Add more nftables rules for LXD

Hello, I added more rules into nftables (/etc/nftables.conf); however, my understanding is that when the server boots, all these rules are flushed and LXD applies its own.

Don't ask why (please do if you are curious; the reason is that I do not want LXD to serve DHCP outside of the LXD host, as I have an unusual setup for my use case), but here are the nftables rules. It has been a long evening, but I think they work; I will test them again the next day.

table bridge filter {
    chain postrouting {
        type filter hook postrouting priority 0;
        oifname eno1 udp sport { 67, 68 } drop;
        oifname eno1 udp dport { 67, 68 } drop;
    }
}

Question: is it possible to add them with LXD Network ACLs? I mean, should I try?

I am aware I can disable ipv4.firewall, but the rules that LXD sets up do not bother me; I do not mind if LXD wants to keep them.

As a workaround, I could do # nft list ruleset >> /etc/nftables.conf and configure the nftables service to restart on each boot, but this is not a correct solution.

Actually, you may ignore this. I have just noticed that the nftables service was disabled. I enabled the service, rebooted the host, ran sudo nft list ruleset and can confirm that both the LXD ruleset and my own are present.

LXD rules will disappear if I restart the nftables service, but what is more important is that all the firewall rules are automatically present after the host is rebooted, and no hacks are necessary for this.

Solution for my use case: enable nftables service.
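A post-boot check for the situation described above, as an added example that is not part of the original post: it parses the JSON that `nft -j list ruleset` emits and confirms that both LXD's own table (assumed here to be `inet lxd`) and the DHCP drop rules for `eno1` survived the reboot. The ruleset below is a constructed sample in that shape, not output from a real host, and `check_ruleset` and `dhcp_drop_fields` are names chosen for this example.

```python
import json

# Constructed sample in the shape of `nft -j list ruleset` output: LXD's table (assumed name "inet lxd") and the poster's rules.
SAMPLE_RULESET = json.dumps({"nftables": [
    {"table": {"family": "inet", "name": "lxd", "handle": 1}},
    {"table": {"family": "bridge", "name": "filter", "handle": 2}},
    {"chain": {"family": "bridge", "table": "filter", "name": "postrouting", "handle": 1,
               "type": "filter", "hook": "postrouting", "prio": 0, "policy": "accept"}},
    {"rule": {"family": "bridge", "table": "filter", "chain": "postrouting", "handle": 3, "expr": [
        {"match": {"op": "==", "left": {"meta": {"key": "oifname"}}, "right": "eno1"}},
        {"match": {"op": "==", "left": {"payload": {"protocol": "udp", "field": "sport"}},
                   "right": {"set": [67, 68]}}},
        {"drop": None}]}},
    {"rule": {"family": "bridge", "table": "filter", "chain": "postrouting", "handle": 4, "expr": [
        {"match": {"op": "==", "left": {"meta": {"key": "oifname"}}, "right": "eno1"}},
        {"match": {"op": "==", "left": {"payload": {"protocol": "udp", "field": "dport"}},
                   "right": {"set": [67, 68]}}},
        {"drop": None}]}},
]})


def tables(ruleset):
    """Set of (family, name) for every table in the parsed ruleset."""
    return {(o["table"]["family"], o["table"]["name"]) for o in ruleset["nftables"] if "table" in o}


def dhcp_drop_fields(ruleset, iface):
    """Port fields ('sport'/'dport') that have a drop rule on iface in bridge filter postrouting covering ports 67 and 68."""
    found = set()
    for obj in ruleset["nftables"]:
        rule = obj.get("rule")
        if not rule or (rule["family"], rule["table"], rule["chain"]) != ("bridge", "filter", "postrouting"):
            continue
        if not rule["expr"] or "drop" not in rule["expr"][-1]:
            continue  # not a drop rule, so it cannot be one of ours
        oif, ports = None, {}
        for m in (e["match"] for e in rule["expr"] if "match" in e):
            left, right = m["left"], m["right"]
            if "meta" in left and left["meta"]["key"] == "oifname":
                oif = right
            elif "payload" in left and left["payload"]["protocol"] == "udp":
                # a port match is either a single value or an anonymous set {"set": [...]}
                ports[left["payload"]["field"]] = set(right["set"]) if isinstance(right, dict) else {right}
        if oif == iface:
            found |= {field for field, p in ports.items() if {67, 68} <= p}
    return found


def check_ruleset(ruleset_json, iface="eno1"):
    """Post-boot check: LXD's table is still there and both DHCP drop rules exist for iface."""
    rs = json.loads(ruleset_json)
    return {"lxd_table_present": ("inet", "lxd") in tables(rs),
            "dhcp_blocked": dhcp_drop_fields(rs, iface) == {"sport", "dport"}}
```

On the host, feed `check_ruleset` the stdout of `nft -j list ruleset` (for instance via `subprocess.run`) instead of the constructed sample.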
