Trent W. Buck <trentbuck@xxxxxxxxx> wrote:

> In iptables, "-i lo -j ACCEPT" was a pretty common basic rule.
> In nftables, "iif lo accept" is the direct translation.

'meta iifname lo' would be the direct translation; iptables always
compares the name.

> But! If the intent is "allow the host to talk to itself" isn't it
> clearer to say "iiftype loopback"?
>
> * I think the distinction is rarely important.
>   Am I right?

Makes no difference in practice.

> * Saying "iif foo" before "foo" exists will cause the ruleset to
>   atomically rollback, probably leaving you unprotected.
>
>   Can the ruleset load before the loopback interface exists?

No, loopback is the first netdevice allocated.

> Also, it seems like I want the ruleset to finish loading *before* I
> start "upping" any interfaces. Otherwise there is a brief window
> (like, <1s) each boot where the host is online without a firewall.
>
> * Using "iifname lo" avoids that potential race, but
>   will stop matching if lo is renamed.

Same as iptables -i lo.

> Is there a good reason to rename lo?

Not that I know of.

> * Can you have multiple loopback interfaces at once?
>
>   Is there a good reason to do that?
>   Is there a bad reason to do that?
>   (i.e. an attacker leveraging it to do Bad Things)
>
>   I think if the attacker has enough privileges to create or rename
>   interfaces, you're probably already screwed, so "who cares?"

Exactly.
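To make the three loopback match forms discussed above concrete, here is a minimal input chain showing them side by side. This is an added example, not a ruleset from either poster; the nftables version, the `inet filter` table name and the single open port (ssh) are assumptions.

```nft
#!/usr/sbin/nft -f
# Added example (not from the thread). Assumes nftables >= 0.9 and a host
# that only needs ssh reachable from the outside.

flush ruleset

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;

        # "iif" is resolved to an interface index when the file is loaded.
        # If "lo" did not exist at that moment, nft -f would reject the
        # whole file and leave the previous ruleset in place (atomic load).
        iif "lo" accept

        # "iifname" compares the name on every packet: it loads whether or
        # not the interface exists yet, but stops matching if lo is renamed
        # (same behaviour as iptables "-i lo").
        # iifname "lo" accept

        # "iiftype" matches the link type (ARPHRD_LOOPBACK), so it depends
        # on neither the index nor the name.
        # iiftype loopback accept

        ct state established,related accept
        ct state invalid drop
        meta l4proto { icmp, ipv6-icmp } accept
        tcp dport 22 accept
    }
}
```

Load it with `nft -f <file>`; because the file is applied as one transaction, the `flush ruleset` at the top is rolled back together with everything else if any later line fails to parse or resolve, so a failed load does not leave the host unfiltered.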