Nftables "Error: Interface does not exist" after reboot

Question

at using nftables on a new virtual machine (Debian 10) I installed and configured nftables as automatic service (systemd). I use also LXC and use an additional interface (lxcbr0).

I recognized the problem that the nftables service does not start successfully after reboot. The error: /etc/nftables.conf:56:32-39: Error: Interface does not exist

It seems that the interface get only up after the nftables service startup: Startup date of nftables (log output):

Apr 05 11:41:23 WEB01 systemd[1]: Starting nftables...

Startup date of the interface:

Apr 05 11:41:25 WEB01 ifup[397]: Waiting for lxcbr0 to get ready

--> 2 second delay between the startups

Is there a general solution for this or a common work around? On the wiki of nftables I did not find something like that.

Thanks in advance

Answer 1

The easiest is to change your rules in nftables like this:

• replace all occurences of iif lxcbr0 with iifname lxcbr0
• replace all occurences of oif lxcbr0 with oifname lxcbr0
• there are equivalent replacements for sets, I could write something about it if the ruleset was given.

The reason for this is that iif and oif expect an interface index rather than an interface name. For this, the interface must have been created before the rule referencing it. iifname and oifname check if current interfaces have one with a matching name.

More explanations about this in this other Q/A.

Other methods would require the synchronization with the creation of the interface: after the interface was created but before it goes up to avoid any window where there's no firewall/NAT. This would likely depend on the network manager in use.