  1. $ sudo nft list ruleset
# Table generated by firewalld's nftables backend (the table name and the
# *_ZONES / *_POLICIES / *_pre,_log,_deny,_allow,_post chain layout are
# firewalld's).  Hand edits here do not survive a firewalld reload; change
# behaviour through firewall-cmd / zone XML instead.
#
# Zone assignment visible in this dump (see the *_ZONES chains):
#   dmz    <- ingress/egress on enp0s25 only
#   public <- every other interface, i.e. the catch-all (this includes the
#             lxcbr0 container bridge referenced by the lxc tables below and
#             any interface plugged in later)
#
# Every firewalld base chain registers at <hook priority> + 10, so it runs
# after tables registered at the default priority (the `lxc` table below).
# An accept verdict in an earlier base chain only ends that chain -- the
# packet is still evaluated here -- so this table is the one that actually
# decides what gets rejected.
table inet firewalld {
	# ---- mangle hook -------------------------------------------------------
	chain mangle_PREROUTING {
		type filter hook prerouting priority mangle + 10; policy accept;
		jump mangle_PREROUTING_ZONES
	}

	# Policies run for every zone before the zone's own mangle rules.
	chain mangle_PREROUTING_POLICIES_pre {
		jump mangle_PRE_policy_allow-host-ipv6
	}

	# Zone dispatch by ingress interface.  `goto` never returns, so the
	# unconditional last line is the catch-all: anything not arriving on
	# enp0s25 is handled as the public zone.
	chain mangle_PREROUTING_ZONES {
		iifname "enp0s25" goto mangle_PRE_dmz
		goto mangle_PRE_public
	}

	chain mangle_PREROUTING_POLICIES_post {
	}

	# ---- nat hook (dstnat / srcnat) ----------------------------------------
	# No port forwards, masquerade or rich NAT rules are configured in any
	# zone below: every nat_*_allow chain is empty.  The only NAT on this
	# host is the container masquerade in `table ip lxc` further down.
	chain nat_PREROUTING {
		type nat hook prerouting priority dstnat + 10; policy accept;
		jump nat_PREROUTING_ZONES
	}

	chain nat_PREROUTING_POLICIES_pre {
		jump nat_PRE_policy_allow-host-ipv6
	}

	# Same ingress-interface dispatch as the mangle hook.
	chain nat_PREROUTING_ZONES {
		iifname "enp0s25" goto nat_PRE_dmz
		goto nat_PRE_public
	}

	chain nat_PREROUTING_POLICIES_post {
	}

	chain nat_POSTROUTING {
		type nat hook postrouting priority srcnat + 10; policy accept;
		jump nat_POSTROUTING_ZONES
	}

	chain nat_POSTROUTING_POLICIES_pre {
	}

	# Postrouting dispatches on the *egress* interface.
	chain nat_POSTROUTING_ZONES {
		oifname "enp0s25" goto nat_POST_dmz
		goto nat_POST_public
	}

	chain nat_POSTROUTING_POLICIES_post {
	}

	# Locally generated traffic: -90 is dstnat (-100) + 10, matching the
	# +10 offset used by the other base chains.  No zone dispatch on output.
	chain nat_OUTPUT {
		type nat hook output priority -90; policy accept;
		jump nat_OUTPUT_POLICIES_pre
		jump nat_OUTPUT_POLICIES_post
	}

	chain nat_OUTPUT_POLICIES_pre {
	}

	chain nat_OUTPUT_POLICIES_post {
	}

	# ---- filter hook -------------------------------------------------------
	# IPv6 reverse-path check.  Router advertisements and neighbour
	# solicitations are exempted first because they arrive from link-local
	# sources that need not have a matching route; everything else whose
	# source has no route back out the ingress interface is dropped.
	# NOTE: this covers IPv6 only (meta nfproto ipv6).  IPv4 reverse-path
	# filtering is not done in this ruleset and, if wanted, depends on the
	# net.ipv4.conf.*.rp_filter sysctls, which are not visible here.
	chain filter_PREROUTING {
		type filter hook prerouting priority filter + 10; policy accept;
		icmpv6 type { nd-router-advert, nd-neighbor-solicit } accept
		meta nfproto ipv6 fib saddr . mark . iif oif missing drop
	}

