[Bug 1305] Rules in first chain same hook ignored if second chain has policy drop

bugzilla-daemon at netfilter.org bugzilla-daemon at netfilter.org
Thu Oct 15 15:00:08 CEST 2020


https://bugzilla.netfilter.org/show_bug.cgi?id=1305

Marcos de Oliveira <markinholiveira at gmail.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |markinholiveira at gmail.com

--- Comment #7 from Marcos de Oliveira <markinholiveira at gmail.com> ---
(In reply to Egbert S from comment #5)
> > I have following hooks:
> > 
> > filter input prio 0
> > 
> > nat prerouting prio -500
> 
> The priority values only work within the same hook.

True, but that's not so useful, as later chains can't have a drop policy.
If you accept a packet in a chain, it will continue evaluating against other
chains of higher priority in the same hook. So if other chains have a policy of
drop, your accepted packet is gonna get dropped.

That's something hard to change, as it would break lots of users'
implementations. But we could get new options added to implement better logic,
as I suggested in #1471.

As currently we have a "drop" verdict, which is applied immediately, and an
"accept", which continues evaluating in the same hook against other chains' rules,
I suggested "quick-accept", which would act as the current drop and stop
evaluating other chains in the current hook, and a "delayed-drop", which will drop
the packet only at the end of the current hook. This way, no user implementation would
break.

Apart from being two new verdicts, it could also be implemented as two keywords
instead (quick and delay), so you could use it interchangeably (delay accept,
quick drop, with proper policy actions).

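The traversal the comment describes, as an added model that is not part of the bug report or of nftables itself: base chains on one hook run in priority order, a drop is final, an accept only ends the current chain, so a later chain's drop policy decides the packet's fate. Chain names, the packet dicts and the dport matches are constructed for the illustration.

```python
from dataclasses import dataclass, field
from typing import Callable, List, Optional, Tuple

Packet = dict
Match = Callable[[Packet], bool]

@dataclass
class Rule:
    match: Match
    verdict: str          # "accept" or "drop"

@dataclass
class Chain:
    name: str
    priority: int         # lower numbers are evaluated first
    policy: str           # applied when no rule matches
    rules: List[Rule] = field(default_factory=list)

def run_chain(chain: Chain, pkt: Packet) -> str:
    """First matching rule decides; otherwise the chain policy applies."""
    for rule in chain.rules:
        if rule.match(pkt):
            return rule.verdict
    return chain.policy

def run_hook(chains: List[Chain], pkt: Packet) -> Tuple[str, Optional[str]]:
    """Evaluate every chain on one hook in priority order.

    Returns (final_verdict, name_of_chain_that_decided). A 'drop' ends the
    traversal at once; an 'accept' only moves on to the next chain, so the
    last chain's policy is what counts for a packet no rule dropped.
    """
    verdict, decided_by = "accept", None
    for chain in sorted(chains, key=lambda c: c.priority):
        verdict, decided_by = run_chain(chain, pkt), chain.name
        if verdict == "drop":
            break
    return verdict, decided_by

# Constructed ruleset mirroring the report: an accept rule in the prio 0
# chain and a second chain on the same hook whose policy is drop.
SSH = {"proto": "tcp", "dport": 22}
HTTP = {"proto": "tcp", "dport": 80}

def filter_input() -> Chain:
    return Chain("filter_input", 0, "drop",
                 [Rule(lambda p: p["dport"] == 22, "accept")])

def second_chain(policy: str, allow_ssh: bool = False) -> Chain:
    rules = [Rule(lambda p: p["dport"] == 22, "accept")] if allow_ssh else []
    return Chain("second", 10, policy, rules)

if __name__ == "__main__":
    print(run_hook([filter_input(), second_chain("drop")], SSH))        # ('drop', 'second')
    print(run_hook([filter_input(), second_chain("drop", True)], SSH))  # ('accept', 'second')
```

The first call shows the reported behaviour: the SSH packet is accepted in `filter_input` and then dropped by the second chain's policy; repeating the accept rule in the later chain (or giving it an accept policy) is what keeps the packet alive.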