angristan / openvpn-install

Set up your own OpenVPN server on Debian, Ubuntu, Fedora, CentOS or Arch Linux.
https://stanislas.blog
MIT License

nftables #530

Open alembiq opened 4 years ago

alembiq commented 4 years ago

Great work, I just have a minor issue: Debian 10 + systemd + nftables...

It still uses iptables; would it be possible to add support for nftables too?

bartgrefte commented 4 years ago

Last night I had a look at how ip(6)tables is set up by openvpn-install.sh. I used the same method for nftables, and here's what I ended up with: openvpn-nftables.zip (.sh isn't supported as an attachment?).

Maybe that will give whoever gets assigned something to start with?

I'm not sure about the default policy, though, or the priority setting. Personally, I like to set the default policy for input, output and forward to drop and then allow what's needed. The problem with nftables is that you can choose the names of those chains, so unlike ip(6)tables, you cannot expect chains named input, output or forward to be present. This might complicate things, which is why I had the script create chains purely for the VPN rules, which can exist alongside an already present nftables firewall rule set.

Note: the nftables rules aren't entered automatically; the bash script only creates the 4 nftables scripts for adding and deleting the IPv4 and IPv6 rules.
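Added example, not the attached openvpn-nftables.zip and not code from openvpn-install: two POSIX shell functions that generate `nft -f` scripts for a dedicated `inet openvpn` table with its own base chains, so the VPN rules never depend on the host's ruleset having chains called `input` or `forward`. The table name, the chain names, the priorities (10 for filter, 100 for NAT), the `add table` / `delete table` prelude and the argument layout are all assumptions chosen for illustration; the port, interfaces and subnets are parameters.

```shell
#!/bin/sh
# Added example: emit nft scripts for a self-contained OpenVPN table.
# The table/chain names and priorities are assumptions, not project conventions.

# openvpn_nft_add <port> <proto> <tun_if> <vpn_ipv4_subnet> <wan_if> [vpn_ipv6_subnet]
# Prints an nft script that (re)creates the "inet openvpn" table. The inet
# family carries both IPv4 and IPv6 rules, so one script replaces the separate
# v4/v6 scripts of the iptables approach.
openvpn_nft_add() {
    port="$1"; proto="$2"; tun_if="$3"; subnet4="$4"; wan_if="$5"
    v6rule=""
    if [ -n "${6:-}" ]; then
        v6rule="        ip6 saddr $6 oifname \"${wan_if}\" masquerade"
    fi
    cat <<EOF
#!/usr/sbin/nft -f
# "add" is a no-op if the table exists, "delete" then removes it with all of
# its chains, so re-running this script never duplicates rules.
add table inet openvpn
delete table inet openvpn
table inet openvpn {
    chain input {
        type filter hook input priority 10; policy accept;
        ${proto} dport ${port} accept
        iifname "${tun_if}" accept
    }
    chain forward {
        type filter hook forward priority 10; policy accept;
        iifname "${tun_if}" oifname "${wan_if}" accept
        iifname "${wan_if}" oifname "${tun_if}" ct state established,related accept
    }
    chain postrouting {
        type nat hook postrouting priority 100; policy accept;
        ip saddr ${subnet4} oifname "${wan_if}" masquerade
${v6rule}
    }
}
EOF
}

# openvpn_nft_delete: prints the matching removal script. Deleting the table
# drops every chain and rule in it and leaves the rest of the ruleset untouched.
openvpn_nft_delete() {
    printf '#!/usr/sbin/nft -f\ndelete table inet openvpn\n'
}

# Example run (constructed values): write both scripts to the current directory.
openvpn_nft_add 1194 udp tun0 10.8.0.0/24 eth0 fd42:42:42::/64 > add-openvpn-rules.nft
openvpn_nft_delete > remove-openvpn-rules.nft
```

One caveat on the "coexists with the existing ruleset" idea: nftables evaluates every base chain registered on a hook, in ascending priority order, and `accept` only terminates the current chain, while `drop` is final. An accept in this table therefore never overrides a drop elsewhere; if the host's own forward chain has a drop policy, `tun0` traffic still needs a rule there. The dedicated table keeps the VPN rules from being tangled up with the host's, but it cannot punch through a stricter policy, and the priority number only controls the order in which the chains run, not which verdict wins.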

trochdewei commented 4 years ago

I think that support for firewalld may be a better alternative; it supports both nftables and iptables by itself.

bartgrefte commented 4 years ago

While waiting for this feature request to be processed, maybe it's an idea to add an option to not do anything firewall related? Otherwise nftables users will end up with iptables rules.