nftables: allow podman bridges in input and forward chains

Rootful Podman containers (used by the Forgejo runner) use podman0
and podman-* bridges, which were being dropped by the default-deny
firewall policy. This broke DNS resolution and internet access.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
This commit is contained in:
rope 2026-05-21 15:02:09 +01:00
parent 8b6029ca86
commit a18db710c0

View file

@ -112,13 +112,10 @@ in
iifname "lo" accept
# LAN is trusted
iifname "eth0" accept
# Docker containers reaching host services (e.g. Profilarr → Radarr
# on 10.0.0.1:7878). The forward chain already trusts docker bridges
# for outbound; this is the matching INPUT rule for traffic landing
# on the host's own LAN/bridge IPs from a container. The br-* glob
# covers user-defined networks (the Forgejo runner creates one per
# workflow), so it doesn't fall through to the default-deny policy.
iifname { "docker0", "br-*" } accept
# Container bridges reaching host services (e.g. Profilarr → Radarr
# on 10.0.0.1:7878, Forgejo runner → AdGuard DNS). br-* covers
# Docker user-defined networks, podman* covers Podman (rootful).
iifname { "docker0", "br-*", "podman*" } accept
# Phase 1: also trust the existing eero subnet on eno1 so SSH
# and AdGuard DNS keep working during the transition.
${legacyTrustRules}
@ -134,10 +131,9 @@ in
ct state invalid drop
# LAN → anywhere
iifname "eth0" accept
# Docker containers → anywhere (needed for image pulls, LinuxGSM
# bootstrap, Forgejo runner workflows, etc.). br-* matches the
# user-defined bridges Docker creates for custom networks.
iifname { "docker0", "br-*" } accept
# Containers → anywhere (image pulls, Forgejo runner workflows,
# etc.). br-* = Docker custom networks, podman* = Podman rootful.
iifname { "docker0", "br-*", "podman*" } accept
# WAN → any port-forward target (LAN host or docker container)
iifname "eno1" ct status dnat accept
}