Accepting and dropping packets

From nftables wiki

Dropping packets

Use the drop statement to drop packets. Note that drop is a terminating action, so you cannot add any other action after it.

nft add rule filter output drop

Beware when testing this: you'll likely lose all Internet connectivity :-).

Accepting packets

A simple rule to accept any sort of traffic is:

nft add rule filter output accept

You can add counters to that rule:

nft add rule filter output counter accept

You can then list the table and check that all traffic is actually being accepted:

nft list table filter
table ip filter {
        chain output {
                type filter hook output priority 0;
                counter packets 1 bytes 84 accept
        }
}
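
One way to test the drop rule above without staying locked out, as an added example that is not part of the wiki page: the script saves the running ruleset, loads a counter drop rule, lists the table after a delay and then restores the saved ruleset. It assumes the filter table and output chain used on this page already exist; HOLD, BACKUP and the function names are made up for this example.

```sh
#!/bin/sh
# Added example, not from the wiki: try a drop rule with a guaranteed rollback.
# Assumes table "filter" and chain "output" from this page already exist.
# HOLD, BACKUP and the function names are hypothetical, chosen for this sketch.

HOLD=${HOLD:-30}   # seconds the rule under test stays loaded

# Save the running ruleset in a form `nft -f` can load back in one transaction.
save_ruleset() {
    BACKUP=$(mktemp) || return 1
    { echo "flush ruleset"; nft list ruleset; } > "$BACKUP"
}

# Put the saved ruleset back, then delete the backup file.
restore_ruleset() {
    nft -f "$BACKUP" && rm -f "$BACKUP"
}

# counter is placed before drop: drop ends the rule, so it must come last.
add_test_rule() {
    nft add rule filter output counter drop
}

# Save, load the rule, show its counters after HOLD seconds, always restore.
try_drop_rule() {
    save_ruleset || return 1
    trap 'restore_ruleset; exit 130' INT TERM HUP
    rc=0
    if add_test_rule; then
        sleep "$HOLD"
        nft list table filter
    else
        rc=1
    fi
    restore_ruleset || rc=2
    trap - INT TERM HUP
    return "$rc"
}

# Run as root with: sh try-drop.sh run
if [ "${1:-}" = "run" ]; then
    try_drop_rule
fi
```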