authorXiao Pan <gky44px1999@gmail.com>2023-12-03 11:30:06 +0000
committerXiao Pan <gky44px1999@gmail.com>2023-12-03 11:30:06 +0000
commit1e9915fd13ad6e82bad4c54b9bab9867b85abc79 (patch)
treed60a5fd5d11c24800a803ffe63b5bc0ed3536abb /etc/nftables.conf
parent45c29dd905b6777602584d45c656edea0771f04c (diff)
# newer kernels have no need for `chain prerouting { type nat hook prerouting priority -100; policy accept; }`; for more, see https://www.procustodibus.com/blog/2021/11/wireguard-nftables/
Diffstat (limited to 'etc/nftables.conf')
-rw-r--r--etc/nftables.conf16
1 files changed, 7 insertions, 9 deletions
diff --git a/etc/nftables.conf b/etc/nftables.conf
index eae3bbe4..e2e83f5c 100644
--- a/etc/nftables.conf
+++ b/etc/nftables.conf
@@ -3,9 +3,10 @@
# IPv4/IPv6 Simple & Safe firewall ruleset.
# More examples in /usr/share/nftables/ and /usr/share/doc/nftables/examples/.
-# some codes from:
+# references, some codes from:
# https://wiki.archlinux.org/title/Nftables
# https://www.procustodibus.com/blog/2021/11/wireguard-nftables
+# https://wiki.gentoo.org/wiki/Nftables/Examples#Basic_NAT
# needed for reload config using `sudo systemctl restart nftables` or `sudo nft -f /etc/nftables.conf`
flush ruleset
@@ -56,18 +57,15 @@ table inet my_table {
}
}
-# https://wiki.gentoo.org/wiki/Nftables/Examples#Basic_NAT
-# needed by wireguard?
+# needed to wireguard NAT masquerade VPN traffic
# Need inet to masquerade both ipv4 and ipv6? If use ip it will only masquerade ipv4? If use ip6 it will only masquerade ipv6?
# https://wiki.nftables.org/wiki-nftables/index.php/Nftables_families
table inet nat {
- chain prerouting {
- type nat hook prerouting priority 0; policy accept;
- }
-
- # for all packets to WAN, after routing, replace source address with primary IP of WAN interface
+ # newer kernel no need for `chain prerouting { type nat hook prerouting priority -100; policy accept; }`, more see https://www.procustodibus.com/blog/2021/11/wireguard-nftables/
+ # for all packets to $pub_iface, after routing, replace source address with primary IP of $pub_iface interface
chain postrouting {
- type nat hook postrouting priority 100; policy accept;
+ type nat hook postrouting priority 100
+ policy accept
oifname $pub_iface masquerade
}
}
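Review bot: The `oifname $pub_iface masquerade` rule in the rewritten postrouting chain is not limited to tunnel traffic, so every forwarded packet leaving $pub_iface — regardless of the interface it arrived on — gets its source address rewritten, and the comment above it describes that broad behavior without saying it is intended. If only WireGuard clients are meant to be NATed, narrowing the match keeps a forward rule added elsewhere from being masqueraded silently, e.g. `iifname <WG_IFACE> oifname $pub_iface masquerade` or an address-based `ip saddr <WG_SUBNET> oifname $pub_iface masquerade` (both placeholders; $pub_iface is defined outside this hunk). The question comment above `table inet nat` can be answered now that the chain is settled: rules in an inet-family table apply to both IPv4 and IPv6, so this single masquerade rule covers both families, and the comment should state that rather than ask it. The note about the dropped prerouting chain presumably only holds for recent kernels, so recording the minimum kernel version this ruleset assumes would tell a deployer on an older kernel that NATed connections may need that chain restored.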