# Sample configuration snippet for nftables service. # Meant to be included by main.nft, not for direct use. # dedicated table for IPv4 table ip nftables_svc { # interfaces to masquerade traffic from set masq_interfaces { type ifname elements = { "virbr0" } } # networks to masquerade traffic from # 'interval' flag is required to support subnets set masq_ips { type ipv4_addr flags interval elements = { 192.168.122.0/24 } } # [CVE-2021-3773] force port randomization for non-locally originated # connections using suspicious port values to prevent port-shadow # attacks, i.e. accidental matching of new inbound connections vs. # existing ones chain do_masquerade { meta iif > 0 th sport < 16384 th dport >= 32768 masquerade random masquerade } # base-chain to manipulate conntrack in postrouting, # will see packets for new or related traffic only chain POSTROUTING { type nat hook postrouting priority srcnat + 20 policy accept iifname @masq_interfaces oifname != @masq_interfaces jump do_masquerade ip saddr @masq_ips jump do_masquerade } }