Re: nftables and libvirt bridge network

To: debian-user@lists.debian.org
Subject: Re: nftables and libvirt bridge network
From: Sven Hartge <sven@svenhartge.de>
Date: Sun, 8 Dec 2019 12:49:33 +0100
Message-id: <[🔎] 7ftlcq6qmghv8@mids.svenhartge.de>
References: <[🔎] 20191208103639.GA3139@imap.mailbox.org>

Benedikt Tuchen <benedikt.tuchen@mailbox.org> wrote:

> I use nftables as my firewall and setup the nftables.conf today. My
> firewall rules are based on whitelisting. Everything is dropped from
> INPUT and FORWARD as long as there is no specific rule for it. For
> my libvirt network interface virbr1 there are also some rules. I
> enabled the nftables.server so my firewall gets setup on startup.

> Now there is a problem. The libvirt network interfaces are not
> available this early in boot state. The nftables.service fails
> because it can't find the virbr1.

> UNIT settings for the nftables.service:
>    Wants=network-pre.target
>    Before=network-pre.target shutdown.target
>    Conflicts=shutdown.target

> What is a good way to fix this problem?

Do you use "iif" or "oif" to match on the interface for libvirt?

If yes, then you need to change this to use "iifname" or "oifname" ,
because "iif"/"oif" can only be used to match on existing interfaces.

https://wiki.nftables.org/wiki-nftables/index.php/Quick_reference-nftables_in_10_minutes

Grüße,
Sven.

-- 
Sigmentation fault. Core dumped.

Reply to:

Follow-Ups:
- Re: nftables and libvirt bridge network
  - From: Benedikt Tuchen <benedikt.tuchen@mailbox.org>

References:
- nftables and libvirt bridge network
  - From: Benedikt Tuchen <benedikt.tuchen@mailbox.org>

Prev by Date: Re: [OT] Google security (was: dropbox security situation)
Next by Date: Re: nftables and libvirt bridge network
Previous by thread: nftables and libvirt bridge network
Next by thread: Re: nftables and libvirt bridge network
Index(es):
- Date
- Thread