tomp
(Thomas Parrott)
October 20, 2022, 5:44pm
26
Here is @stgraber's post about this
Yeah, I’m honestly not sure what’s the right thing to do here…
I’m not super optimistic about us putting workarounds in place to handle the compatibility xtables tooling. By definition this will cause issues as it’s trying to pretend that nft is xtables and so comes with the same issues around rule ordering…
I believe ufw was natively ported to nft recently so it may instead be better to see how we handle the rules generated by that version.
Cooperating properly with other native nft users an…
This is why we are hesitant to change the approach at the moment until we can see how other firewall systems approach coexistence when using native nftables (rather than just calling the iptables shim).
I had proposed something similar to your suggestion previously
@stgraber So for example LXD creates this:
table ip lxd {
    chain in.lxdbr0 {
        type filter hook input priority 0; policy accept;
        iifname "lxdbr0" tcp dport 53 accept
        iifname "lxdbr0" udp dport 53 accept
        iifname "lxdbr0" udp dport 67 accept
    }
    chain out.lxdbr0 {
        type filter hook output priority 0; policy accept;
        oifname "lxdbr0" tcp sport 53 accept
        oifname "lxdbr0" udp sport 53 accept
        oifname "lxdbr0" udp sport 67 accept
    }
    chain fwd.lxdbr0 {
        type filter hook forward priority…
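The coexistence concern discussed in this thread (several native nftables users, such as LXD's `table ip lxd`, registering base chains on the same netfilter hook at priority 0), shown by an added example that is neither LXD's nor the poster's code: it parses `nft -j list ruleset` JSON and reports tables that share a hook at the same priority. The sample ruleset is constructed; the `ip filter` table in it is an assumption modelled on what the iptables-nft shim creates, and the `custom-input` chain is a made-up regular chain.

```python
# Added example, not LXD's code: read `nft -j list ruleset` output and report
# tables whose base chains share a netfilter hook at the same priority. The
# SAMPLE ruleset is constructed: LXD's `table ip lxd` base chains as quoted in
# the post, plus an assumed `ip filter` table like the one iptables-nft creates.
import json
from collections import defaultdict

def chain(table, name, hook=None, prio=0, policy="accept", handle=0):
    """Build an nft JSON chain object; only base chains carry hook/type/prio."""
    c = {"family": "ip", "table": table, "name": name, "handle": handle}
    if hook:
        c.update({"type": "filter", "hook": hook, "prio": prio, "policy": policy})
    return {"chain": c}

SAMPLE_RULESET = json.dumps({"nftables": [
    {"metainfo": {"version": "1.0.6", "json_schema_version": 1}},
    {"table": {"family": "ip", "name": "lxd", "handle": 1}},
    chain("lxd", "in.lxdbr0", "input", handle=1),
    chain("lxd", "out.lxdbr0", "output", handle=2),
    chain("lxd", "fwd.lxdbr0", "forward", handle=3),
    {"table": {"family": "ip", "name": "filter", "handle": 2}},
    chain("filter", "INPUT", "input", policy="drop", handle=1),
    chain("filter", "FORWARD", "forward", policy="drop", handle=2),
    chain("filter", "custom-input", handle=3),  # regular chain: no hook, never ordered
]})

def base_chains_by_hook(ruleset_json):
    """Map (family, hook) -> [(prio, table, chain, policy)] sorted by priority."""
    hooks = defaultdict(list)
    for obj in json.loads(ruleset_json)["nftables"]:
        c = obj.get("chain")
        if c and "hook" in c:  # regular chains have no hook and are skipped
            hooks[(c["family"], c["hook"])].append(
                (c["prio"], c["table"], c["name"], c.get("policy")))
    return {k: sorted(v) for k, v in hooks.items()}

def priority_ties(ruleset_json):
    """{(family, hook, prio): [tables]} where several tables hook at one priority.
    The kernel walks them in registration order, which the ruleset does not express;
    accept in one base chain does not skip the others and a drop in any is final."""
    ties = {}
    for (family, hook), chains in base_chains_by_hook(ruleset_json).items():
        tables_by_prio = defaultdict(set)
        for prio, table, _name, _policy in chains:
            tables_by_prio[prio].add(table)
        for prio, tables in tables_by_prio.items():
            if len(tables) > 1:
                ties[(family, hook, prio)] = sorted(tables)
    return ties
```

On a live host, feed `priority_ties` the output of `nft -j list ruleset` instead of the constructed sample; a tie on the input or forward hook is exactly the case where LXD's DNS/DHCP accept rules cannot override a drop policy in another table on the same hook.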