	# Host-bound traffic.  Order matters:
	#   1. replies to existing connections are accepted before any zone rule;
	#   2. anything that was DNAT'd is accepted unconditionally (firewalld's
	#      port-forward semantics) -- there are currently no DNAT rules, so
	#      this matches nothing today;
	#   3. loopback is accepted;
	#   4. conntrack-invalid packets are dropped;
	#   5. zone chains decide the rest; each zone chain ends in its own
	#      reject, so the trailing reject here is only a safety net.
	# Unwanted packets are *rejected* (ICMP admin-prohibited), not silently
	# dropped, so the host announces its presence to scanners.  That is
	# firewalld's default target for the public and dmz zones; a DROP target
	# (`firewall-cmd --zone=<zone> --set-target=DROP`) is available if a
	# silent firewall is preferred.
	chain filter_INPUT {
		type filter hook input priority filter + 10; policy accept;
		ct state { established, related } accept
		ct status dnat accept
		iifname "lo" accept
		ct state invalid drop
		jump filter_INPUT_ZONES
		reject with icmpx admin-prohibited
	}

	# Routed traffic.  Same preamble as filter_INPUT, plus a refusal to
	# forward to IPv6 destinations that embed an IPv4 bogon:
	#   ::/96              IPv4-compatible addresses
	#   ::ffff:0.0.0.0/96  IPv4-mapped addresses
	#   2002:*             6to4 encodings of 0/8, 10/8, 127/8, 169.254/16,
	#                      172.16/12, 192.168/16 and 224/3
	# Whether anything is forwarded at all also depends on the
	# net.ipv4.ip_forward / net.ipv6.conf.*.forwarding sysctls (not shown).
	chain filter_FORWARD {
		type filter hook forward priority filter + 10; policy accept;
		ct state { established, related } accept
		ct status dnat accept
		iifname "lo" accept
		ct state invalid drop
		ip6 daddr { ::/96, ::ffff:0.0.0.0/96, 2002::/24, 2002:a00::/24, 2002:7f00::/24, 2002:a9fe::/32, 2002:ac10::/28, 2002:c0a8::/32, 2002:e000::/19 } reject with icmpv6 addr-unreachable
		jump filter_FORWARD_ZONES
		reject with icmpx admin-prohibited
	}

	# Locally generated traffic: only the bogon-embedding IPv6 destinations
	# are refused; there is no zone filtering and no final reject on output.
	chain filter_OUTPUT {
		type filter hook output priority filter + 10; policy accept;
		ct state { established, related } accept
		oifname "lo" accept
		ip6 daddr { ::/96, ::ffff:0.0.0.0/96, 2002::/24, 2002:a00::/24, 2002:7f00::/24, 2002:a9fe::/32, 2002:ac10::/28, 2002:c0a8::/32, 2002:e000::/19 } reject with icmpv6 addr-unreachable
		jump filter_OUTPUT_POLICIES_pre
		jump filter_OUTPUT_POLICIES_post
	}

	# The allow-host-ipv6 policy (IPv6 neighbour discovery) runs for every
	# zone before the zone's own input rules.
	chain filter_INPUT_POLICIES_pre {
		jump filter_IN_policy_allow-host-ipv6
	}

