nftables: allow podman bridges in input and forward chains
Rootful Podman containers (used by the Forgejo runner) use podman0 and podman-* bridges, whose traffic was being dropped by the default-deny firewall policy. This broke DNS resolution and internet access. Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
parent
8b6029ca86
commit
a18db710c0
1 changed files with 7 additions and 11 deletions
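--- a/<PATH-NOT-SHOWN-ON-PAGE>
+++ b/<PATH-NOT-SHOWN-ON-PAGE>
@@ -112,13 +112,10 @@ in
 iifname "lo" accept
 # LAN is trusted
 iifname "eth0" accept
-# Docker containers reaching host services (e.g. Profilarr → Radarr
-# on 10.0.0.1:7878). The forward chain already trusts docker bridges
-# for outbound; this is the matching INPUT rule for traffic landing
-# on the host's own LAN/bridge IPs from a container. The br-* glob
-# covers user-defined networks (the Forgejo runner creates one per
-# workflow), so it doesn't fall through to the default-deny policy.
-iifname { "docker0", "br-*" } accept
+# Container bridges reaching host services (e.g. Profilarr → Radarr
+# on 10.0.0.1:7878, Forgejo runner → AdGuard DNS). br-* covers
+# Docker user-defined networks, podman* covers Podman (rootful).
+iifname { "docker0", "br-*", "podman*" } accept
 # Phase 1: also trust the existing eero subnet on eno1 so SSH
 # and AdGuard DNS keep working during the transition.
 ${legacyTrustRules}
@@ -134,10 +131,9 @@ in
 ct state invalid drop
 # LAN → anywhere
 iifname "eth0" accept
-# Docker containers → anywhere (needed for image pulls, LinuxGSM
-# bootstrap, Forgejo runner workflows, etc.). br-* matches the
-# user-defined bridges Docker creates for custom networks.
-iifname { "docker0", "br-*" } accept
+# Containers → anywhere (image pulls, Forgejo runner workflows,
+# etc.). br-* = Docker custom networks, podman* = Podman rootful.
+iifname { "docker0", "br-*", "podman*" } accept
 # WAN → any port-forward target (LAN host or docker container)
 iifname "eno1" ct status dnat accept
 }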
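Review bot: The new `iifname { "docker0", "br-*", "podman*" } accept` in the input chain admits any traffic from any container bridge to every service listening on the host, not only the AdGuard DNS and Radarr examples the comment names; the Forgejo runner executes workflow jobs inside these containers, so this is a broad trust grant to CI workloads. If the intent is only DNS and the named services, narrow the rule to the needed ports, e.g. `iifname { "docker0", "br-*", "podman*" } udp dport 53 accept` plus a tcp rule for the specific service ports, and let everything else fall through to the default-deny policy. The same applies to the forward-chain rule in the second hunk, which also lets container traffic reach LAN hosts on eth0 rather than only the internet; if that is deliberate, the comment should state it instead of listing only image pulls and workflows. Both hunks sit inside a ruleset string whose chain definitions begin and end outside the hunks.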