nftables interface not available at boot?

HyPX

New Member
Nov 23, 2020
I'm using nftables to implement firewall rules. I have some rules which I need to apply to vmbr1 and the fwbr interfaces. I create my test config file thus:

Code:
#!/usr/sbin/nft -f

flush ruleset

table netdev filterearly {
        chain ingress {
                type filter hook ingress device enp3s0 priority 0; policy accept;

                meta iif vmbr1 ip daddr 192.168.0.0/16 accept;
        }
}

nft -f /etc/nftables.conf successfully loads the configuration. However, upon reboot my nft list ruleset is blank. With systemctl status nftables I find that the "interface does not exist":

Code:
● nftables.service - nftables
   Loaded: loaded (/lib/systemd/system/nftables.service; enabled; vendor preset: enabled)
   Active: failed (Result: exit-code) since Mon 2020-12-14 15:41:53 GMT; 5min ago
     Docs: man:nft(8)
           http://wiki.nftables.org
  Process: 417 ExecStart=/usr/sbin/nft -f /etc/nftables.conf (code=exited, status=1/FAILURE)
 Main PID: 417 (code=exited, status=1/FAILURE)

Dec 14 15:41:53 PXM nft[417]: /etc/nftables.conf:29:18-22: Error: Interface does not exist
Dec 14 15:41:53 PXM nft[417]:         meta iif vmbr1 ip daddr 192.168.0.0/16 accept;
Dec 14 15:41:53 PXM nft[417]:                         ^^^^^
Warning: Journal has been rotated since unit was started. Log output is incomplete or unavailable.

This is also the same for the fwbr interfaces. It also gives me errors (after rebooting) when I try to use the virtual interfaces in the netdev ingress chains.

How could I remedy this issue?

Thanks in advance.
vmbr1 (as well as all other bridges) does not exist at boot time, only after ifup has been processed. Should work if you put the service as post-up in /etc/network/interfaces
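One way to act on the reply above, as an added example that is not the poster's configuration or anything shipped by Proxmox: an ifupdown post-up hook that only calls nft -f once every interface the ruleset names actually exists, instead of letting the unit fail partway through the file. The hook path /etc/network/if-up.d/nftables, the NET_SYSFS and TRIGGER_IFACE overrides, the helper names, and the sample interface name fwbr100i0 are all assumptions made for this example.

```shell
#!/bin/sh
# Added example (not from the thread): an ifupdown post-up hook that loads the
# nftables ruleset only after the bridges it references exist. Assumed install
# path: /etc/network/if-up.d/nftables (ifupdown runs every script there with
# $IFACE set to the interface that just came up). The minimal equivalent, as
# suggested in the reply, is a post-up line in /etc/network/interfaces:
#
#   iface vmbr1 inet static
#       ...
#       post-up /usr/sbin/nft -f /etc/nftables.conf

NFT_CONF="${NFT_CONF:-/etc/nftables.conf}"
# sysfs root for device lookups; overridable so the helpers can be exercised
# without real interfaces (assumption for this example)
NET_SYSFS="${NET_SYSFS:-/sys/class/net}"
# the interface whose post-up should trigger the load (assumption: vmbr1)
TRIGGER_IFACE="${TRIGGER_IFACE:-vmbr1}"

# 0 if the kernel currently has a network device named $1
iface_exists() {
    [ -n "$1" ] && [ -d "$NET_SYSFS/$1" ]
}

# Interface names the ruleset refers to via iifname/oifname/iif/oif/device,
# one per line, de-duplicated. Quoted names ("vmbr1") are unquoted.
required_ifaces() {
    grep -oE '(iifname|oifname|iif|oif|device) +"?[A-Za-z0-9_.-]+' "$1" \
        | awk '{ print $2 }' | tr -d '"' | sort -u
}

# 0 only if every interface given as an argument exists; reports the rest.
all_ifaces_exist() {
    missing=""
    for dev in "$@"; do
        iface_exists "$dev" || missing="$missing $dev"
    done
    if [ -n "$missing" ]; then
        echo "nftables hook: not loading $NFT_CONF, missing interfaces:$missing" >&2
        return 1
    fi
    return 0
}

# Load the ruleset only when nothing it references is still absent, so the
# load does not abort with "Interface does not exist" halfway through the file.
load_ruleset() {
    all_ifaces_exist $(required_ifaces "$NFT_CONF") || return 1
    /usr/sbin/nft -f "$NFT_CONF"
}

# ifupdown entry point: act only when the trigger bridge has just come up.
if [ "${IFACE:-}" = "$TRIGGER_IFACE" ]; then
    load_ruleset
fi
```

Two points worth keeping in mind when applying this. First, a hook on vmbr1 covers the bridges ifupdown creates, but not interfaces that appear later; any rule that names a device which does not exist yet will still keep the whole file from loading, and the hook above reports which ones are missing rather than silently leaving an empty ruleset. Second, nft resolves iif and oif to an interface index at load time, which is why a missing device is a hard error, whereas iifname and oifname match on the name string and can be loaded before the interface exists; for interfaces that come and go, the name-based match is the more robust choice.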