[Bug 1305] Rules in first chain same hook ignored if second chain has policy drop

bugzilla-daemon at netfilter.org bugzilla-daemon at netfilter.org
Sun Jul 14 11:12:55 CEST 2019


Florian Westphal <fw at strlen.de> changed:

           What    |Removed                     |Added
                 CC|                            |fw at strlen.de

--- Comment #1 from Florian Westphal <fw at strlen.de> ---
(In reply to keithwilliamsnp from comment #0)
> Debian Stretch, nft version 0.9.0-1 kernel 4.9.0-8-amd64
> Am finding behaviour in added chains a bit different to that expected from
> reading all the documentation.
> I have chain 
> input {type filter hook input priority 0; policy drop;} 
> This carried most of the firewall rules. I then added another
> chain
> testpr {type filter hook input priority -1;}
> I cut and pasted the rule to accept ftp from the input chain (where it had
> been working) into the testpr chain. 
> ftp was blocked. The packets should have traversed testpr first, been
> accepted before, if necessary entering input chain. This was obviously not
> happening.

Yes, this is the same as e.g. accepting in iptables mangle table input chain --
the packet will continue to filter table input.

I'll leave this open for now, any suggestion on where to place this in the

You are receiving this mail because:
You are watching all bug changes.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.netfilter.org/pipermail/netfilter-buglog/attachments/20190714/483dd1d3/attachment.html>

More information about the netfilter-buglog mailing list