[pkg-netfilter-team] Bug#989431: nftables runs to early at system boot

Thu Jun 3 16:49:17 BST 2021

On 6/3/21 5:26 PM, F.Stoyan wrote:
> 
> nftables runs to early at system boot. At this time not all interfaces are available:
> 
> # journalctl -b -3 --unit=systemd-networkd.service --unit=nftables.service --no-hostname
> -- Journal begins at Fri 2021-05-28 15:13:07 CEST, ends at Thu 2021-06-03 17:08:05 CEST. --
> Jun 03 15:18:23 nft[414]: /etc/nftables.conf:12:21-31: Error: Interface does not exist
> Jun 03 15:18:23 nft[414]: define SSID-MEDIA = enp1s0f0.66
> Jun 03 15:18:23 nft[414]:                     ^^^^^^^^^^^
> Jun 03 15:18:23 nft[414]: /etc/nftables.conf:11:21-31: Error: Interface does not exist
> Jun 03 15:18:23 nft[414]: define SSID-LABOR = enp1s0f0.65
> Jun 03 15:18:23 nft[414]:                     ^^^^^^^^^^^

I guess you are using interface index in your ruleset, rather than interface 
names. If you use interface name (i.e, iffname oifname etc) then the interface 
don't need to exist when loading the ruleset.

Loading the ruleset *before* the interfaces are up ensures that no network 
traffic bypass the firewall policy.

Is up to you to configure the systemd unit to load before/after the network.