	# Ingress-interface dispatch; non-enp0s25 traffic (lxcbr0 included) is
	# judged by the public zone.
	chain filter_INPUT_ZONES {
		iifname "enp0s25" goto filter_IN_dmz
		goto filter_IN_public
	}

	chain filter_INPUT_POLICIES_post {
	}

	chain filter_FORWARD_POLICIES_pre {
	}

	# Forward dispatch is on the *ingress* interface only; the egress
	# interface is checked inside the per-zone *_allow chains.
	chain filter_FORWARD_ZONES {
		iifname "enp0s25" goto filter_FWD_dmz
		goto filter_FWD_public
	}

	chain filter_FORWARD_POLICIES_post {
	}

	chain filter_OUTPUT_POLICIES_pre {
	}

	chain filter_OUTPUT_POLICIES_post {
	}

	# ---- zone: public (catch-all for every interface except enp0s25) -------
	# Evaluation order inside a zone: global policies, then the zone's
	# pre/log/deny/allow/post chains, then the closing policies.  After that
	# every ICMP and ICMPv6 type is accepted (no icmp-blocks are configured)
	# and everything else is rejected.
	chain filter_IN_public {
		jump filter_INPUT_POLICIES_pre
		jump filter_IN_public_pre
		jump filter_IN_public_log
		jump filter_IN_public_deny
		jump filter_IN_public_allow
		jump filter_IN_public_post
		jump filter_INPUT_POLICIES_post
		meta l4proto { icmp, ipv6-icmp } accept
		reject with icmpx admin-prohibited
	}

	chain filter_IN_public_pre {
	}

	# No logging is configured in any zone (all *_log chains are empty), so
	# rejected packets leave no trace in the kernel log.
	chain filter_IN_public_log {
	}

	chain filter_IN_public_deny {
	}

	# Services open on every non-dmz interface:
	#   tcp/22         ssh
	#   udp/546        DHCPv6 client replies, restricted to link-local dst
	#   udp/631, tcp/631  IPP -- presumably the firewalld `ipp-client` and
	#                  `ipp` services, i.e. CUPS is network-reachable
	#   udp/5353       mDNS, restricted to the multicast group addresses
	# NOTE(review): because public is the catch-all zone, all of these are
	# reachable from the lxcbr0 container bridge and from any interface
	# attached later (USB NIC, Wi-Fi, VPN tun).  Confirm that CUPS (631) is
	# meant to be exposed to containers/untrusted links; if not,
	# `firewall-cmd --zone=public --remove-service=ipp --remove-service=ipp-client --permanent`
	# (service names to be checked against `firewall-cmd --list-services`).
	chain filter_IN_public_allow {
		tcp dport 22 accept
		ip6 daddr fe80::/64 udp dport 546 accept
		udp dport 631 accept
		ip daddr 224.0.0.251 udp dport 5353 accept
		ip6 daddr ff02::fb udp dport 5353 accept
		tcp dport 631 accept
	}

	chain filter_IN_public_post {
	}

	# Public zone NAT (postrouting): nothing configured.
	chain nat_POST_public {
		jump nat_POSTROUTING_POLICIES_pre
		jump nat_POST_public_pre
		jump nat_POST_public_log
		jump nat_POST_public_deny
		jump nat_POST_public_allow
		jump nat_POST_public_post
		jump nat_POSTROUTING_POLICIES_post
	}

	chain nat_POST_public_pre {
	}

	chain nat_POST_public_log {
	}

	chain nat_POST_public_deny {
	}

	chain nat_POST_public_allow {
	}

	chain nat_POST_public_post {
	}

	# Public zone forwarding: the allow chain is empty, so every *new*
	# forwarded flow entering on a non-enp0s25 interface is rejected here.
	# NOTE(review): this is what decides the fate of container traffic from
	# lxcbr0.  The `forward` chain in `table inet lxc` below accepts it at
	# priority filter (0), but that accept only ends that chain; the packet
	# is evaluated again here at filter + 10 and rejected.  Unless lxcbr0 is
	# bound to a zone elsewhere (not visible in this dump), containers
	# cannot open outbound connections -- verify with
	# `firewall-cmd --get-active-zones`, and if so bind the bridge to a
	# suitable zone (e.g. `--zone=trusted --change-interface=lxcbr0`) or add
	# a firewalld policy rather than editing the lxc table.
	chain filter_FWD_public {
		jump filter_FORWARD_POLICIES_pre
		jump filter_FWD_public_pre
		jump filter_FWD_public_log
		jump filter_FWD_public_deny
		jump filter_FWD_public_allow
		jump filter_FWD_public_post
		jump filter_FORWARD_POLICIES_post
		reject with icmpx admin-prohibited
	}

