From 82f3058577b5c2b201bdc6ae09f5b826d5c251c1 Mon Sep 17 00:00:00 2001
From: Matthew Grotke
Date: Tue, 14 Apr 2026 22:05:56 -0400
Subject: [PATCH] Added nftables DNS accept rules for container bridge interfaces
---
 core.py | 8 +++++++-
 1 file changed, 7 insertions(+), 1 deletion(-)
diff --git a/core.py b/core.py
index 82098df..5942086 100644
--- a/core.py
+++ b/core.py
@@ -1710,6 +1710,7 @@ def build_nft_config(data, dry_run=False):
 all_except = rule_enabled(data.get("inter_vlan_exceptions", []))
 banned_v4, banned_v6 = banned_ip_sets(data)
+ container_bridges = get_container_bridges()
 L = []
 def line(s=""):
@@ -1817,6 +1818,12 @@ def build_nft_config(data, dry_run=False):
 line(" udp dport 1812 drop")
 line()
+ if container_bridges:
+ iface_set = ", ".join(f'"{b}"' for b in container_bridges)
+ line(" # Allow DNS from container bridge networks (Docker, Podman, etc.)")
+ line(f" iif {{ {iface_set} }} meta l4proto {{ tcp, udp }} th dport 53 accept")
+ line()
+
 line(" # Allow all traffic inbound from any VLAN interface")
 for vlan in vlans:
 line(f" iif \"{vlan['interface']}\" accept # {vlan['name']}")
@@ -1853,7 +1860,6 @@ def build_nft_config(data, dry_run=False):
 line(f" iif \"{vlan['interface']}\" oif \"{wan}\" accept # {vlan['name']} -> WAN")
 line()
- container_bridges = get_container_bridges()
 if container_bridges:
 line(" # Allow VLAN -> Docker bridge forwarding")
 for vlan in vlans:
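Review bot: The bridge names joined into `iface_set` in the second hunk are interpolated into the ruleset text unescaped, so a name containing `"`, `,`, `{`/`}` or whitespace would break the nft grammar and make the whole generated file fail to load, not just the DNS rule. The kernel limits interface names to 15 characters and rejects `/`, `:` and whitespace, but as far as I know it does not reject `"` or braces, so a cheap guard before the join — e.g. `safe = [b for b in container_bridges if re.fullmatch(r"[A-Za-z0-9_.-]{1,15}", b)]` (with `re` imported at file level) plus a log line for anything skipped — keeps one odd bridge from taking the rest of the config down with it. The existing `vlan['interface']` interpolation on the context lines has the same shape, though those names come from configuration rather than from the host's interface list, so the new code is the more exposed path. `get_container_bridges()` is defined outside this patch, so whether it already filters names cannot be told from here. `build_nft_config`'s body starts and ends outside all three hunks.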