Match interfaces by name so we can start nftables before they exist

diff --git a/cookbooks/networking/templates/default/nftables.conf.erb b/cookbooks/networking/templates/default/nftables.conf.erb
index a3dae7143d12bdf97ab4bda28ea83b0b45f836ee..8594cc24498a0a05b64f74ff027fb872cc77934a 100644 (file)
--- a/cookbooks/networking/templates/default/nftables.conf.erb
+++ b/cookbooks/networking/templates/default/nftables.conf.erb
@@ -112,7 +112,7 @@ table inet filter {
     type filter hook input priority filter;
 
 <%- unless @interfaces.empty? %>
-    iif { $external-interfaces } jump incoming
+    iifname { $external-interfaces } jump incoming
 <%- end %>
 
     accept
@@ -122,8 +122,8 @@ table inet filter {
     type filter hook forward priority filter;
 
 <%- unless @interfaces.empty? %>
-    iif { $external-interfaces } jump incoming
-    oif { $external-interfaces } jump outgoing
+    iifname { $external-interfaces } jump incoming
+    oifname { $external-interfaces } jump outgoing
 <%- end %>
 
     accept
@@ -133,7 +133,7 @@ table inet filter {
     type filter hook output priority filter;
 
 <%- unless @interfaces.empty? %>
-    oif { $external-interfaces } jump outgoing
+    oifname { $external-interfaces } jump outgoing
 <%- end %>
 
     accept
@@ -147,7 +147,7 @@ table ip nat {
 
 <%- node.interfaces(:role => :external, :family => :inet).each do |external| %>
 <%- node.interfaces(:role => :internal, :family => :inet).each do |internal| %>
-    oif { <%= external[:interface] %> } ip saddr { <%= internal[:network] %>/<%= internal[:prefix] %> } snat <%= external[:address] %>
+    oifname { <%= external[:interface] %> } ip saddr { <%= internal[:network] %>/<%= internal[:prefix] %> } snat <%= external[:address] %>
 <%- end %>
 <%- end %>
   }