	chain filter_FWD_public_pre {
	}

	chain filter_FWD_public_log {
	}

	chain filter_FWD_public_deny {
	}

	chain filter_FWD_public_allow {
	}

	chain filter_FWD_public_post {
	}

	# Public zone NAT (prerouting): nothing configured -- no port forwards.
	chain nat_PRE_public {
		jump nat_PREROUTING_POLICIES_pre
		jump nat_PRE_public_pre
		jump nat_PRE_public_log
		jump nat_PRE_public_deny
		jump nat_PRE_public_allow
		jump nat_PRE_public_post
		jump nat_PREROUTING_POLICIES_post
	}

	chain nat_PRE_public_pre {
	}

	chain nat_PRE_public_log {
	}

	chain nat_PRE_public_deny {
	}

	chain nat_PRE_public_allow {
	}

	chain nat_PRE_public_post {
	}

	# Public zone mangle: nothing configured.
	chain mangle_PRE_public {
		jump mangle_PREROUTING_POLICIES_pre
		jump mangle_PRE_public_pre
		jump mangle_PRE_public_log
		jump mangle_PRE_public_deny
		jump mangle_PRE_public_allow
		jump mangle_PRE_public_post
		jump mangle_PREROUTING_POLICIES_post
	}

	chain mangle_PRE_public_pre {
	}

	chain mangle_PRE_public_log {
	}

	chain mangle_PRE_public_deny {
	}

	chain mangle_PRE_public_allow {
	}

	chain mangle_PRE_public_post {
	}

	# ---- policy: allow-host-ipv6 (firewalld built-in) ----------------------
	# Ingress-only policy that lets IPv6 neighbour discovery reach the host
	# regardless of zone.  It runs from filter_INPUT_POLICIES_pre, i.e. before
	# any zone's deny/allow rules.
	chain filter_IN_policy_allow-host-ipv6 {
		jump filter_IN_policy_allow-host-ipv6_pre
		jump filter_IN_policy_allow-host-ipv6_log
		jump filter_IN_policy_allow-host-ipv6_deny
		jump filter_IN_policy_allow-host-ipv6_allow
		jump filter_IN_policy_allow-host-ipv6_post
	}

	chain filter_IN_policy_allow-host-ipv6_pre {
	}

	chain filter_IN_policy_allow-host-ipv6_log {
	}

	chain filter_IN_policy_allow-host-ipv6_deny {
	}

	# NA/NS/RA/redirect are accepted on every interface.  Whether the kernel
	# *acts* on router advertisements and redirects is governed by the
	# accept_ra / accept_redirects sysctls, which this dump does not show;
	# on a host that also forwards (see filter_FWD_dmz_allow) those are
	# worth confirming.
	chain filter_IN_policy_allow-host-ipv6_allow {
		icmpv6 type nd-neighbor-advert accept
		icmpv6 type nd-neighbor-solicit accept
		icmpv6 type nd-router-advert accept
		icmpv6 type nd-redirect accept
	}

	chain filter_IN_policy_allow-host-ipv6_post {
	}

	# The nat and mangle legs of the policy carry no rules.
	chain nat_PRE_policy_allow-host-ipv6 {
		jump nat_PRE_policy_allow-host-ipv6_pre
		jump nat_PRE_policy_allow-host-ipv6_log
		jump nat_PRE_policy_allow-host-ipv6_deny
		jump nat_PRE_policy_allow-host-ipv6_allow
		jump nat_PRE_policy_allow-host-ipv6_post
	}

