Hi Elrik,

Thanks for reporting your issue to Ubuntu, and apologies for the delayed response. Can you say explicitly what behavior you're expecting to have work that does not? I.e., are ssh connections to the host unsuccessful or are other outbound operations failing?

Some useful diagnostics to see what's happening would be to install the conntrack package and then run:

  $ sudo conntrack -L -o id,extended

to see what connections it's tracking. Additionally, it would probably be useful to add a log rule at the end of the input chain to see what's failing; something like:

  log prefix "[nftables] input denied: " flags all counter drop

and then looking at dmesg output, journalctl output, or /var/log/kern.log can tell you what is getting blocked.

It should be noted that Ubuntu 20.04 uses systemd-resolved as its DNS resolver and depending on whether you've adjusted your DNS settings, with the nftables configuration above, likely the problem you're seeing is that connections to the resolver listening on the loopback interface (ip addr 127.0.0.53) are being blocked; in my testing, this showed up looking like:

  [nftables] input denied: IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.0.53 LEN=86 TOS=0x00 PREC=0x00 TTL=64 ID=11108 DF PROTO=UDP SPT=45001 DPT=53 LEN=66

Given that, adding a rule like:

  udp dport 53 ip saddr 127.0.0.1 accept

on the input chain caused outbound initiated network traffic to work. Is this what you were seeing or is there some other behavior you were expecting that did not work?

Thanks.

** Changed in: nftables (Ubuntu)
       Status: New => Incomplete

--
https://bugs.launchpad.net/bugs/1888076

Title:
  nftables can't be statefull
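Added example, not part of the original message or of any Ubuntu/nftables tooling: a small parser for the "[nftables] input denied: " log lines produced by the log rule above, which groups drops by interface, addresses, protocol and destination port and marks loopback DNS queries to the systemd-resolved stub. The function names and the sample log lines are constructed for illustration (the first sample line mirrors the one quoted in the message).

```python
import re
from collections import Counter

PREFIX = "[nftables] input denied: "  # prefix set by the log rule in the message

# Constructed sample kernel log lines (addresses other than loopback are documentation ranges).
SAMPLE_LOG = """\
Jul 20 10:00:01 host kernel: [nftables] input denied: IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.0.53 LEN=86 TOS=0x00 PREC=0x00 TTL=64 ID=11108 DF PROTO=UDP SPT=45001 DPT=53 LEN=66
Jul 20 10:00:02 host kernel: [nftables] input denied: IN=lo OUT= MAC=00:00:00:00:00:00:00:00:00:00:00:00:08:00 SRC=127.0.0.1 DST=127.0.0.53 LEN=86 TOS=0x00 PREC=0x00 TTL=64 ID=11109 DF PROTO=UDP SPT=45002 DPT=53 LEN=66
Jul 20 10:00:05 host kernel: [nftables] input denied: IN=ens3 OUT= MAC=52:54:00:00:00:01:52:54:00:00:00:02:08:00 SRC=198.51.100.7 DST=192.0.2.10 LEN=60 TOS=0x00 PREC=0x00 TTL=52 ID=4242 DF PROTO=TCP SPT=51514 DPT=23 WINDOW=64240 RES=0x00 SYN URGP=0
Jul 20 10:00:06 host kernel: audit: type=1400 unrelated message
"""

def parse_denied(line):
    """Return the packet fields of one denied-packet log line, or None if it is another message."""
    _, sep, rest = line.partition(PREFIX)
    if not sep:
        return None
    fields, flags = {}, []
    for tok in rest.split():
        key, eq, val = tok.partition("=")
        if eq:
            # LEN appears twice (IP length, then UDP length); keep the first.
            fields.setdefault(key, val)
        else:
            flags.append(tok)  # bare tokens such as DF or SYN
    fields["FLAGS"] = flags
    return fields

def summarize(log_text):
    """Count denied packets per (IN, SRC, DST, PROTO, DPT)."""
    counts = Counter()
    for line in log_text.splitlines():
        f = parse_denied(line)
        if f:
            counts[tuple(f.get(k) for k in ("IN", "SRC", "DST", "PROTO", "DPT"))] += 1
    return counts

def is_resolver_drop(key):
    """True for loopback DNS traffic to the systemd-resolved stub at 127.0.0.53:53."""
    iface, _src, dst, proto, dport = key
    return iface == "lo" and dst == "127.0.0.53" and dport == "53" and proto in ("UDP", "TCP")

if __name__ == "__main__":
    for key, n in summarize(SAMPLE_LOG).most_common():
        note = "  <- local DNS to systemd-resolved blocked" if is_resolver_drop(key) else ""
        print(n, *key, note)
```

To run it on a real host, pass the text of journalctl -k or /var/log/kern.log to summarize() in place of SAMPLE_LOG.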