ACL entries do not have any effect on bridge loopback (BVI) interfaces
This is expected behavior: when traffic is forwarded between interfaces on the same bridge, the packets never arrive on the loopback (BVI) interface, so an ACL applied there is never evaluated. If packets only travel within a bridge, the ACLs must be applied to the hardware interfaces that are members of the bridge.
Some traffic to the host OS management interface is dropped
TNSR includes a default set of Netfilter rules which secure the management interface. Only certain ports are allowed by default. See Default Allowed Traffic for details. To allow more traffic, create host ACLs as described in Host ACLs.
To view the current Netfilter rules from within the TNSR CLI, use:
tnsr# show host ruleset
To view the current Netfilter rules from a shell prompt, use:
$ sudo nft list table inet tnsr_filter
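As an added example (not part of the TNSR documentation), the helper below parses the text produced by `nft list table inet tnsr_filter` and reports the verdict the `input` chain gives a given TCP or UDP port, which answers the usual troubleshooting question of whether the default ruleset or a missing host ACL is what drops the traffic. The sample ruleset is constructed for illustration; its rules and ports are not TNSR's real defaults.

```python
import re

# Constructed sample of `nft list table inet tnsr_filter` output.
# Rules and ports are illustrative only, not TNSR's actual default ruleset.
SAMPLE_RULESET = """\
table inet tnsr_filter {
    chain input {
        type filter hook input priority filter; policy drop;
        iif "lo" accept
        ct state established,related accept
        ct state invalid drop
        tcp dport { 22, 443 } accept
        udp dport 161 accept
        icmp type echo-request accept
    }
    chain forward {
        type filter hook forward priority filter; policy drop;
    }
}
"""

CHAIN_RE = re.compile(r"^\s*chain (\w+) \{")
POLICY_RE = re.compile(r"policy (accept|drop);")
# Matches "tcp dport 22 accept" and "udp dport { 53, 161 } drop" style rules.
PORT_RE = re.compile(r"^\s*(tcp|udp) dport (\{[^}]*\}|\d+) (accept|drop)$")


def parse_input_chain(ruleset):
    """Return (chain policy, {(proto, port): verdict}) for the 'input' chain."""
    policy, verdicts, current = None, {}, None
    for line in ruleset.splitlines():
        m = CHAIN_RE.match(line)
        if m:
            current = m.group(1)
            continue
        if current != "input":
            continue
        m = POLICY_RE.search(line)
        if m:
            policy = m.group(1)
            continue
        m = PORT_RE.match(line)
        if m:
            proto, ports, verdict = m.groups()
            for port in re.findall(r"\d+", ports):
                # accept/drop are terminal, so the first matching rule wins.
                verdicts.setdefault((proto, int(port)), verdict)
    return policy, verdicts


def port_verdict(ruleset, proto, port):
    """Verdict for traffic to proto/port: a matching rule, else the chain policy."""
    policy, verdicts = parse_input_chain(ruleset)
    return verdicts.get((proto, port), policy)
```

A port that comes back as `drop` only because of the chain policy is the case where a host ACL is needed to allow it.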
The Netfilter service can also be controlled from the shell, if necessary when troubleshooting host OS connectivity, by using the nftables service in systemd:
To stop the Netfilter service:
$ sudo service nftables stop
To start the Netfilter service:
$ sudo service nftables start