nftables interface not available at boot?

HyPX

New Member
Nov 23, 2020
4
0
1
I'm using nftables to implement firewall rules. I have some rules which I need to apply to vmbr1 and the fwbr interfaces. I create my test config file thus:

Code:
#!/usr/sbin/nft -f

flush ruleset

# Ingress hook on the physical NIC. The iif match on the bridge is the line
# nft rejects at boot, before ifup has created vmbr1.
table netdev filterearly {
        chain ingress {
                type filter hook ingress device enp3s0 priority 0; policy accept;

                meta iif vmbr1 ip daddr 192.168.0.0/16 accept;
        }
}

nft -f /etc/nftables.conf successfully loads the configuration. However upon reboot my nft list ruleset is blank. With systemctl status nftables I find that the "interface does not exist":

Code:
● nftables.service - nftables
   Loaded: loaded (/lib/systemd/system/nftables.service; enabled; vendor preset: enabled)
   Active: failed (Result: exit-code) since Mon 2020-12-14 15:41:53 GMT; 5min ago
     Docs: man:nft(8)
           http://wiki.nftables.org
  Process: 417 ExecStart=/usr/sbin/nft -f /etc/nftables.conf (code=exited, status=1/FAILURE)
 Main PID: 417 (code=exited, status=1/FAILURE)

Dec 14 15:41:53 PXM nft[417]: /etc/nftables.conf:29:18-22: Error: Interface does not exist
Dec 14 15:41:53 PXM nft[417]:         meta iif vmbr1 ip daddr 192.168.0.0/16 accept;
Dec 14 15:41:53 PXM nft[417]:                         ^^^^^
Warning: Journal has been rotated since unit was started. Log output is incomplete or unavailable.

This is also the same for the fwbr interfaces. It also gives me errors (after rebooting) when I try to use the virtual interfaces in the netdev ingress chains.

How could I remedy this issue?

Thanks in advance.
vmbr1 (as well as all other bridges) does not exist at boot time, only after ifup has been processed. Should work if you put the service as post-up in /etc/network/interfaces.
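
One way to do what the reply suggests, as an added example that is not from the thread, from Proxmox or from the nftables project: a small POSIX shell hook that waits until the interfaces the ruleset references exist, dry-runs the file with `nft -c`, and only then loads it. It is meant to be started from a `post-up` line in /etc/network/interfaces. The install path (/usr/local/sbin/nft-load-when-ready), the polling timeout and the example interface names other than vmbr1 and enp3s0 are assumptions; `NET_SYSFS` is exposed as a variable only so the interface check can be exercised against a fake sysfs tree.

```shell
#!/bin/sh
# Added example, not from the thread: load /etc/nftables.conf only once the
# interfaces it references exist, so nft does not fail with
# "Interface does not exist" when it runs before ifup has created vmbr1.
#
# Install as /usr/local/sbin/nft-load-when-ready (assumed path) and call it
# from the bridge stanza in /etc/network/interfaces, after the bridge is up:
#
#   auto vmbr1
#   iface vmbr1 inet static
#       ...
#       post-up /usr/local/sbin/nft-load-when-ready vmbr1
#
# The names after "post-up" are whatever interfaces the ruleset refers to.

NET_SYSFS="${NET_SYSFS:-/sys/class/net}"      # overridable for testing
RULESET="${RULESET:-/etc/nftables.conf}"
WAIT_TRIES="${WAIT_TRIES:-30}"                # 30 x 1 s before giving up

# iface_exists NAME: true if the kernel currently has an interface NAME.
iface_exists() {
    [ -d "$NET_SYSFS/$1" ]
}

# wait_for_ifaces NAME...: poll until every NAME exists; returns 1 on timeout.
wait_for_ifaces() {
    tries=$WAIT_TRIES
    while :; do
        missing=""
        for name in "$@"; do
            iface_exists "$name" || missing="$missing $name"
        done
        [ -z "$missing" ] && return 0
        tries=$((tries - 1))
        [ "$tries" -gt 0 ] || break
        sleep 1
    done
    echo "nft-load-when-ready: timed out waiting for:$missing" >&2
    return 1
}

# load_ruleset: dry-run first (-c parses the file and resolves interface
# references without touching the kernel), then commit. A failure in either
# step leaves whatever ruleset is currently loaded untouched.
load_ruleset() {
    nft -c -f "$RULESET" && nft -f "$RULESET"
}

main() {
    [ "$#" -gt 0 ] || { echo "usage: $0 IFACE..." >&2; exit 2; }
    wait_for_ifaces "$@" || exit 1
    load_ruleset
}

# Run only when executed under the installed name, so the functions above
# can also be sourced from another script without side effects.
case "$(basename "$0")" in
    nft-load-when-ready) main "$@" ;;
esac
```

Two caveats worth knowing when choosing this approach. `meta iif vmbr1` is resolved to an interface index when the ruleset is loaded, which is exactly why nft rejects it while vmbr1 is absent; `meta iifname "vmbr1"` compares the name per packet instead and loads regardless, though it costs a string compare and does not help for the `device` of a netdev chain, which still has to exist when the chain is created. And a hook on vmbr1's stanza only covers interfaces that exist by the time vmbr1 is up, so bridges created later still need their own hook or the `iifname` form.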