On 6/3/21 5:26 PM, F.Stoyan wrote:

nftables runs too early at system boot. At this time not all interfaces are 
available:

# journalctl -b -3 --unit=systemd-networkd.service --unit=nftables.service 
--no-hostname
-- Journal begins at Fri 2021-05-28 15:13:07 CEST, ends at Thu 2021-06-03 
17:08:05 CEST. --
Jun 03 15:18:23 nft[414]: /etc/nftables.conf:12:21-31: Error: Interface does 
not exist
Jun 03 15:18:23 nft[414]: define SSID-MEDIA = enp1s0f0.66
Jun 03 15:18:23 nft[414]:                     ^^^^^^^^^^^
Jun 03 15:18:23 nft[414]: /etc/nftables.conf:11:21-31: Error: Interface does 
not exist
Jun 03 15:18:23 nft[414]: define SSID-LABOR = enp1s0f0.65
Jun 03 15:18:23 nft[414]:                     ^^^^^^^^^^^

I guess you are using interface index in your ruleset, rather than interface names. If you use interface name (i.e. iifname, oifname, etc.) then the interface doesn't need to exist when loading the ruleset.

Loading the ruleset *before* the interfaces are up ensures that no network traffic bypasses the firewall policy.

It is up to you to configure the systemd unit to load before/after the network.
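To illustrate the difference the reply points at, here is an added example ruleset (not the original poster's file; only the two VLAN interface names are taken from the thread, the table and chain layout are assumed). `iif`/`oif` resolve the symbol to an interface index while the file is parsed, so the interface must already exist; `iifname`/`oifname` compare the name as a string at packet time, so the same file loads before systemd-networkd has created the VLANs.

```nft
#!/usr/sbin/nft -f
# Added example, not the original poster's ruleset. Interface names are
# taken from the thread; the table/chain layout below is assumed.
flush ruleset

define SSID-LABOR = enp1s0f0.65
define SSID-MEDIA = enp1s0f0.66

table inet filter {
    chain input {
        type filter hook input priority filter; policy drop;

        ct state established,related accept
        iif lo accept

        # Fails at boot if the VLAN does not exist yet: "iif" turns the
        # symbol into an interface index while the file is being loaded
        # ("Error: Interface does not exist", as in the journal above).
        # iif $SSID-LABOR tcp dport 22 accept

        # Matches by name when a packet arrives, so this loads fine even
        # though enp1s0f0.65 / enp1s0f0.66 do not exist yet.
        iifname $SSID-LABOR tcp dport 22 accept
        iifname $SSID-MEDIA udp dport 5353 accept
    }
}
```

Running `nft -c -f /etc/nftables.conf` (check only, nothing is loaded) before the VLAN interfaces are configured shows whether the file still depends on an interface index.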
