How to translate iptables --physdev statements to nftables


I'm trying to translate my iptables entries to native nftables. The problem I have is with physdev statements - I'm using some chains to classify traffic passing through a bridge:

iptables -A FORWARD -m physdev --physdev-is-bridged -j bridgechain
iptables -A bridgechain -m physdev --physdev-in vnet0 --physdev-is-bridged -j vnet0-o
iptables -A bridgechain -m physdev --physdev-out vnet0 --physdev-is-bridged -j vnet0-i

How do I properly implement these rules using native nft? iptables-translate gives only the following:

nft # -A FORWARD -m physdev --physdev-is-bridged -j bridgechain
nft # -A bridgechain -m physdev --physdev-in vnet0 --physdev-is-bridged -j vnet0-o
nft # -A bridgechain -m physdev --physdev-out vnet0 --physdev-is-bridged -j vnet0-i

Thanks for help in advance!

There is 1 answer

jaroslav On

To my knowledge (I am not an nftables developer; the knowledge only comes from studying the netfilter wiki and extensive web search), there is no replacement for physdev-is-bridged. The netfilter wiki even considers the physdev match deprecated (see https://wiki.nftables.org/wiki-nftables/index.php/Supported_features_compared_to_xtables).

In my setup I was able to work around this by comparing iifname and oifname with the same string, i.e.

table inet filter {
  chain forward {
    iifname "br0" oifname "br0" accept
  }
}

This would be a replacement for

iptables -A FORWARD -m physdev --physdev-is-bridged -j ACCEPT

except it only applies to bridge "br0", unlike the iptables rule, which would apply to any bridge in the system. However, if your bridges are static, this workaround may be sufficient for you.

(On a side note, having physdev-is-bridged in upstream nft - and I believe the workaround listed above could be achieved without any kernel changes - would truly be nice for machines that create bridge interfaces on-demand. A need to deal with firewall rules for such bridges is a significant hindrance for my attempts to switch over to nftables.)
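The same workaround as a complete ruleset, added here as an example and not taken from the answer above: it extends the "same bridge in and out" check to several static bridges with a concatenation set, so routed traffic between two different bridges is not misclassified as bridged. It assumes two bridges named br0 and br1, the asker's chain name bridgechain, and that br_netfilter is loaded so bridged frames reach the inet forward hook.

```nft
# Added example (not the answer author's ruleset). Assumed bridges: br0, br1.
table inet filter {
    # Each element pairs a bridge with itself, so "iifname . oifname" only
    # matches frames that enter and leave the same bridge (bridged traffic),
    # not packets routed from br0 to br1.
    set bridged {
        type ifname . ifname
        elements = { "br0" . "br0", "br1" . "br1" }
    }

    chain forward {
        type filter hook forward priority 0; policy drop;

        ct state established,related accept

        # Stand-in for:
        #   iptables -A FORWARD -m physdev --physdev-is-bridged -j bridgechain
        iifname . oifname @bridged jump bridgechain

        # Anything that reaches this point is routed, not bridged, and is
        # dropped by the chain policy unless a later rule accepts it.
    }

    chain bridgechain {
        # Classification rules for bridged traffic go here; the counter makes
        # the match visible in "nft list ruleset" while tuning the set.
        counter accept
    }
}
```

Adding a bridge that is created later still requires adding its name pair to the set, which is the static-bridge limitation the answer describes.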