Added nftables DNS accept rules for container bridge interfaces

This commit is contained in:
Matthew Grotke 2026-04-14 22:05:56 -04:00
parent 2d50a982b8
commit 82f3058577


@ -1710,6 +1710,7 @@ def build_nft_config(data, dry_run=False):
all_except = rule_enabled(data.get("inter_vlan_exceptions", [])) all_except = rule_enabled(data.get("inter_vlan_exceptions", []))
banned_v4, banned_v6 = banned_ip_sets(data) banned_v4, banned_v6 = banned_ip_sets(data)
container_bridges = get_container_bridges()
L = [] L = []
def line(s=""): def line(s=""):
@ -1817,6 +1818,12 @@ def build_nft_config(data, dry_run=False):
line(" udp dport 1812 drop") line(" udp dport 1812 drop")
line() line()
if container_bridges:
iface_set = ", ".join(f'"{b}"' for b in container_bridges)
line(" # Allow DNS from container bridge networks (Docker, Podman, etc.)")
line(f" iif {{ {iface_set} }} meta l4proto {{ tcp, udp }} th dport 53 accept")
line()
line(" # Allow all traffic inbound from any VLAN interface") line(" # Allow all traffic inbound from any VLAN interface")
for vlan in vlans: for vlan in vlans:
line(f" iif \"{vlan['interface']}\" accept # {vlan['name']}") line(f" iif \"{vlan['interface']}\" accept # {vlan['name']}")
@ -1853,7 +1860,6 @@ def build_nft_config(data, dry_run=False):
line(f" iif \"{vlan['interface']}\" oif \"{wan}\" accept # {vlan['name']} -> WAN") line(f" iif \"{vlan['interface']}\" oif \"{wan}\" accept # {vlan['name']} -> WAN")
line() line()
container_bridges = get_container_bridges()
if container_bridges: if container_bridges:
line(" # Allow VLAN -> Docker bridge forwarding") line(" # Allow VLAN -> Docker bridge forwarding")
for vlan in vlans: for vlan in vlans: