[Bug 1305] Rules in first chain same hook ignored if second chain has policy drop
bugzilla-daemon at netfilter.org
Wed Jan 20 15:42:56 CET 2021
https://bugzilla.netfilter.org/show_bug.cgi?id=1305
Timo Weingärtner <timo at tiwe.de> changed:
What | Removed | Added
-----|---------|------
CC   |         | timo at tiwe.de
--- Comment #8 from Timo Weingärtner <timo at tiwe.de> ---
You can have this quick-accept and delayed-drop behaviour if you create only
one base chain and branch off to other chains from there (the same worked with
classic iptables):
table inet filter {
    chain forward {
        type filter hook forward priority filter;
        ct state established accept
        iifname "internal" accept
        iifname "world" tcp dport ssh jump ssh-in
        iifname "world" tcp dport https jump https-in
        # this could be policy, but I like to make it explicit:
        drop
    }
    chain ssh-in {
        ip6 daddr 2001:db8::2a accept
        ip6 daddr 2001:db8::539 accept
        ip daddr 192.0.2.42 accept
    }
    chain https-in {
        ip6 daddr 2001:db8::1267 accept
    }
}
If you want to carry complex decisions made earlier to other base chains you
can use a mark.
Maybe I misunderstand your goal or use case? Why do you want to have separate
base chains if you do not want them to independently drop a packet?
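The verdict semantics this comment relies on can be modelled in a few lines. The following Python is an added example, not code from the bug report or from nftables: it simulates how several base chains registered on the same hook are evaluated in priority order, how "accept" ends only the current base chain while "drop" is final for the packet, how a verdict inside a jumped-to regular chain ends the calling base chain, and how a mark set in one base chain is still visible in the next. The chain names, interface names, ports and addresses in the three rulesets are constructed for the example; scenario B mirrors the single-base-chain layout above.

```python
"""Toy model of nftables verdict handling for base chains sharing one hook.

Added example (not from the bug report). Packet fields, chain names and
addresses are constructed for illustration.
"""
from typing import Callable, Optional, Union

Packet = dict                      # {"iif": ..., "dport": ..., "daddr": ..., "mark": ...}
Match = Callable[[Packet], bool]
Action = Union[str, tuple]         # "accept" | "drop" | "return" | ("jump", name) | ("mark", value)


class Chain:
    def __init__(self, rules, policy=None, hook=None, priority=0):
        self.rules = rules         # list of (match, action)
        self.policy = policy       # base chains only: "accept" or "drop"
        self.hook = hook           # e.g. "forward"; None marks a regular chain
        self.priority = priority


def run_chain(chains, name, pkt) -> Optional[str]:
    """Evaluate one chain; return a terminal verdict, or None if it fell off the end."""
    for match, action in chains[name].rules:
        if not match(pkt):
            continue
        if action in ("accept", "drop"):
            return action
        if action == "return":
            return None
        kind, arg = action
        if kind == "mark":
            pkt["mark"] = arg      # non-terminal statement: keep evaluating this chain
        elif kind == "jump":
            verdict = run_chain(chains, arg, pkt)
            if verdict is not None:  # accept/drop in the regular chain ends the base chain too
                return verdict
    return None


def hook_verdict(chains, hook, pkt) -> str:
    """Run every base chain registered on `hook`, lowest priority first."""
    base = sorted((c.priority, n) for n, c in chains.items() if c.hook == hook)
    for _, name in base:
        verdict = run_chain(chains, name, pkt)
        if verdict is None:
            verdict = chains[name].policy
        if verdict == "drop":
            return "drop"          # final: no further base chain sees the packet
        # "accept" only leaves this base chain; the next one is still evaluated
    return "accept"


def matcher(**fields) -> Match:
    return lambda pkt: all(pkt.get(k) == v for k, v in fields.items())


def any_packet(pkt) -> bool:
    return True


def pkt(**fields) -> Packet:
    return {"mark": 0, **fields}


# Scenario A: the situation in the bug report. Two base chains on the forward
# hook; the second has policy drop and overrides the accept of the first.
TWO_BASE_CHAINS = {
    "lan": Chain([(matcher(iif="internal"), "accept")],
                 policy="accept", hook="forward", priority=0),
    "strict": Chain([(matcher(iif="world", dport=443), "accept")],
                    policy="drop", hook="forward", priority=10),
}

# Scenario B: one base chain, branching into regular chains (the layout above).
ONE_BASE_CHAIN = {
    "forward": Chain([
        (matcher(iif="internal"), "accept"),
        (matcher(iif="world", dport=22), ("jump", "ssh-in")),
        (matcher(iif="world", dport=443), ("jump", "https-in")),
        (any_packet, "drop"),
    ], policy="accept", hook="forward"),
    "ssh-in": Chain([(matcher(daddr="192.0.2.42"), "accept")]),
    "https-in": Chain([(matcher(daddr="192.0.2.80"), "accept")]),
}

# Scenario C: carrying the decision with a mark. The first base chain marks the
# packet; the second honours the mark before its policy drop applies.
MARKED = {
    "lan": Chain([(matcher(iif="internal"), ("mark", 1))],
                 policy="accept", hook="forward", priority=0),
    "strict": Chain([(matcher(mark=1), "accept"),
                     (matcher(iif="world", dport=443), "accept")],
                    policy="drop", hook="forward", priority=10),
}

if __name__ == "__main__":
    lan_ssh = pkt(iif="internal", dport=22, daddr="192.0.2.42")
    for label, ruleset in (("two base chains", TWO_BASE_CHAINS),
                           ("one base chain", ONE_BASE_CHAIN),
                           ("mark", MARKED)):
        print(f"{label:16s} -> {hook_verdict(ruleset, 'forward', dict(lan_ssh))}")
```

Running it shows the same internal-to-ssh packet dropped under scenario A and accepted under B and C, which is exactly the difference between independent base chains and a single base chain (or a mark) described in the comment.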