To me the fwd, in and out chains look kinda useless since they use an accept policy. That means that accepting certain packets explicitly doesn’t have any effect. So is there a reason why they exist? That’s what they currently look like on arch linux with lxd 5.2: table inet lxd { chain …

[image] m1cha: correct me if I’m wrong, but the way I understand it, with the policy of lxd’s chains being accept, all the other rules don’t have any effect and we could just remove them without any change in behavior. That doesn’t mean that we should switch to drop, just that we can basically r…

Reasoning behind in/out/fwd netfilter rules

LXD

tomp (Thomas Parrott) June 26, 2022, 6:07pm 3

See discussion here for more detail

To actually drop traffic you can use our network acl feature.