The /usr/libexec/nftables/nftables.sh script relies on "nft list" to save the current state:

    nft ${SAVE_OPTIONS} list ${line} >> ${tmp_save}

However (at least on my systems) the dnat rules are incomplete when shown:

    # nft add table ip nat
    # nft add chain nat prerouting { type nat hook prerouting priority 0 \; }
    # nft add rule nat prerouting tcp dport 12345 dnat 10.10.10.2:23456
    # nft list table nat
    table ip nat {
            chain prerouting {
                    type nat hook prerouting priority 0; policy accept;
                    tcp dport 12345 dnat to :23456
            }
    }

"nft list table nat" doesn't show the IP address (but it's loaded correctly, because the rule works fine), so it is not saved by /etc/init.d/nftables. Thus the rule works when I introduce it manually, but it stops working when restored by the init script at boot.
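A small sanity check for the failure mode described above: before trusting a ruleset saved with "nft list", scan it for dnat/snat rules whose target has been reduced to a bare port (the "dnat to :23456" form). This is an added example, not part of the bug report or of the nftables package; the sample ruleset text and the function names are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the bug report or from nftables): flag NAT rules in a
# saved ruleset whose target carries only a port, e.g. "dnat to :23456", which is
# the truncated form that breaks the rule when the init script restores it.

# Prints each incomplete dnat/snat rule found in the file given as $1.
# Returns 0 when every NAT rule names an address, 1 otherwise.
check_nat_targets() {
    awk '
        /(dnat|snat)/ {
            target = ""
            for (i = 1; i <= NF; i++) {
                if ($i == "dnat" || $i == "snat") {
                    # accept both "dnat 10.0.0.1:80" and "dnat to 10.0.0.1:80"
                    target = (i < NF) ? $(i + 1) : ""
                    if (target == "to") target = (i + 1 < NF) ? $(i + 2) : ""
                }
            }
            # no target at all, or a target starting with ":" (port only)
            if (target == "" || target ~ /^:/) {
                printf "incomplete NAT rule: %s\n", $0
                bad++
            }
        }
        END { exit (bad > 0) }
    ' "$1"
}

# Constructed sample resembling "nft list table nat" output: one rule with the
# address dropped, one intact. Written to the file given as $1.
write_sample() {
    cat > "$1" <<'EOF'
table ip nat {
        chain prerouting {
                type nat hook prerouting priority 0; policy accept;
                tcp dport 12345 dnat to :23456
                tcp dport 80 dnat to 10.10.10.3:8080
        }
}
EOF
}

# Usage: write the sample, then check it (exit status 1 means a truncated rule)
sample="${TMPDIR:-/tmp}/nat-check-sample.$$"
write_sample "$sample"
check_nat_targets "$sample" || echo "saved ruleset is NOT safe to restore"
rm -f "$sample"
```

Run it against the file the init script actually saves (the ${tmp_save} path above) to catch the truncation before a reboot rather than after.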
This is already fixed by =net-firewall/nftables-0.8-r3