How to create transparent/in-line/bridging firewall via nftables?

Question

I'm stuck at configuring nftables.

table bridge filter {
    chain input { type filter hook input priority -200; policy accept;}
    chain forward {
        type filter hook forward priority -200; policy drop;
        ip protocol icmp counter accept;
    }
    chain output { type filter hook output priority 200; policy accept;}

I have a couple of questions. Rule ip protocol icmp counter accept; does not work. Counter showing +1 packet in minute or so and ping not working. What I'm doing wrong?

score 0 · Answer 1 · answered May 10 '18 at 19:24

You have first to allow ARP resolution to work. Local IP resolution relies on ARP:

nft add rule bridge filter forward ether type arp accept

Else when trying to ping, arp resolution fails and you get something like this on a node trying to cross the bridge:

# ip neigh show eth0
192.168.1.7 dev eth0  FAILED

How to create transparent/in-line/bridging firewall via nftables?

1 Answers1