Hello, I added more rules into nftables (/etc/nftables.conf); however, my understanding is that when the server boots, all these rules are flushed and LXD applies its own.
Don't ask why (please do if you are curious. The reason is: I do not want LXD to serve DHCP outside of the LXD host; I have an unusual setup for my use case), but here are the nftables rules. It has been a long evening, but I think they work; I will test them again the next day.
```
table bridge filter {
    chain postrouting {
        type filter hook postrouting priority 0;
        oifname eno1 udp sport { 67, 68 } drop;
        oifname eno1 udp dport { 67, 68 } drop;
    }
}
```
Question: is it possible to add them with LXD Network ACLs? I mean, should I try?
I am aware I can disable `ipv4.firewall`, but those rules that LXD sets up do not bother me; I do not mind if LXD wants to keep them.
As a workaround, I could do `# nft list ruleset >> /etc/nftables.conf` and configure the nftables service to restart on each boot, but this is not a correct solution.
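Whichever way the rules end up being loaded (nftables.conf, a restart-on-boot unit, or an LXD ACL), the practical worry in the post is that LXD's own ruleset setup silently removes them. The following is an added example written for this page, not code from the original post or from the LXD project: a small POSIX shell check that reads an `nft list ruleset` dump on stdin and reports whether both DHCP drop rules for an interface (`eno1`, taken from the post) are still present. The two ruleset dumps embedded below are constructed samples, one with the rules and one as they would look after a flush; on a real host you would pipe the live output in instead.

```shell
#!/bin/sh
# Added example (not from the original post): detect whether the DHCP-blocking
# rules for an interface survived boot / LXD startup by inspecting a ruleset dump.

# check_dhcp_drop_rules IFACE
#   Reads an `nft list ruleset` dump from stdin. Returns 0 when both the
#   "udp sport { 67, 68 } drop" and "udp dport { 67, 68 } drop" rules for IFACE
#   are present, 1 otherwise (and names the missing rule on stderr).
#   nft prints interface names quoted ("eno1"), so the quotes are optional here.
check_dhcp_drop_rules() {
    iface="$1"
    ruleset="$(cat)"
    missing=0
    for dir in sport dport; do
        if ! printf '%s\n' "$ruleset" | grep -Eq "oifname \"?${iface}\"? udp ${dir} \{ 67, 68 \} drop"; then
            echo "missing: oifname ${iface} udp ${dir} { 67, 68 } drop" >&2
            missing=1
        fi
    done
    return $missing
}

# Constructed sample: the ruleset as nft would print it with the rules loaded.
RULESET_OK='table bridge filter {
    chain postrouting {
        type filter hook postrouting priority 0; policy accept;
        oifname "eno1" udp sport { 67, 68 } drop
        oifname "eno1" udp dport { 67, 68 } drop
    }
}'

# Constructed sample: the same table after the custom rules were flushed,
# leaving only an (assumed, illustrative) LXD-managed table behind.
RULESET_FLUSHED='table inet lxd {
    chain fwd.lxdbr0 {
        type filter hook forward priority filter; policy accept;
    }
}'

# Demonstration on the constructed samples.
printf '%s\n' "$RULESET_OK" | check_dhcp_drop_rules eno1 && echo "rules present"
printf '%s\n' "$RULESET_FLUSHED" | check_dhcp_drop_rules eno1 || echo "rules missing after flush"

# On a live host (as root), run instead:
#   nft list ruleset | check_dhcp_drop_rules eno1
```

Running this from a systemd timer or a cron job a minute after boot turns "I think they work" into a recorded pass/fail, and the same check can be reused unchanged if the rules are later moved into an LXD ACL, as long as the resulting nft rules keep the same shape.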