From a831d12291f40832bc3da4a927cbc31cae8e06eb Mon Sep 17 00:00:00 2001
From: sommerfeld
Date: Wed, 13 May 2026 13:43:41 +0100
Subject: fix(nftables): use iifname/oifname for virbr0 so rules load before libvirtd
nftables.service starts at boot before libvirtd creates the virbr0 NAT bridge. 'iif'/'oif' resolve to a kernel ifindex at rule-load time and fail with 'Interface does not exist' when virbr0 isn't up yet. 'iifname'/'oifname' do a string match per packet and tolerate a missing interface, so the ruleset loads cleanly at boot and starts matching once libvirtd brings virbr0 up.
---
 etc/nftables.conf | 10 ++++++----
 1 file changed, 6 insertions(+), 4 deletions(-)
diff --git a/etc/nftables.conf b/etc/nftables.conf
index 50bb842..f22150e 100644
--- a/etc/nftables.conf
+++ b/etc/nftables.conf
@@ -19,8 +19,8 @@ table inet filter {
 # libvirt manages its own forward/NAT chains but does NOT touch the input
 # chain, so without this rule guests get no IP (DHCP packets are dropped
 # before dnsmasq sees them).
- iif "virbr0" udp dport { 53, 67 } accept comment "libvirt: DHCP+DNS from guests"
- iif "virbr0" tcp dport 53 accept comment "libvirt: DNS over TCP from guests"
+ iifname "virbr0" udp dport { 53, 67 } accept comment "libvirt: DHCP+DNS from guests"
+ iifname "virbr0" tcp dport 53 accept comment "libvirt: DNS over TCP from guests"
 pkttype host limit rate 5/second counter reject with icmpx type admin-prohibited counter
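Review bot: The reason for switching to iifname is only recorded in the forward-chain hunk (the `@@ -34,7` hunk adds a comment there); the two input-chain rules here carry no such note, so a later cleanup could "simplify" them back to iif and reintroduce the boot-order failure described in the commit message. Add the same note above the DHCP/DNS rules, e.g. `# iifname (per-packet name match) rather than iif: virbr0 does not exist yet when nftables.service loads this file at boot, and iif would bind to the ifindex at load time, so it also stops matching if libvirtd ever re-creates the bridge (virsh net-destroy/net-start).` The second clause is worth writing down because the re-creation case is the one that bites after boot and is not mentioned in the commit message; the trade-off (any interface later created with the name virbr0 inherits these accepts) is acceptable for a host-managed bridge but should be stated so it is a conscious choice. The input chain this hunk belongs to starts before the hunk.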
@@ -34,7 +34,9 @@ table inet filter {
 # nftables a packet must be accepted by ALL chains at that priority, so
 # our policy=drop would otherwise block all guest egress and return
 # traffic. Mirror libvirt's accepts here for the default NAT bridge.
- iif "virbr0" accept comment "libvirt: guest egress"
- oif "virbr0" ct state established,related accept comment "libvirt: guest return"
+ # Use iifname/oifname (string match) instead of iif/oif so the rules
+ # load before libvirtd has created virbr0 at boot.
+ iifname "virbr0" accept comment "libvirt: guest egress"
+ oifname "virbr0" ct state established,related accept comment "libvirt: guest return"
 }
 }
-- 
cgit v1.3.1
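Review bot: `iifname "virbr0" accept` in the forward chain accepts every forwarded packet arriving on virbr0 regardless of source address or egress interface, so a guest can emit traffic with an arbitrary source IP and have it forwarded to any network the host routes to, not only the NAT uplink; the added comment explains the iifname switch but leaves this unbounded accept in place. If the intent stated in the context comment is to mirror libvirt's accepts, restrict both rules to the bridge's subnet, e.g. `iifname "virbr0" ip saddr GUEST_SUBNET accept comment "libvirt: guest egress"` and `oifname "virbr0" ip daddr GUEST_SUBNET ct state established,related accept comment "libvirt: guest return"`, where GUEST_SUBNET is a placeholder for the network defined for virbr0 in libvirt (not on this page). As far as I recall libvirt's own forward rules for a NAT network carry that same source/destination-subnet match, so this would keep the two rule sets in step rather than making this file the more permissive of the two. The forward chain that these rules belong to starts before this hunk; only its closing brace is visible here.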