  69215a61-bff5-482a-b913-589bb1ce18f2  no-arp-ip-spoofing
  70c61f0a-c005-407f-843d-d13c2495f05d  no-arp-mac-spoofing
  386cd2f4-7272-43e2-ba1f-80cb3518649c  no-arp-spoofing
  9117fa21-e3d6-4c32-9cdf-af97ebd6599e  no-ip-multicast
  7a964470-4f74-4eef-9fec-a0e9a79e168d  no-ip-spoofing
  8c9e45a3-5d44-4641-b23d-eded5c1f1632  no-mac-broadcast
  82dcd4f0-f55a-43ad-b520-d4c8d4bf37cd  no-mac-spoofing
  bdd0ba54-7ce0-4a2c-9c25-c24072d364ba  no-other-l2-traffic
  fc50783e-d32b-42ba-8380-7576c4388244  no-other-rarp-traffic
  edfc1bb3-b325-4f8d-8c5b-423e55da66eb  qemu-announce-self
  8556bd82-dc97-47b0-b573-5986ebbad3b2  qemu-announce-self-rarp

If I remove these libvirt filters, will I get errors?

Thank you in advance.
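The problem described in this thread is ruleset drift: tables that appear in the live ruleset without being declared in /etc/sysconfig/nftables.conf, because another component (here libvirtd) installs its own. The script below is an added example, not something posted in the thread or shipped with CentOS or libvirt; it compares the `table <family> <name>` declarations in a saved config against the output of `nft list tables` and reports the tables that some other component must have created. The config and the listing used here are constructed sample files written to a temporary directory (the listing mirrors the tables named in the original post); on a real system you would replace the listing with the output of `nft list tables`.

```shell
#!/bin/sh
# Added example (not from the thread): report nftables tables that exist in
# the live ruleset but are not declared in the saved nftables config.

# expected_tables CONFIG_FILE
# Print "family name" for every "table <family> <name> {" in the config,
# ignoring comments, one per line, sorted and de-duplicated.
expected_tables() {
    sed -e 's/#.*//' "$1" | awk '$1 == "table" && NF >= 3 { print $2, $3 }' | sort -u
}

# live_tables LISTING_FILE
# Parse the text of `nft list tables` ("table ip filter" per line).
live_tables() {
    awk '$1 == "table" && NF >= 3 { print $2, $3 }' "$1" | sort -u
}

# foreign_tables CONFIG_FILE LISTING_FILE
# Print the tables present in the listing but absent from the config,
# in the order of the listing. An empty result means no drift.
foreign_tables() {
    exp=$(expected_tables "$1")
    awk '$1 == "table" && NF >= 3 { print $2, $3 }' "$2" | while IFS= read -r t; do
        printf '%s\n' "$exp" | grep -qxF -- "$t" || printf '%s\n' "$t"
    done
}

# --- constructed sample input (not real files from the poster's machine) ---
SAMPLE_DIR=$(mktemp -d)
CFG="$SAMPLE_DIR/nftables.conf"
LIVE="$SAMPLE_DIR/nft-list-tables.txt"

cat > "$CFG" <<'EOF'
#!/usr/sbin/nft -f
flush ruleset
table inet myfilter {
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        iif lo accept
    }
}
EOF

# What `nft list tables` might print after reboot: the config's own table
# plus the tables listed in the original post.
cat > "$LIVE" <<'EOF'
table inet myfilter
table ip filter
table ip6 filter
table bridge filter
table ip nat
table ip mangle
EOF

# Run the comparison; on a real host: nft list tables > "$LIVE" first.
echo "Tables not declared in $CFG:"
foreign_tables "$CFG" "$LIVE"
```

With the constructed input the script lists ip filter, ip6 filter, bridge filter, ip nat and ip mangle, i.e. exactly the tables the poster did not put in the config. Checking the output of this comparison after each boot (or from a cron job) is a cheap way to notice when a daemon such as libvirtd or firewalld has silently added its own tables to the firewall.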