	chain nat_PRE_policy_allow-host-ipv6_pre {
	}

	chain nat_PRE_policy_allow-host-ipv6_log {
	}

	chain nat_PRE_policy_allow-host-ipv6_deny {
	}

	chain nat_PRE_policy_allow-host-ipv6_allow {
	}

	chain nat_PRE_policy_allow-host-ipv6_post {
	}

	chain mangle_PRE_policy_allow-host-ipv6 {
		jump mangle_PRE_policy_allow-host-ipv6_pre
		jump mangle_PRE_policy_allow-host-ipv6_log
		jump mangle_PRE_policy_allow-host-ipv6_deny
		jump mangle_PRE_policy_allow-host-ipv6_allow
		jump mangle_PRE_policy_allow-host-ipv6_post
	}

	chain mangle_PRE_policy_allow-host-ipv6_pre {
	}

	chain mangle_PRE_policy_allow-host-ipv6_log {
	}

	chain mangle_PRE_policy_allow-host-ipv6_deny {
	}

	chain mangle_PRE_policy_allow-host-ipv6_allow {
	}

	chain mangle_PRE_policy_allow-host-ipv6_post {
	}

	# ---- zone: dmz (enp0s25) ----------------------------------------------
	# Same shape as the public zone; differs only in what *_allow contains.
	chain filter_IN_dmz {
		jump filter_INPUT_POLICIES_pre
		jump filter_IN_dmz_pre
		jump filter_IN_dmz_log
		jump filter_IN_dmz_deny
		jump filter_IN_dmz_allow
		jump filter_IN_dmz_post
		jump filter_INPUT_POLICIES_post
		meta l4proto { icmp, ipv6-icmp } accept
		reject with icmpx admin-prohibited
	}

	chain filter_IN_dmz_pre {
	}

	chain filter_IN_dmz_log {
	}

	chain filter_IN_dmz_deny {
	}

	# Only ssh is reachable on enp0s25 (plus all ICMP/ICMPv6 and the
	# neighbour-discovery policy above).  There is no source restriction or
	# rate limit on port 22; if enp0s25 faces an untrusted network, consider
	# a rich rule with `source address=` and/or `limit`.
	chain filter_IN_dmz_allow {
		tcp dport 22 accept
	}

	chain filter_IN_dmz_post {
	}

	# dmz NAT (postrouting): nothing configured.
	chain nat_POST_dmz {
		jump nat_POSTROUTING_POLICIES_pre
		jump nat_POST_dmz_pre
		jump nat_POST_dmz_log
		jump nat_POST_dmz_deny
		jump nat_POST_dmz_allow
		jump nat_POST_dmz_post
		jump nat_POSTROUTING_POLICIES_post
	}

	chain nat_POST_dmz_pre {
	}

	chain nat_POST_dmz_log {
	}

	chain nat_POST_dmz_deny {
	}

	chain nat_POST_dmz_allow {
	}

	chain nat_POST_dmz_post {
	}

	# dmz forwarding.
	chain filter_FWD_dmz {
		jump filter_FORWARD_POLICIES_pre
		jump filter_FWD_dmz_pre
		jump filter_FWD_dmz_log
		jump filter_FWD_dmz_deny
		jump filter_FWD_dmz_allow
		jump filter_FWD_dmz_post
		jump filter_FORWARD_POLICIES_post
		reject with icmpx admin-prohibited
	}

	chain filter_FWD_dmz_pre {
	}

	chain filter_FWD_dmz_log {
	}

	chain filter_FWD_dmz_deny {
	}

	# Intra-zone forwarding (firewalld's zone `forward` option): packets that
	# arrived on enp0s25 may be routed back out enp0s25.  With a single
	# interface in the zone this is a hairpin -- if IP forwarding is enabled
	# in the kernel, the host will relay traffic between peers on that link
	# and the reject below is never reached for them.  Disable with
	# `firewall-cmd --zone=dmz --remove-forward` if that is not intended.
	chain filter_FWD_dmz_allow {
		oifname "enp0s25" accept
	}

