authorLibravatar sommerfeld <sommerfeld@sommerfeld.dev>2026-05-13 13:43:41 +0100
committerLibravatar sommerfeld <sommerfeld@sommerfeld.dev>2026-05-13 13:43:41 +0100
commita831d12291f40832bc3da4a927cbc31cae8e06eb (patch)
treee2002506f3b90ae68cd046b40c75f346ad087aa5 /etc
parent6efbd1cd57f72f80808c7992ea03642f65c7aa2a (diff)
fix(nftables): use iifname/oifname for virbr0 so rules load before libvirtd
nftables.service starts at boot before libvirtd creates the virbr0 NAT bridge. 'iif'/'oif' resolve to a kernel ifindex at rule-load time and fail with 'Interface does not exist' when virbr0 isn't up yet. 'iifname'/'oifname' do a string match per packet and tolerate a missing interface, so the ruleset loads cleanly at boot and starts matching once libvirtd brings virbr0 up.
Diffstat (limited to 'etc')
-rw-r--r--etc/nftables.conf10
1 files changed, 6 insertions, 4 deletions
diff --git a/etc/nftables.conf b/etc/nftables.conf
index 50bb842..f22150e 100644
--- a/etc/nftables.conf
+++ b/etc/nftables.conf
@@ -19,8 +19,8 @@ table inet filter {
# libvirt manages its own forward/NAT chains but does NOT touch the input
# chain, so without this rule guests get no IP (DHCP packets are dropped
# before dnsmasq sees them).
- iif "virbr0" udp dport { 53, 67 } accept comment "libvirt: DHCP+DNS from guests"
- iif "virbr0" tcp dport 53 accept comment "libvirt: DNS over TCP from guests"
+ iifname "virbr0" udp dport { 53, 67 } accept comment "libvirt: DHCP+DNS from guests"
+ iifname "virbr0" tcp dport 53 accept comment "libvirt: DNS over TCP from guests"
pkttype host limit rate 5/second counter reject with icmpx type admin-prohibited
counter
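Review bot: The two added input-chain rules switch to `iifname` but, unlike the forward-chain hunk below, carry no comment saying why the string match is used, so a later edit could "normalise" them back to `iif` and reintroduce the boot-time load failure the commit message describes. Suggest a one-line comment above the first rule: `# iifname (string match), not iif: this must load before libvirtd has created virbr0.` The enclosing input chain of `table inet filter` begins outside the hunk.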
@@ -34,7 +34,9 @@ table inet filter {
# nftables a packet must be accepted by ALL chains at that priority, so
# our policy=drop would otherwise block all guest egress and return
# traffic. Mirror libvirt's accepts here for the default NAT bridge.
- iif "virbr0" accept comment "libvirt: guest egress"
- oif "virbr0" ct state established,related accept comment "libvirt: guest return"
+ # Use iifname/oifname (string match) instead of iif/oif so the rules
+ # load before libvirtd has created virbr0 at boot.
+ iifname "virbr0" accept comment "libvirt: guest egress"
+ oifname "virbr0" ct state established,related accept comment "libvirt: guest return"
}
}
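Review bot: The new comment in the forward chain explains the load-order motivation but not the semantic change: `iif`/`oif` bound the rule to the kernel ifindex that existed at load time, whereas `iifname "virbr0"`/`oifname "virbr0"` match whatever interface carries that name when each packet is evaluated, including one created by something other than libvirtd. That is the intended behaviour here, but it is worth stating so the unrestricted `iifname "virbr0" accept` egress rule is not later assumed to be tied to libvirt's own bridge; the same applies to the input-chain rules in the hunk above. Suggest extending the comment with: `# Note: the name match applies to any interface called virbr0, not only the one libvirtd creates.`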