On Thu, Aug 16, 2018 at 09:26:20AM +0200, Phil Sutter wrote:
> On Wed, Aug 15, 2018 at 11:33:47PM +0200, Florian Westphal wrote:
> > Phil Sutter <phil@xxxxxx> wrote:
> [...]
> > Not pretty but I'd find it much better than adding this to the kernel.
>
> I think Eric can work around this limitation by inserting such rules
> from firewalld. The question is whether we still want to have it in
> ebtables-nft for sake of consistency with legacy ebtables. If so, I
> would have a look at the hidden last rule idea. What are your opinions?

We can explore implementing this from userspace, from ebtables-nft, so it
will be transparent for firewalld.

We can place struct udata_type into libnftnl and use NFTA_RULE_USERDATA to
store a new attribute, eg. UDATA_TYPE_BRIDGE_POLICY, that allows
ebtables-nft to identify what rule stores the bridge policy, so last rule
plus UDATA_TYPE_BRIDGE_POLICY userdata attribute tells us this is the
default policy rule.

It will be a bit extra work from userspace, but it's doable and we avoid
adding default policy for non-base chains into the kernel.
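A sketch of the userdata-tagged policy rule proposed above, added here as an example and not code from this thread, libnftnl or ebtables-nft. It mirrors the TLV layout libnftnl writes into NFTA_RULE_USERDATA (u8 type, u8 len, value bytes) without linking libnftnl; the UDATA_TYPE_BRIDGE_POLICY value, the policy encoding and the function names are assumptions, and the sample blob is constructed.

```c
/* Added example, not code from this thread, libnftnl or ebtables-nft.
 * Mirrors the TLV layout libnftnl uses for NFTA_RULE_USERDATA
 * (u8 type, u8 len, value[]) with no libnftnl dependency.
 * UDATA_TYPE_BRIDGE_POLICY and the policy encoding are assumptions. */
#include <stdint.h>
#include <stddef.h>
#include <string.h>

enum { UDATA_TYPE_COMMENT = 0, UDATA_TYPE_BRIDGE_POLICY = 1 }; /* assumed numbering */
enum { BR_POLICY_NONE = -1, BR_POLICY_ACCEPT = 0, BR_POLICY_DROP = 1 };
struct udata_tlv { uint8_t type; uint8_t len; unsigned char value[]; };

/* Append one TLV at buf+len; returns the new length, or 0 if it would overflow. */
size_t udata_put(unsigned char *buf, size_t cap, size_t len,
                 uint8_t type, const void *val, uint8_t vlen)
{
    if (len + sizeof(struct udata_tlv) + vlen > cap) return 0;
    struct udata_tlv *t = (struct udata_tlv *)(buf + len);
    t->type = type; t->len = vlen;
    memcpy(t->value, val, vlen);
    return len + sizeof(struct udata_tlv) + vlen;
}

/* Walk a userdata blob; return the bridge policy it carries, or BR_POLICY_NONE
 * if the attribute is absent or the blob is truncated mid-TLV. */
int udata_bridge_policy(const unsigned char *buf, size_t len)
{
    size_t off = 0;
    while (off + sizeof(struct udata_tlv) <= len) {
        const struct udata_tlv *t = (const struct udata_tlv *)(buf + off);
        size_t next = off + sizeof(struct udata_tlv) + t->len;
        if (next > len) return BR_POLICY_NONE;          /* truncated TLV */
        if (t->type == UDATA_TYPE_BRIDGE_POLICY && t->len == sizeof(uint32_t)) {
            uint32_t pol;
            memcpy(&pol, t->value, sizeof(pol));        /* unaligned-safe read */
            return pol == BR_POLICY_DROP ? BR_POLICY_DROP : BR_POLICY_ACCEPT;
        }
        off = next;
    }
    return BR_POLICY_NONE;
}

/* Only the chain's last rule may be the policy rule; the attribute on any
 * earlier rule is ignored, so a stray tag cannot change the policy. */
int chain_default_policy(const unsigned char *const *rules, const size_t *lens, size_t n)
{
    if (n == 0) return BR_POLICY_NONE;
    return udata_bridge_policy(rules[n - 1], lens[n - 1]);
}
```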