Hi,
On all distributions I have checked, nftables.service (or its
non-systemd equivalent) is configured to start before the network is up
(Before=network-pre.target). At that point, not all interfaces have been
created.
This causes "nft -f /etc/nftables.conf" to fail when its configuration
contains a flowtable with interfaces that do not exist yet (e.g. VLANs
or bridges).
I have the following snippet where br0 is a bridge interface
and eno1.100 is a VLAN interface:
table inet filter {
	flowtable f {
		hook ingress priority filter
		devices = { br0, eno1.100 }
	}
	chain forward {
		type filter hook forward priority filter; policy accept;
		ct state established,related flow add @f
	}
}
When the specified devices are not present, the configuration fails with:
/etc/nftables.conf:77:26-33: Error: Could not process rule: No such file or directory
devices = { br0, eno1.100 }
^^^^^^^^
As a workaround, I set up:
- a service that loads most of my nftables configuration, except the
flowtable devices, before network-pre.target
- another service that loads my entire nftables configuration, including
the flowtable, after network-is-online.target
Is there a better way? I considered keeping only the second service.
But, in that case, I might accidentally allow blocked traffic during the
time it takes for the service to start after network-is-online.target.
Are flowtables designed to only allow existing devices? Could something
be changed in nftables/Netfilter to lift this restriction?
I'm not subscribed to this list, can you please CC me in replies?
Kind regards,
Louis Sautier
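One way to implement the "load only what exists now" half of the workaround described above, as an added example that is not part of the original message: a small POSIX shell script that renders the post's ruleset with the flowtable restricted to the devices currently present, so that `nft -f` succeeds before the VLAN or bridge is created and the full device list can be loaded again later, once the network is up. It assumes the table, flowtable and device names from the post (`inet filter`, `f`, `br0`, `eno1.100`); `SYSFS_NET` is a hypothetical override of `/sys/class/net` so the functions can be exercised against a constructed directory.

```shell
#!/bin/sh
# Added example (not from the original message): render the post's ruleset
# with a flowtable that lists only the devices that exist right now, so that
# "nft -f" does not fail when a VLAN or bridge has not been created yet.
# Assumptions: table "inet filter", flowtable "f" and devices br0 / eno1.100
# are taken from the post; SYSFS_NET is a hypothetical override of
# /sys/class/net used for testing against a constructed directory.

SYSFS_NET="${SYSFS_NET:-/sys/class/net}"

# Print, one per line, those of the given devices that exist under $SYSFS_NET.
present_devices() {
    for dev in "$@"; do
        if [ -e "$SYSFS_NET/$dev" ]; then
            printf '%s\n' "$dev"
        fi
    done
}

# Print the flowtable declaration for the devices that exist;
# print nothing if none of them exist yet.
render_flowtable() {
    list=""
    for dev in $(present_devices "$@"); do
        list="${list:+$list, }$dev"
    done
    if [ -n "$list" ]; then
        printf '  flowtable f {\n'
        printf '    hook ingress priority filter\n'
        printf '    devices = { %s }\n' "$list"
        printf '  }\n'
    fi
}

# Print the whole ruleset. The "flow add @f" rule is emitted only together
# with the flowtable declaration, since it references @f.
render_ruleset() {
    ft=$(render_flowtable "$@")
    printf 'table inet filter {\n'
    if [ -n "$ft" ]; then
        printf '%s\n' "$ft"
    fi
    printf '  chain forward {\n'
    printf '    type filter hook forward priority filter; policy accept;\n'
    if [ -n "$ft" ]; then
        printf '    ct state established,related flow add @f\n'
    fi
    printf '  }\n'
    printf '}\n'
}

# Usage on a live system (reads the rendered ruleset from stdin):
#   render_ruleset br0 eno1.100 | nft -f -
```

Running `render_ruleset br0 eno1.100 | nft -f -` from the early (pre-network) unit loads the filter chain and whatever flowtable devices already exist; running it again from the unit ordered after the network is online picks up the devices created in between. The `flow add @f` rule is dropped whenever no device is present, because it cannot be loaded without the flowtable it refers to.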