nftables test cheat sheet simplified rules to test nfqws and tpws For DNAT : # run tpws as user "tpws". its required to avoid loops. nft delete table inet ztest nft create table inet ztest nft add chain inet ztest pre "{type nat hook prerouting priority dstnat;}" nft add rule inet ztest pre tcp dport "{80,443}" redirect to :988 nft add chain inet ztest out "{type nat hook output priority -100;}" nft add rule inet ztest out tcp dport "{80,443}" skuid != tpws redirect to :988 For dpi desync attack : nft delete table inet ztest nft create table inet ztest nft add chain inet ztest post "{type filter hook postrouting priority mangle;}" nft add rule inet ztest post meta mark and 0x40000000 == 0 tcp dport "{80,443}" ct original packets 1-6 queue num 200 bypass nft add rule inet ztest post meta mark and 0x40000000 == 0 udp dport 443 ct original packets 1-6 queue num 200 bypass # auto hostlist with avoiding wrong ACK numbers in RST,ACK packets sent by russian DPI sysctl net.netfilter.nf_conntrack_tcp_be_liberal=1 nft add chain inet ztest pre "{type filter hook prerouting priority filter;}" nft add rule inet ztest pre tcp sport "{80,443}" ct reply packets 1-3 queue num 200 bypass show rules : nft list table inet ztest delete table : nft delete table inet ztest