Hello,
I hope this is the correct list to post to (based on info on
https://netfilter.org/mailinglists.html), I apologize for the noise if
not.
I am trying to replace these iptables rules:
iptables -P FORWARD DROP
iptables -A FORWARD -m physdev --physdev-is-bridged -j ACCEPT
The machine is a VM host and has multiple bridge interfaces connecting
the VMs into physical networks, mostly 2 (internet and internal),
sometimes more, which are created on-demand. The host needs to be able
to forward some traffic between networks (i.e.
sys.net.ipv4.ip_forward=1), but generally, forwarding between networks
needs to be blocked, so setting policy to accept is not an option.
I found a workaround for static bridges:
    table inet filter {
        chain forward {
            type filter hook forward priority 0; policy drop;
            iifname "br0" oifname "br0" accept
            iifname "br1" oifname "br1" accept
        }
    }
However, the VM host also creates bridge interfaces on-demand. The
iptables rule above takes care of them, but by switching to nftables I
would need to come up with a way to add a rule corresponding to every
interface created. It would be really convenient to have something like
this:
    table inet filter {
        chain forward {
            type filter hook forward priority 0; policy drop;
            iifname_equals_oifname accept
        }
    }
As far as I know, the nftables filtering uses an in-kernel virtual
machine and rules are compiled into a program by the nft tool. Since
it's already possible to do comparisons with static strings, it occurred
to me it might be possible to instruct the VM to compare both interface
names with each other, implementing this feature without the need to do
any changes in the kernel.
Is it possible to implement something like this in nft, provided the
solution is really as simple as I envisioned it?
Please CC me in replies, I am not on the list.
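One way to keep the per-bridge accept rules out of the ruleset body, as an added example that is not part of the original post: put the bridge names in a named set keyed on the concatenation `iifname . oifname` and add an element whenever a bridge is created, so the drop policy still covers forwarding between different bridges. The set name `same_bridge` and the bridge `br2` are assumed; `br0` and `br1` are the bridges from the post.

```nft
# Added example, not the poster's ruleset. Requires an nft release that
# supports concatenated set types with "ifname" (the iifname/oifname match
# below is a lookup of the pair in that set).
table inet filter {
    set same_bridge {
        # key is (input interface, output interface); only pairs where
        # both are the same bridge are listed, so anything else falls
        # through to the chain policy
        type ifname . ifname
        elements = { "br0" . "br0", "br1" . "br1" }
    }

    chain forward {
        type filter hook forward priority 0; policy drop;

        # accept a frame only when it enters and leaves through the same
        # bridge device, i.e. it is being bridged, not routed between networks
        iifname . oifname @same_bridge accept

        # routed traffic between bridges keeps hitting the drop policy;
        # any deliberate exceptions go here as explicit rules
    }
}

# register an on-demand bridge (assumed name br2) without reloading the
# table, e.g. from the script that creates the bridge:
#   nft add element inet filter same_bridge { "br2" . "br2" }
# and drop it again when the bridge is torn down:
#   nft delete element inet filter same_bridge { "br2" . "br2" }
```

As with the original iptables rule, bridged frames only reach the forward hook when br_netfilter is loaded and bridge-nf-call-iptables is enabled, so keep that part of the host configuration unchanged.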