[pkg-netfilter-team] Bug#989431: nftables runs too early at system boot

Friedemann Stoyan fstoyan at swapon.de
Thu Jun 3 18:37:55 BST 2021


On  3.06.21 17:49, Arturo Borrero Gonzalez wrote:
> On 6/3/21 5:26 PM, F.Stoyan wrote:
> > 
> > nftables runs too early at system boot. At this time not all interfaces are available:
> > 
> > # journalctl -b -3 --unit=systemd-networkd.service --unit=nftables.service --no-hostname
> > -- Journal begins at Fri 2021-05-28 15:13:07 CEST, ends at Thu 2021-06-03 17:08:05 CEST. --
> > Jun 03 15:18:23 nft[414]: /etc/nftables.conf:12:21-31: Error: Interface does not exist
> > Jun 03 15:18:23 nft[414]: define SSID-MEDIA = enp1s0f0.66
> > Jun 03 15:18:23 nft[414]:                     ^^^^^^^^^^^
> > Jun 03 15:18:23 nft[414]: /etc/nftables.conf:11:21-31: Error: Interface does not exist
> > Jun 03 15:18:23 nft[414]: define SSID-LABOR = enp1s0f0.65
> > Jun 03 15:18:23 nft[414]:                     ^^^^^^^^^^^
> 
> I guess you are using interface index in your ruleset, rather than interface

Yes, indeed!

> names. If you use interface names (i.e., iifname, oifname, etc.) then the
> interface doesn't need to exist when loading the ruleset.
> 
> Loading the ruleset *before* the interfaces are up ensures that no network
> traffic bypasses the firewall policy.
> 
> It is up to you to configure the systemd unit to load before/after the network.

Thanks for the explanation. So everything is clear now. I think you can close
the bug report.

Best regards
F. Stoyan
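
The distinction Arturo describes, shown as an added ruleset (not from the bug report or the Debian package): the `iif` form is resolved to an interface index when `nft -f` parses the file, so with a VLAN interface that does not exist yet the whole atomic load fails and no policy is in place; the `iifname` form compares the name per packet and loads fine before networkd brings the VLANs up. The define names and interfaces are taken from the report; the chain and service ports are assumed.

```nft
#!/usr/sbin/nft -f
# Added example, not part of the bug report. Interface names come from the
# report; the chain layout and the ports allowed are assumptions.

flush ruleset

# Quoted so the dotted VLAN name is always read as a string for iifname.
define SSID-LABOR = "enp1s0f0.65"
define SSID-MEDIA = "enp1s0f0.66"

table inet filter {
    chain input {
        type filter hook input priority 0; policy drop;

        ct state established,related accept
        iif lo accept

        # Weak form: 'iif' is turned into an interface index at load time.
        # If enp1s0f0.65 is not up yet, nft aborts with
        # "Error: Interface does not exist" and NOTHING in this file is
        # loaded, so the host boots without the drop policy until a retry.
        # The index also goes stale if the VLAN device is deleted and
        # re-created with a different index.
        # iif $SSID-LABOR tcp dport 22 accept

        # Corrected form: 'iifname' matches the name when a packet arrives,
        # so the ruleset loads before the interfaces exist and the policy is
        # already enforced when networkd brings the VLANs up.
        iifname $SSID-LABOR tcp dport 22 accept
        iifname $SSID-MEDIA udp dport 5353 accept
    }
}
```

Check a file before booting with it using `nft -c -f /etc/nftables.conf`; the `iif` variant fails the check on a host where the VLAN is down, the `iifname` variant passes.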
