I'm trying to switch over from an iptables-based FW to nftables.
I have a basic ruleset:
flush ruleset
table inet filter {
    chain input {
        type filter hook input priority 0;
        # rate-limit ICMP / ICMPv6 and drop the excess
        ip protocol icmp limit rate 10/second accept
        ip protocol icmp drop
        ip6 nexthdr icmpv6 limit rate 10/second accept
        ip6 nexthdr icmpv6 drop
        # loopback
        iif lo accept
        # replies to connections this host initiated
        ct state established,related accept
        ct state invalid drop
        # inbound SSH
        tcp dport { 22 } ct state new accept
        # IPv6 neighbour discovery (never reached: every icmpv6 packet is already accepted or dropped by the icmpv6 rules above)
        ip6 nexthdr icmpv6 icmpv6 type { nd-neighbor-solicit, nd-router-advert, nd-neighbor-advert } accept
        # everything else: count and drop
        counter drop
    }
}
but it does not allow me to initiate a VPN with a VPN provider (I'm the client, so I initiate the connection).
I suspect it has something to do with the virtual interface ppp0 being given an integer reference by the kernel when it is created, and we don't know what that integer will be until we instantiate the VPN. Thus if we tell nftables about "iif ppp0" it will not know what to do with it: nftables is instantiated before the VPN, so ppp0 will be null.
The same behaviour is observed with OpenVPN, where a virtual interface "tun0" is created by the kernel.
Any guidance would be really valuable.
Thank you
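The distinction the post reasons about, between an interface index and an interface name, is visible in nftables syntax. `iif`/`oif` match the interface index, so the name is resolved when the rule is added and the interface has to exist at that moment; `iifname`/`oifname` compare the name string against each packet, so a rule can be written for ppp0 or tun0 before the interface is created. The ruleset below is an added example, not the poster's own, and assumes the VPN interface is called "ppp0" or "tun0"; whether this mechanism is what breaks the VPN in the post cannot be read off the ruleset shown, which does not reference ppp0 at all.

```nft
#!/usr/sbin/nft -f
# Added example (not the original poster's ruleset). Interface names "ppp0"
# and "tun0" are assumptions; substitute the name the VPN client actually creates.
flush ruleset
table inet filter {
    chain input {
        type filter hook input priority 0;

        # "iif lo" is fine: the loopback device always exists when the
        # ruleset is loaded, so the name resolves to an index.
        iif lo accept

        # Replies to connections this host initiated (covers the VPN
        # control channel as long as the tunnel is set up from this side).
        ct state established,related accept
        ct state invalid drop

        # Rate-limited ICMP / ICMPv6, drop the excess.
        ip protocol icmp limit rate 10/second accept
        ip protocol icmp drop
        ip6 nexthdr icmpv6 icmpv6 type { nd-neighbor-solicit, nd-router-advert, nd-neighbor-advert } accept
        ip6 nexthdr icmpv6 limit rate 10/second accept
        ip6 nexthdr icmpv6 drop

        # Inbound SSH from anywhere.
        tcp dport 22 ct state new accept

        # Rules for the tunnel interface use iifname, not iif: the string is
        # compared per packet, so this loads even though ppp0/tun0 do not
        # exist yet. An equivalent "iif ppp0" line would fail at load time
        # if the interface is absent. The counter makes it easy to confirm
        # that traffic is really arriving on the tunnel.
        iifname { "ppp0", "tun0" } tcp dport 22 ct state new counter accept

        # Everything else: count and drop.
        counter drop
    }
}
```

`nft -c -f ruleset.nft` checks the file without loading it, which is where an `iif` referring to a not-yet-created interface shows up as a load error; after loading, `nft list ruleset` prints the rules together with the counter values, so a zero counter on the `iifname` rule while the tunnel is up tells you the packets are not reaching that rule.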