Configuring nftables via API on container up or start

I’m using LXD in network routed mode (server act as router). Looks like it works more or less stable.
I see that on container start, LXD created an entry in firewall filter dynamically on container start i.e.:

table inet lxd {
	chain {
		type filter hook prerouting priority raw; policy accept;
		iif "veth32f4ba76" fib saddr . iif oif missing drop

To limit access to my containers, I’ve created forwarding rules in nftables:

	chain host_site1 {
		ip saddr @ALLOWED_ACCESS_WWW tcp dport 80 counter packets 12008 bytes 720480 accept

	chain forward {
		type filter hook forward priority filter; policy drop;
		ip protocol { tcp, udp } ip daddr jump host_site1
		ip protocol { icmp, tcp, udp } ip saddr @LXC_CONTAINERS counter packets 288 bytes 20374 accept

Is there a way to create such rules dynamically on container start.
For example, add rule on start ip protocol { tcp, udp } ip daddr jump host_site1 and remove it on container stop?

Thanks in advance.

At this time LXD ACL feature doesn’t work with routed NICs.

See also Network ACLs possible on routed devices?

1 Like