nftables on Alpine Linux vs. Archlinux

By chimo on (updated on )

One thing I forgot about the Archlinux “nftables” systemd unit file is that stopping the nftables service doesn’t flush the ruleset. If you want the rules gone, you need to run “nft flush ruleset” yourself.

This differs from Alpine Linux, where stopping the service does flush the nftables ruleset.

You can see the difference in behaviour by running “nft list ruleset” after stopping the service.

Archlinux

# Stop the service
chimo@arch:~$ sudo systemctl stop nftables
# List the ruleset
chimo@arch:~$ nft list ruleset
chain input {
	type filter hook input priority filter; policy drop;
	ct state invalid drop comment "early drop of invalid connections"
	ct state { established, related } accept comment "allow tracked connections"
	iif "lo" accept comment "allow from loopback"
	ip protocol icmp accept comment "allow icmp"
	meta l4proto ipv6-icmp accept comment "allow icmp v6"
	tcp dport 22 accept comment "allow sshd"
	meta pkttype host limit rate 5/second burst 5 packets counter packets 0 bytes 0 reject with icmpx admin-prohibited
	counter packets 0 bytes 0
}
chain forward {
	type filter hook forward priority filter; policy drop;
}

Alpine Linux

# Stop the service
chimo@alpine:~$ doas service nftables stop
# List the ruleset
chimo@alpine:~$ nft list ruleset
chimo@alpine:~$

We can see that the Alpine Linux init script does the flush for you at the end of the stop() function (line 14):

/etc/init.d/nftables

 1  # ...
 2  stop() {
 3    if yesno "$save_on_stop"; then
 4            save || return 1
 5    fi
 6
 7    if yesno "$enable_forwarding"; then
 8            ebegin "Disabling forwarding"
 9            forwarding 0
10            eend $?
11    fi
12
13    ebegin "Stopping firewall"
14    $nft flush ruleset
15    eend $?
16  }
17  # ...
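The whole difference comes down to whether anything runs “nft flush ruleset” when the service stops. As an added example (not from the post, nor from either distribution's packaging), the POSIX shell below writes a systemd drop-in that gives the Arch unit the same flush-on-stop behaviour as Alpine's init script, and inspects captured “nft list ruleset” output so the post-stop state can be verified rather than assumed; the /usr/bin/nft path, the nftables.service unit name and the sample output are assumptions.

```shell
# Added example, not from the post: give Arch's unit the flush-on-stop behaviour
# of Alpine's init script via a systemd drop-in, and verify the ruleset after a
# stop. Assumed: nft is /usr/bin/nft and the unit is nftables.service.

# Drop-in adding an ExecStop= that flushes the ruleset. $1 = target dir
# (default: the real one); prints the path of the file written.
write_flush_dropin() {
    dir=${1:-/etc/systemd/system/nftables.service.d}
    mkdir -p "$dir"
    printf '[Service]\nExecStop=/usr/bin/nft flush ruleset\n' > "$dir/flush-on-stop.conf"
    echo "$dir/flush-on-stop.conf"
}

# Exit 0 only if `nft list ruleset` text on stdin defines no table or chain,
# i.e. it is really empty, as on Alpine after a stop.
ruleset_is_empty() {
    ! grep -Eq '^[[:space:]]*(table|chain)[[:space:]]'
}

# Number of chains still loaded, from `nft list ruleset` text on stdin.
count_chains() {
    grep -Ec '^[[:space:]]*chain[[:space:]]' || true
}

# One-line verdict for a captured `nft list ruleset` output ($1).
report_post_stop() {
    if printf '%s\n' "$1" | ruleset_is_empty; then
        echo "ruleset flushed on stop"
    else
        echo "$(printf '%s\n' "$1" | count_chains) chain(s) still loaded; run 'nft flush ruleset'"
    fi
}

# Live check (needs root, systemd and nft; not run here): stop the unit, then
# fail unless the ruleset is gone.
check_stop_flushes() {
    systemctl stop nftables && nft list ruleset | ruleset_is_empty
}

# Constructed sample modelled on the post: what Arch still reports after
# `systemctl stop nftables`, versus Alpine's empty output.
ARCH_AFTER_STOP='table inet filter {
	chain input {
		type filter hook input priority filter; policy drop;
	}
	chain forward { type filter hook forward priority filter; policy drop; }
}'
ALPINE_AFTER_STOP=''
echo "arch:   $(report_post_stop "$ARCH_AFTER_STOP")"
echo "alpine: $(report_post_stop "$ALPINE_AFTER_STOP")"
```

After writing the drop-in, “systemctl daemon-reload” is needed before the new ExecStop= takes effect.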