@stgraber So for example LXD creates this:
table ip lxd {
    chain in.lxdbr0 {
        type filter hook input priority 0; policy accept;
        iifname "lxdbr0" tcp dport 53 accept
        iifname "lxdbr0" udp dport 53 accept
        iifname "lxdbr0" udp dport 67 accept
    }
    chain out.lxdbr0 {
        type filter hook output priority 0; policy accept;
        oifname "lxdbr0" tcp sport 53 accept
        oifname "lxdbr0" udp sport 53 accept
        oifname "lxdbr0" udp sport 67 accept
    }
    chain fwd.lxdbr0 {
        type filter hook forward priority 0; policy accept;
        oifname "lxdbr0" accept
        iifname "lxdbr0" accept
    }
    chain pstrt.lxdbr0 {
        type nat hook postrouting priority 100; policy accept;
        ip saddr 10.63.37.0/24 ip daddr != 10.63.37.0/24 masquerade
    }
}
and UFW (via the iptables shim) creates this:
table ip filter {
    chain INPUT {
        type filter hook input priority 0; policy drop;
    }
    chain FORWARD {
        type filter hook forward priority 0; policy drop;
    }
    chain OUTPUT {
        type filter hook output priority 0; policy accept;
    }
}
We would need to add a rule to the filter table in the INPUT and FORWARD chains to jump into our own chains to stand a chance of the packets being allowed. However nftables doesn’t allow you to jump into a base chain (one that has a netfilter hook in it), and I’m not sure you can jump across tables either.
So to get compatibility with the iptables shim we’d need to add our custom chains to the filter table and then add rules to the INPUT and FORWARD chains to get our rules applied before the DROP policy kicks in.
This would only work with applications that use the filter table, and any other application that creates its own tables and sets up drop policies would cause the same problem again.