	chain filter_FWD_dmz_post {
	}

	# dmz NAT (prerouting): nothing configured -- no port forwards.
	chain nat_PRE_dmz {
		jump nat_PREROUTING_POLICIES_pre
		jump nat_PRE_dmz_pre
		jump nat_PRE_dmz_log
		jump nat_PRE_dmz_deny
		jump nat_PRE_dmz_allow
		jump nat_PRE_dmz_post
		jump nat_PREROUTING_POLICIES_post
	}

	chain nat_PRE_dmz_pre {
	}

	chain nat_PRE_dmz_log {
	}

	chain nat_PRE_dmz_deny {
	}

	chain nat_PRE_dmz_allow {
	}

	chain nat_PRE_dmz_post {
	}

	# dmz mangle: nothing configured.
	chain mangle_PRE_dmz {
		jump mangle_PREROUTING_POLICIES_pre
		jump mangle_PRE_dmz_pre
		jump mangle_PRE_dmz_log
		jump mangle_PRE_dmz_deny
		jump mangle_PRE_dmz_allow
		jump mangle_PRE_dmz_post
		jump mangle_PREROUTING_POLICIES_post
	}

	chain mangle_PRE_dmz_pre {
	}

	chain mangle_PRE_dmz_log {
	}

	chain mangle_PRE_dmz_deny {
	}

	chain mangle_PRE_dmz_allow {
	}

	chain mangle_PRE_dmz_post {
	}
}
# Container-bridge table, presumably installed by lxc-net for lxcbr0 (the
# table name suggests it; the creating tool is not visible here).
#
# Both chains are accept-only (`policy accept`, no drop/reject) at the
# default `filter` priority, so they run *before* firewalld's chains at
# filter + 10 and never deny anything themselves.  Because an accept in one
# base chain only ends that chain -- the packet is still evaluated by later
# base chains on the same hook -- these rules do not exempt container
# traffic from the firewalld table above, where lxcbr0 lands in the
# catch-all public zone.
table inet lxc {
	chain input {
		type filter hook input priority filter; policy accept;
		# DNS (53) and DHCP (67) from containers to the host, presumably
		# served by dnsmasq on the bridge.  DHCP is UDP only; the tcp/67
		# match is harmless but matches no real traffic.
		# NOTE(review): firewalld's filter_IN_public_allow has no 53/67
		# entry, so new DNS/DHCP packets from lxcbr0 are still rejected by
		# the firewalld table unless lxcbr0 is bound to a permissive zone
		# somewhere not shown in this dump -- check
		# `firewall-cmd --get-active-zones`.
		iifname "lxcbr0" udp dport { 53, 67 } accept
		iifname "lxcbr0" tcp dport { 53, 67 } accept
	}

	chain forward {
		type filter hook forward priority filter; policy accept;
		# Any routed traffic into or out of the bridge is accepted here with
		# no restriction on the other interface.  In practice this is only
		# effective if firewalld's forward chain also allows the flow;
		# filter_FWD_public_allow in the table above is empty, so new flows
		# from lxcbr0 are rejected there.
		iifname "lxcbr0" accept
		oifname "lxcbr0" accept
	}
}
# IPv4-only companion to `table inet lxc`: source-NAT container traffic
# that leaves the 10.0.3.0/24 bridge subnet.  There is no IPv6 counterpart,
# so any IPv6 traffic from containers is not NATed by this ruleset.
table ip lxc {
	chain postrouting {
		type nat hook postrouting priority srcnat; policy accept;
		# Masquerade anything sourced from the container subnet whose
		# destination is outside it.  No oifname qualifier: SNAT is applied
		# on whatever egress interface the route selects.  The `counter`
		# values are live state captured at dump time, not configuration.
		# Note that this chain is reached only for packets that survived
		# the forward/output filter hooks, i.e. firewalld decides first.
		ip saddr 10.0.3.0/24 ip daddr != 10.0.3.0/24 counter packets 3 bytes 219 masquerade
	}
}
  486.  