From 0ac5d7d46133dc35e7034554ceccc283951bcf43 Mon Sep 17 00:00:00 2001
From: RaffaelHold
Date: Mon, 12 Jan 2026 08:21:18 +0100
Subject: [PATCH] feat(docs): Extend docs for routed setup with nftables (#2380)

* Extend docs for routed setup with nftables

When using nftables in a routed setup, different up and down hooks need to be used. To limit interaction with docker managed chains, a custom WG_EASY chain is added as a jump target. Since nft only supports deletion via handles, awk is needed to get the handle of the jump rule for deletion.

* Remove link to podman-nft

* Fix formatting according to prettier rules

* Add additional whitespace
---
 docs/content/examples/tutorials/routed.md | 16 ++++++++++++++++
 1 file changed, 16 insertions(+)

diff --git a/docs/content/examples/tutorials/routed.md b/docs/content/examples/tutorials/routed.md
index b72eb647..3ed4070d 100644
--- a/docs/content/examples/tutorials/routed.md
+++ b/docs/content/examples/tutorials/routed.md
@@ -93,3 +93,19 @@ PostDown ```shell iptables -D INPUT -p udp -m udp --dport {{port}} -j ACCEPT; iptables -D FORWARD -i wg0 -j ACCEPT; iptables -D FORWARD -o wg0 -j ACCEPT; ip6tables -D INPUT -p udp -m udp --dport {{port}} -j ACCEPT; ip6tables -D FORWARD -i wg0 -j ACCEPT; ip6tables -D FORWARD -o wg0 -j ACCEPT ``` + +/// warning | Important: When using nftables use the following hooks instead. + +PostUp + +```shell +nft add chain ip filter WG_EASY; nft add rule ip filter DOCKER-USER jump WG_EASY; nft add rule ip filter WG_EASY iifname {{device}} accept; nft add rule ip filter WG_EASY oifname {{device}} accept; nft add chain ip6 filter WG_EASY; nft add rule ip6 filter DOCKER-USER jump WG_EASY; nft add rule ip6 filter WG_EASY iifname {{device}} accept; nft add rule ip6 filter WG_EASY oifname {{device}} accept; +``` + +PostDown + +```shell +nft delete rule ip filter DOCKER-USER handle $(nft -a list chain ip filter DOCKER-USER | awk '/jump WG_EASY/ {print $NF}'); nft flush chain ip filter WG_EASY; nft delete chain ip filter WG_EASY; nft delete rule ip6 filter DOCKER-USER handle $(nft -a list chain ip6 filter DOCKER-USER | awk '/jump WG_EASY/ {print $NF}'); nft flush chain ip6 filter WG_EASY; nft delete chain ip6 filter WG_EASY +``` + +///
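Review bot: The nftables PostUp in this hunk has no equivalent of the iptables `INPUT` accept for the WireGuard listen port: the iptables hooks in the surrounding context open `udp --dport {{port}}` in `INPUT` (visible as `iptables -D INPUT -p udp -m udp --dport {{port}} -j ACCEPT` in the existing PostDown), whereas the nft variant only adds `iifname`/`oifname` accepts in `WG_EASY` (reached from `FORWARD` via `DOCKER-USER`), so either add a matching input rule or state in the warning that the listen port must be opened separately. The PostUp is also not safe to re-run: `nft add rule ip filter DOCKER-USER jump WG_EASY` appends another jump every time it is executed, so after a restart where PostDown did not run (crash, container killed) `DOCKER-USER` accumulates duplicate jumps and the accept rules in `WG_EASY` are duplicated too; the PostDown command substitution then expands to several handles and `nft delete rule ip filter DOCKER-USER handle ...` is rejected, leaving the stale rules in place. Guard the jump with a check such as `nft list chain ip filter DOCKER-USER | grep -q 'jump WG_EASY' || nft add rule ip filter DOCKER-USER jump WG_EASY` (same for `ip6`) and flush `WG_EASY` right after creating it. Finally, the commands assume `DOCKER-USER` already exists in the `ip filter` and `ip6 filter` tables; the warning should say so, because if Docker has not created that chain yet every `add rule` in the hook fails.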