dotfiles/etc/nftables.conf, branch master

dotfiles/etc/nftables.conf, branch master My linux config and rc files https://git.sommerfeld.dev/dotfiles/atom/etc/nftables.conf?h=master 2026-05-22T13:28:18Z fix(nftables): waydroid DHCP/DNS ingress, drop manual NAT table 2026-05-22T13:28:18Z sommerfeld sommerfeld@sommerfeld.dev 2026-05-22T13:28:18Z urn:sha1:115c508c0ecfa4b255de854d433ba02eaf029b29 Mirror the libvirt pattern by accepting DHCP+DNS on waydroid0 so the Android container's DhcpClient can lease an IP from dnsmasq. Remove the manual ip nat MASQUERADE table: waydroid-container installs its own MASQUERADE rule via iptables-nft compat, so the explicit table is redundant (and was clobbering anything else in ip nat via the destroy table). fix(nftables): add MASQUERADE for waydroid0 2026-05-22T13:28:18Z sommerfeld sommerfeld@sommerfeld.dev 2026-05-22T13:28:18Z urn:sha1:9e9781b7f5b70893acefd50817d8bfa233d7362a waydroid-container ships only the iptables-legacy code path for adding its POSTROUTING MASQUERADE; on a host with pure nftables the rule never lands and the Android container has no outbound NAT. Declare it explicitly in our nftables.conf for determinism. fix(net): keep waydroid0 out of bond0, allow it through nftables 2026-05-22T13:28:17Z sommerfeld sommerfeld@sommerfeld.dev 2026-05-22T13:28:17Z urn:sha1:18277fc1ec921dfcfa61c0b2f0b40fb62cfa070f systemd-networkd's Type=ether matcher was enslaving waydroid0 into bond0 the moment 'waydroid session start' ran, taking down the host's default route. Mirror the libvirt/docker negation pattern. Also mirror the existing virbr0 forward accepts for waydroid0 so the Android container can actually reach the internet through MASQUERADE. fix(nftables): use iifname/oifname for virbr0 so rules load before libvirtd 2026-05-13T12:43:41Z sommerfeld sommerfeld@sommerfeld.dev 2026-05-13T12:43:41Z urn:sha1:a831d12291f40832bc3da4a927cbc31cae8e06eb nftables.service starts at boot before libvirtd creates the virbr0 NAT bridge. 'iif'/'oif' resolve to a kernel ifindex at rule-load time and fail with 'Interface does not exist' when virbr0 isn't up yet. 'iifname'/'oifname' do a string match per packet and tolerate a missing interface, so the ruleset loads cleanly at boot and starts matching once libvirtd brings virbr0 up. fix(nftables): allow DHCP/DNS and forwarding for libvirt virbr0 2026-05-13T12:43:41Z sommerfeld sommerfeld@sommerfeld.dev 2026-05-13T12:43:41Z urn:sha1:fa081c7a7dbe0ab3660f6f6d7860b5a815370c5d The host firewall has policy=drop on both input and forward chains. libvirt creates its own nftables table for virbr0 NAT, but: 1. It does not touch the input chain at all, so DHCP packets from guests (UDP/67) are dropped before reaching dnsmasq. Result: Windows guest stuck on 169.254.x APIPA forever. 2. Its forward-chain accepts have the same hook+priority as ours. In nftables, all chains at a hook+priority must accept (any drop wins), so our policy=drop would block guest egress and return traffic even though libvirt's chain explicitly accepts. Add minimal carve-outs for virbr0: DHCP+DNS in input, guest egress and return traffic in forward. refactor(nftables): minimize diff against upstream pristine 2026-05-13T12:43:36Z sommerfeld sommerfeld@sommerfeld.dev 2026-05-13T12:43:36Z urn:sha1:fd06e5313c257648b10a56b9c4151d701fba7d43 The previous custom config rewrote the file to 4-space indentation, added an explicit accept-policy output chain, and expanded the icmp section into per-type whitelists. None of that changed observable behaviour vs the stock arch nftables.conf: * Stock already uses scoped `destroy table inet filter` (so podman and netavark tables survive a reload). * `meta l4proto { icmp, icmpv6 } accept` already covers NDP, MLD, PMTUD, and echo — the explicit per-type list was equivalent. * Without an output chain, outbound traffic is unfiltered, which is identical to `policy accept` on an explicit output chain. * DHCPv6 client (UDP/546) is only needed on networks that hand out DHCPv6 leases; my home/work LANs use SLAAC + RDNSS, and the rare DHCPv6 case can be added back in one line if it ever bites. The only laptop-specific deviation is dropping the `tcp dport ssh accept` line — no inbound SSH on a portable machine. Net diff against pristine is now a single deletion, which makes `just etc-upstream-diff` actually useful for spotting upstream ruleset improvements on package updates. feat(net): nftables laptop firewall 2026-05-13T12:43:22Z sommerfeld sommerfeld@sommerfeld.dev 2026-05-13T12:43:22Z urn:sha1:ac0654daf06a9d01fd264d96c00c8ab47b90cb73 Default-deny inbound, allow outbound. Scoped to 'inet filter' with 'destroy table' on reload so podman/netavark tables are preserved. - meta/base.txt: add nftables - systemd-units/system/base.txt: enable nftables.service - etc/nftables.conf: laptop ruleset (loopback, ct state, ICMP/ICMPv6 essentials, DHCPv6 client, default-drop input/forward, accept output) - etc/sysctl.d/99-sysctl.conf: rp_filter=2, no redirects, no source-route, log_martians - README.md: firewall section with reload caveat