In iptables, "-i lo -j ACCEPT" was a pretty common basic rule. In nftables, "iif lo accept" is the direct translation. But! If the intent is "allow the host to talk to itself", isn't it clearer to say "iiftype loopback"?

* I think the distinction is rarely important. Am I right?

* Saying "iif foo" before "foo" exists will cause the ruleset to atomically roll back, probably leaving you unprotected. Can the ruleset load before the loopback interface exists? Early boot these days is so parallelized that I'm scared! Also, it seems like I want the ruleset to finish loading *before* I start "upping" any interfaces. Otherwise there is a brief window (like, <1s) each boot where the host is online without a firewall.

* Using "iifname lo" avoids that potential race, but will stop matching if lo is renamed. Is there a good reason to rename lo?

* Can you have multiple loopback interfaces at once? Is there a good reason to do that? Is there a bad reason to do that? (i.e. an attacker leveraging it to do Bad Things.) I think if the attacker has enough privileges to create or rename interfaces, you're probably already screwed, so "who cares?"
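The three loopback matches the post compares, side by side in one ruleset. This is an added example, not part of the original post: the `inet filter` table, the drop policies and the SSH port are assumptions chosen to make the file complete enough to load. The point it shows is the load-time versus match-time difference the poster is asking about: `iif` is resolved to an interface index by `nft` while the ruleset is being loaded, so a name that does not exist yet rejects the whole file; `iifname` compares the name per packet and `meta iiftype` compares the link type per packet, so both load fine before any interface is up.

```nft
#!/usr/sbin/nft -f
# Added example ruleset (not from the original post). Assumptions: a host that
# needs loopback, reply traffic and inbound SSH only.
flush ruleset

table inet filter {
    chain input {
        type filter hook input priority filter; policy drop;

        # Matches the interface NAME per packet. The ruleset loads even if
        # "lo" does not exist yet, so it can be committed before interfaces
        # are brought up. Stops matching if "lo" is ever renamed.
        iifname "lo" accept

        # Alternative: match the link TYPE (ARPHRD_LOOPBACK) per packet.
        # Also safe at early boot, and still matches a renamed or additional
        # loopback device.
        # meta iiftype loopback accept

        # Avoid at early boot: "iif" is resolved to an interface index when
        # nft evaluates the file. If "lo" is absent at that moment, loading
        # fails and, because loading is atomic, none of this table is applied.
        # iif "lo" accept

        ct state established,related accept
        ct state invalid drop
        tcp dport 22 accept
    }

    chain forward {
        type filter hook forward priority filter; policy drop;
    }

    chain output {
        type filter hook output priority filter; policy accept;
    }
}
```

`nft -c -f /etc/nftables.conf` parses and evaluates the file without committing it, so a bad interface reference in an `iif` rule shows up there rather than at boot; `nft -f /etc/nftables.conf` then applies it as one atomic transaction. On the ordering question in the post, a systemd unit that loads the ruleset can declare `Wants=network-pre.target` and `Before=network-pre.target`, which is the mechanism systemd provides for getting a firewall in place before network interfaces are configured.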