求助 nftables ipv6 相关

配置了 nftables IPv6 防火墙, 打算是开放 22 和 1874 端口

发现更新配置后, 有时候配置不起效, 改成完全开放端口, 再改回去, 端口限制才会起效

也有时候起效了, 但只能持续一段时间, 过一段时间之后就无法访问

现在关闭 IPV6 防火墙之后是完全可以正常访问的

求助这里是有什么问题吗?

这里是整张配置表, 也顺便配置了路由

flush ruleset

define DEV_WORLD = enp0
define DEV_LAN = enp1
define DEV_WLAN = wlp

define DEV_COM = podman0
define NET_PRIVATE = 192.168.1.0/22
define NET_COM = 10.88.0.0/16


table ip global {

   chain inbound_world {
        icmp type echo-request limit rate 5/second accept
        ip protocol . th dport vmap {udp . 53 : accept, tcp . 53 : accept, udp . 67 : accept}
    }

    chain inbound_private_lan {
        icmp type echo-request limit rate 5/second accept
        ip protocol . th dport vmap {tcp . 22 : accept, udp . 53 : accept, tcp . 53 : accept, udp . 67 : accept, tcp . 1874 : accept}
    }

    chain inbound_private_wlan {
        icmp type echo-request limit rate 5/second accept
        ip protocol . th dport vmap {tcp . 22 : accept, udp . 53 : accept, tcp . 53 : accept, udp . 67 : accept, tcp . 1874 : accept}
    }

    chain inbound {
        type filter hook input priority 0; policy drop;
        ct state vmap {established : accept, related : accept, invalid : drop}
        iifname vmap {lo : accept, $DEV_WORLD : jump inbound_world, $DEV_LAN : jump inbound_private_lan, $DEV_WLAN : jump inbound_private_wlan}
    }

    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state vmap {established : accept, related : accept, invalid : drop}
        meta iifname . meta oifname {$DEV_LAN . $DEV_WORLD, $DEV_WLAN . $DEV_WORLD, $DEV_WORLD . $DEV_LAN, $DEV_WORLD . $DEV_WLAN, $DEV_LAN . $DEV_WLAN, $DEV_WLAN . $DEV_LAN, $DEV_COM . $DEV_WORLD, $DEV_WORLD . $DEV_COM} accept
    }

    chain postrouting {
        type nat hook postrouting priority 100; policy accept;
        ip saddr $NET_PRIVATE meta oifname $DEV_WORLD counter masquerade
        ip saddr $NET_COM meta oifname $DEV_WORLD counter masquerade
    }
}

table ip6 ip6global {

    chain inbound_world {icmpv6 type { echo-request, nd-neighbor-solicit} limit rate 5/second accept
        tcp dport {22, 1874} accept #生效后, 一段时间后失效
    }

    chain inbound {
        type filter hook input priority 0; policy drop;
        ct state vmap {established : accept, related : accept, invalid : drop}
        iifname vmap {lo : accept, $DEV_WORLD : jump inbound_world}
    }

}