Where are nftables ip filter chain default rules configured in Fedora Workstation 36

I recently upgraded my Fedora 36 installation and I have found that by default I cannot access the internet or any host on the network. My ethernet card is “eno2” and in Firewalld it is configured in the FedoraWorkstation zone. With Firewalld, I cannot find any sort of rule that is affecting the output traffic. After some troubleshooting, I found that there are nftables rules that are preventing the traffic:

[root@fedora nftables]# nft -a list ruleset ip
table ip filter { # handle 2
        chain INPUT { # handle 1
                type filter hook input priority filter; policy accept;
                iifname "wlo1" counter packets 0 bytes 0 drop # handle 5
                iifname "eno2" counter packets 179 bytes 20719 drop # handle 2
        }

        chain OUTPUT { # handle 3
                type filter hook output priority filter; policy accept;
                oifname "wlo1" counter packets 0 bytes 0 drop # handle 6
                oifname "eno2" counter packets 14331 bytes 1139486 drop # handle 4
        }
}

If I delete these drop rules in the INPUT and OUTPUT chain, everything works as it did before the upgrade.

nft delete rule ip filter OUTPUT handle 4
nft delete rule ip filter INPUT handle 2

I searched the /etc/nftables directory and /etc/firewalld directory for some sort of configuration file that would be the source of the rules, but I cannot find anything. I’d rather not have to run these commands manually every time I boot the workstation. Where would I find this configuration on a Fedora system? For reference, /etc/nftables/main.nft is provided below:

[root@fedora nftables]# cat main.nft
# Sample configuration for nftables service.
# Load this by calling 'nft -f /etc/nftables/main.nft'.

# Note about base chain priorities:
# The priority values used in these sample configs are
# offset by 20 in order to avoid ambiguity when firewalld
# is also running which uses an offset of 10. This means
# that packets will traverse firewalld first and if not
# dropped/rejected there will hit the chains defined here.
# Chains created by iptables, ebtables and arptables tools
# do not use an offset, so those chains are traversed first
# in any case.

# drop any existing nftables ruleset
flush ruleset

# a common table for both IPv4 and IPv6
table inet nftables_svc {

        # protocols to allow
        set allowed_protocols {
                type inet_proto
                elements = { icmp, icmpv6 }
        }

        # interfaces to accept any traffic on
        set allowed_interfaces {
                type ifname
                elements = { "lo" }
        }

        # services to allow
        set allowed_tcp_dports {
                type inet_service
                elements = { ssh, 9090 }
        }

        # this chain gathers all accept conditions
        chain allow {
                ct state established,related accept

                meta l4proto @allowed_protocols accept
                iifname @allowed_interfaces accept
                tcp dport @allowed_tcp_dports accept
        }

        # base-chain for traffic to this host
        chain INPUT {
                type filter hook input priority filter + 20
                policy accept

                jump allow
                reject with icmpx type port-unreachable
        }
}

# By default, any forwarding traffic is allowed.
# Uncomment the following line to filter it based
# on the same criteria as input traffic.
#include "/etc/nftables/router.nft"

# Uncomment the following line to enable masquerading of
# forwarded traffic. May be used with or without router.nft.
#include "/etc/nftables/nat.nft"

I don’t see anything about the OUTPUT chain in this configuration file, and there are no other files being pulled in by this main.nft file. Furthermore, with Firewalld, I don’t see anything in the firewalld XML files regarding interface “eno2” except that it is attached to the FedoraWorkstation zone.

Any ideas on other places to look are welcome; this is really frustrating as everything was working fine until I ran “dnf update” recently.
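As an added example (not part of this thread), a small Python parser for `nft -a list ruleset` output that picks out the counted drop/reject rules, separates the ones that have actually fired (non-zero packet counters, here the two eno2 rules) from idle ones, and emits the handle-based delete commands used above. It assumes rule lines carry a `counter` statement and the trailing `# handle N` comment that the `-a` flag prints; the sample input is the listing quoted in the post.

```python
import re
from typing import NamedTuple

# Constructed sample: the `nft -a list ruleset ip` output quoted in the post above.
SAMPLE_RULESET = """\
table ip filter { # handle 2
        chain INPUT { # handle 1
                type filter hook input priority filter; policy accept;
                iifname "wlo1" counter packets 0 bytes 0 drop # handle 5
                iifname "eno2" counter packets 179 bytes 20719 drop # handle 2
        }
        chain OUTPUT { # handle 3
                type filter hook output priority filter; policy accept;
                oifname "wlo1" counter packets 0 bytes 0 drop # handle 6
                oifname "eno2" counter packets 14331 bytes 1139486 drop # handle 4
        }
}
"""

class VerdictRule(NamedTuple):
    family: str   # address family of the table, e.g. "ip"
    table: str    # table name, e.g. "filter"
    chain: str    # chain name, e.g. "INPUT"
    expr: str     # match expression, e.g. 'iifname "eno2"'
    packets: int  # counter value; > 0 means the rule has actually fired
    verdict: str  # "drop" or "reject"
    handle: int   # rule handle, needed for `nft delete rule ... handle N`

TABLE_RE = re.compile(r"^table (\w+) (\w+) \{")
CHAIN_RE = re.compile(r"^chain (\w+) \{")
RULE_RE = re.compile(r"^(?P<expr>.+?) counter packets (?P<packets>\d+) bytes \d+ "
                     r"(?P<verdict>drop|reject)(?: with [^#]*)? # handle (?P<handle>\d+)$")

def parse_verdict_rules(listing: str) -> list[VerdictRule]:
    """Walk the listing, tracking the current table/chain, and collect counted drop/reject rules."""
    family = table = chain = None
    found: list[VerdictRule] = []
    for raw in listing.splitlines():
        line = raw.strip()
        if m := TABLE_RE.match(line):
            family, table = m.groups()
        elif m := CHAIN_RE.match(line):
            chain = m.group(1)
        elif (m := RULE_RE.match(line)) and chain:
            found.append(VerdictRule(family, table, chain, m["expr"],
                                     int(m["packets"]), m["verdict"], int(m["handle"])))
    return found

def delete_commands(rules: list[VerdictRule]) -> list[str]:
    """Handle-based delete commands, one per rule, in the form used in the post."""
    return [f"nft delete rule {r.family} {r.table} {r.chain} handle {r.handle}" for r in rules]
```

Filtering on `packets > 0` reproduces exactly the two commands the post ran. A table named `filter` with uppercase INPUT/OUTPUT chains is the layout iptables-nft creates, so rules found there point at iptables-based tooling (such as firewalld direct rules) rather than at the nftables service's main.nft.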


I’m facing similar issues trying to get split tunneling working with nftables and MullvadVPN. Did you ever find the config files you were looking for?

Firewalld can only use the direct interface to generate the rules listed in the OP, otherwise it must be related to some other service.
