nftables meta mark for accepting forwarding packets
Hello,
I'm trying to build a Linux-based router that has Podman for running basic containers. I'm running Podman 5.0.1 with nftables support enabled in netavark for my testing. The issue I'm running into is that I want to set my forward policy to drop, but this drops packets for Podman.
Here is a basic firewall rule I'm trying to implement,
table inet filter {
    chain forward {
        type filter hook forward priority 0; policy drop;
        iifname lan oifname wan accept;
    }
}
With this configured, packets are not forwarded out of my containers.
I'm thinking that if we have netavark mark packets, then I can configure my rules to allow them easily. For example,
table inet filter {
    chain forward {
        type filter hook forward priority 0; policy drop;
        iifname lan oifname wan accept;
        meta mark <netavark_mark> accept;
    }
}
Is this something that we can do? Do you guys have any suggestions as to how I can handle this without needing to add this feature to netavark?
Thanks in advance!
Same issue here, but for input. I currently don't see a way to have the default verdict set to drop without manually filtering out Podman traffic again:
table inet filter {
    chain input {
        type filter hook input priority filter; policy drop;
        ip daddr 10.89.0.0/24 ct state established,related accept
        ip saddr 10.89.0.0/24 accept
        # my other rules here...
    }
}
Hi,
I got it working by adding "iif podman0 accept", but I am wondering as well if there is a better way (especially as the interface podman0 is often not yet created when the nft default rules are loaded).
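As an added example (not from this thread and not netavark's own rules), here is a ruleset that keeps policy drop on both the input and forward chains and admits container traffic by matching the bridge interface name instead of a packet mark. It uses iifname/oifname, which compare the name per packet, so the file loads even when the podman0 bridge does not exist yet; iif resolves to an interface index at load time and fails when the interface is absent. The interface names podman0, lan and wan and the set name podman_ifs are assumptions taken from the thread; adjust them to your host.

```nft
#!/usr/sbin/nft -f
flush ruleset

table inet filter {
    # Bridge interfaces netavark creates for Podman networks (assumed names).
    # Add one element per Podman network whose traffic should be allowed.
    set podman_ifs {
        type ifname
        elements = { "podman0" }
    }

    chain input {
        type filter hook input priority filter; policy drop;
        # Replies to connections the host itself initiated
        ct state established,related accept
        iif "lo" accept
        # Traffic from containers to the host itself (the bridge address)
        iifname @podman_ifs accept
        # other host rules here...
    }

    chain forward {
        type filter hook forward priority filter; policy drop;
        # Return traffic for every flow accepted below, including container egress
        ct state established,related accept
        # Router traffic from the LAN to the upstream interface
        iifname "lan" oifname "wan" accept
        # Container egress: bridge -> upstream (netavark masquerades it)
        iifname @podman_ifs oifname "wan" accept
        # Traffic forwarded between Podman bridges (multiple networks)
        iifname @podman_ifs oifname @podman_ifs accept
    }
}
```

Load it with nft -f and, on a running system, check the counters with nft list ruleset to confirm that container egress hits the podman_ifs rule rather than the chain's drop policy.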