I am in a situation where i have multiple interfaces for multiple docker networks. All docker networks should be able to access the internet, so i currently have the following nftables snippet:
chain forward {
type filter hook forward priority 0; policy drop;
iifname docker0 ct state new accept comment "Accept forwards from docker0"
iifname dck-backend ct state new accept comment "Accept forwards from dck-backend"
}
Since both rules are very similar but the interface name, i want to merge them into one, if possible. I tried to create a set of interface names:
set docker_interfaces {
type ifname; flags interval;
elements = {
docker0,dck-backend
}
}
However, using the set in the rule with
iifname @docker_interfaces accept comment "Accept traffic from docker containers"
results in an error:
Okt 07 10:55:26 naugol nft[968969]: /etc/nftables.conf:40:5-11: Error: Byteorder mismatch: expected big endian, got host endian
Okt 07 10:55:26 naugol nft[968969]: iifname @docker_interfaces accept comment "Accept traffic from docker containers"
Okt 07 10:55:26 naugol nft[968969]: ^^^^^^^
Okt 07 10:55:26 naugol systemd[1]: nftables.service: Main process exited, code=exited, status=1/FAILURE
How can i specify more than one interface in a rule, or do i really need several similar rules for achieving this?
Best Answer
You might consider inlining like so:
In addition you can use
defineThe can also be done on the command line with proper escaping:
nft add rule ip filter forward iifname \{ "docker0", "dck-backend" \} ct state new accept comment "Accept forwards from docker interfaces"