config-nftables-anbox: fix rule to allow matching on future iface (2274) (MR 2274)

The old rule would result in nftables failing to load if the iface doesn't exist. Using `iifname` will match on any future ifaces if they don't exist when the firewall starts. (cherry picked from commit 2a1b69db)

config-nftables-anbox: fix rule to allow matching on future iface (2274) (MR 2274)
efa14c64 · Clayton Craft · a079db90 · efa14c64 · efa14c64
Unverified Commit efa14c64 authored 3 years ago by Clayton Craft
--- a/main/postmarketos-config-nftables/APKBUILD
+++ b/main/postmarketos-config-nftables/APKBUILD
 # Maintainer: Clayton Craft <clayton@craftyguy.net>
 pkgname=postmarketos-config-nftables
-pkgver=0.1
-pkgrel=1
+pkgver=0.2
+pkgrel=0
 pkgdesc="nftables firewall configuration for postmarketOS"
 url="https://gitlab.com/postmarketos"
 arch="noarch"
@@ -54,7 +54,7 @@ sha512sums="
 10b3ab4d1f98a669e88fb2113a3880c4bf410d68859fe6a3efe8d638e3060af4a829485aed8c8da226c7fb7a53bab1bc90a659cb8fad9ccd226d808dbba94caf  01_wwan.nft
 03ea8b54210e5c5627cfe26d50bc98355951ea81b9aa1a46dc4093b15b47b224ba1b2a95c5add65639478e47ca6e9d6f4ce4053a94622e832dc065f66d1fd6c8  10_dhcp.nft
 6b0d0c7c3368dde1ad61d26a0c2e13008f16d5bedaf11fa4a3511b49675505cbbdda8bf8ff158194846b197108f76bdfd66d40a2afb9f4d25c79b02acf5659b7  50_ssh.nft
-49d217a62b3bf2fb5555cf51db0bf0887d5a79722cffcd3b17fc85628ac26f3384e42ef28526746c754b071afa82fd13d02dd0876014d44fbfa20295a515060c  51_anbox.nft
+8322a8a5a5b1e98e1f44e2091b8b3a06db1e8309ebba5b8b6abe9d6fbb009dffb248af55e631f06f01bbced98b23c205462de73cd354b116dbaa7b6c72746bfd  51_anbox.nft
 0e86974602622c03f0b34acd048e3a31157c0226ab4b5ec093a19696af3fc9637ed84cecf0d190941e4bd3afeb0c76a37245fa850abef46778cd1235ad8106df  60_usb.nft
 1532899534d7432a7708620cf1053ab80635fffe038a2352eb890c35fba4247c3b9ab3d0b028da1be765e5feb9b5a5b3a8107f4aa79f790d17930d38535a2288  99_drop_log.nft
 "
--- a/main/postmarketos-config-nftables/rules/51_anbox.nft
+++ b/main/postmarketos-config-nftables/rules/51_anbox.nft
 #!/usr/sbin/nft -f
 table inet filter {
    chain input {
-        iif anbox0 accept comment "Allow incomming network traffic from Anbox"
+        iifname "anbox*" accept comment "Allow incoming network traffic from Anbox"
    }
    chain forward {
-        iif anbox0 accept comment "Allow outgoing network traffic from Anbox"
+        iifname "anbox*" accept comment "Allow outgoing network traffic from Anbox"
        ct state {established, related} counter accept comment "accept established connections"
    }
 }