On Sun, Jan 10, 2021 at 07:12:04PM +0100, François Patte wrote:
> So, I think that some script, somewhere, intercepts the nftables config but
> I don't understand how.
I suspect you're running into the legacy compatibility converter for the old iptables rules (iptables-nft). IIRC that may kick in if it detects that some old iptables kernel modules have been loaded and overwrite your rules with the autoconverted old rules. If they are loaded you may have to manually unload them first.

I run nftables and on my system the command

    lsmod | grep 'x_\|table\|nft'

gives this output:

    iptable_filter         16384  0
    nft_fib_inet           16384  1
    nft_fib_ipv4           16384  1 nft_fib_inet
    nft_fib_ipv6           16384  1 nft_fib_inet
    nft_fib                16384  3 nft_fib_ipv6,nft_fib_ipv4,nft_fib_inet
    nft_counter            16384  28
    nft_redir_ipv6         16384  1
    nft_chain_nat_ipv6     16384  1
    nf_nat_ipv6            16384  1 nft_chain_nat_ipv6
    nft_redir_ipv4         16384  1
    nft_redir              16384  2 nft_redir_ipv6,nft_redir_ipv4
    nft_objref             16384  4
    nft_log                16384  13
    nf_tables_set          32768  28
    nft_ct                 20480  92
    nft_chain_nat_ipv4     16384  1
    nf_nat_ipv4            16384  1 nft_chain_nat_ipv4
    nf_nat                 36864  4 nf_nat_ipv6,nf_nat_ipv4,nft_redir_ipv6,nft_redir_ipv4
    nf_conntrack          172032  9 nf_nat,nft_ct,nf_nat_ipv6,nf_nat_ipv4,nf_conntrack_sip,nft_redir,nf_conntrack_netlink,nft_redir_ipv6,nft_redir_ipv4
    nf_tables             143360  448 nft_ct,nft_log,nft_chain_nat_ipv6,nft_chain_nat_ipv4,nft_fib_ipv6,nft_objref,nft_redir,nft_fib_ipv4,nft_counter,nft_redir_ipv6,nft_redir_ipv4,nf_tables_set,nft_fib,nft_fib_inet
    nfnetlink              16384  8 nf_conntrack_netlink,nf_tables
    ip_tables              28672  1 iptable_filter
    x_tables               45056  2 iptable_filter,ip_tables

If you have e.g. iptable_mangle or any other of the ipt_ modules listed by

    ls /lib/modules/$(uname -r)/kernel/net/ipv4/netfilter/ipt_*

loaded, unload them first with rmmod. For that you have to first flush the tables with iptables -F, as otherwise the rules might prevent a module from being unloaded.

Also some scripts may be thrown off if some symlinks are configured in a certain way through the update-alternatives subsystem.
On my system

    update-alternatives --list iptables

gives:

    /usr/sbin/iptables-legacy
    /usr/sbin/iptables-nft

My symlink still points to iptables-legacy (which was probably the version that worked as I needed it during the migration), but since I no longer use that and have forgotten exactly how it affected all of this, you may have to figure that out on your own.

If all else fails you may have to uninstall any iptables packages altogether to eliminate all possible sources of interference.

Good luck,
Dennis.
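The procedure described in the reply above (inspect lsmod for legacy iptables modules, flush the legacy rules, rmmod the modules in dependency order, then check update-alternatives), as an added shell example that is not part of the original thread. It assumes lsmod-style input and the ipt_/iptable_ module prefixes from /lib/modules/$(uname -r)/kernel/net/ipv4/netfilter/; the sample lsmod output is constructed, and the script only prints the commands to run as root rather than running them.

```shell
#!/bin/sh
# Added example (not from the thread): find loaded legacy iptables-family
# modules and print the unload order: flush legacy rules first, then rmmod.
# Assumption: module names follow the ipt_* / iptable_* convention, with
# ip_tables and x_tables as the shared dependencies underneath them.

# Constructed sample lsmod output, used when lsmod is unavailable.
SAMPLE_LSMOD='Module                  Size  Used by
iptable_mangle         16384  1
iptable_filter         16384  0
ipt_REJECT             16384  2 iptable_filter
nft_counter            16384  28
nf_tables             143360  448 nft_counter
ip_tables              28672  2 iptable_filter,iptable_mangle
x_tables               45056  4 iptable_filter,ip_tables,ipt_REJECT,iptable_mangle'

# legacy_ipt_modules: read lsmod output on stdin and print the legacy module
# names in rmmod order. Per-table and match/target modules come first; then
# ip_tables and finally x_tables, because the earlier ones depend on them and
# rmmod refuses to remove a module that still has users.
legacy_ipt_modules() {
    awk 'NR > 1 {
             if ($1 ~ /^(ipt_|iptable_)/) print $1
             else if ($1 == "ip_tables") ip = 1
             else if ($1 == "x_tables") x = 1
         }
         END { if (ip) print "ip_tables"; if (x) print "x_tables" }'
}

# unload_plan: read lsmod output on stdin and print the commands to run as root.
# Only tables whose iptable_<name> module is actually loaded are flushed:
# running iptables-legacy against an unloaded table would load that module.
# The explicit iptables-legacy binary is used so the outcome does not depend
# on where the update-alternatives "iptables" symlink points.
unload_plan() {
    mods=$(legacy_ipt_modules)
    [ -n "$mods" ] || { echo '# no legacy iptables modules loaded'; return 0; }
    for m in $mods; do
        case "$m" in
            iptable_*) t=${m#iptable_}
                       echo "iptables-legacy -t $t -F && iptables-legacy -t $t -X" ;;
        esac
    done
    # rmmod may still report "in use" for x_tables if something else (e.g.
    # nft_compat) holds it; that is harmless and just means it stays loaded.
    for m in $mods; do
        echo "rmmod $m"
    done
    echo 'update-alternatives --list iptables   # confirm what "iptables" resolves to'
}

# Dry run: print the plan for this host, or for the sample if lsmod is missing.
if command -v lsmod >/dev/null 2>&1; then
    lsmod | unload_plan
else
    printf '%s\n' "$SAMPLE_LSMOD" | unload_plan
fi
```

Run it as an unprivileged user to review the plan, then execute the printed lines as root one at a time; if a later rmmod fails with "Module ... is in use", re-check lsmod for whatever still references it before forcing anything.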