[Bug 1305] Rules in first chain same hook ignored if second chain has policy drop

bugzilla-daemon at netfilter.org bugzilla-daemon at netfilter.org
Wed Jan 20 19:39:14 CET 2021


https://bugzilla.netfilter.org/show_bug.cgi?id=1305

--- Comment #9 from Brian Pond <brian at pondconsulting.net> ---
"Why do you want to have separate base chains if you do not want them to
independently drop a packet?"

Because I want my separate base chains to independently -accept- a packet.

Your workaround is practical.  I'm doing the same thing in my production
environments today.  By using a single base chain, plus jumps to non-base
chains, I can achieve the desired behavior.  I want my nftables to Log and Drop
everything by default.  Except for packets I have explicitly Safelisted.

However, the design could be even simpler.  If I could create multiple Base
Chains, with different Priorities, I could avoid writing Jump statements
altogether:

* Base Chain #1, Priority 0 = Accept Some Things.
* Base Chain #2, Priority 10 = Accept Some Things.
* Base Chain #3, Priority 20 = Accept Some Things.
* Base Chain #4, Priority 30 = Log and Drop Everything Else.

In this way, a packet flows linearly through the rules based on chain priority.
Until it's either Accepted or Dropped.  First match wins.  I wouldn't need to
code Jumps at all.

Currently this is impossible, because that final Drop in Base #4 overrules the
previous 3 chains' decisions.

And Priority is left without any real purpose.  I'm practically limited to 1
base chain per hook.  Whether those chains are Priority 0 or 200, all that
actually matters is jumping around, until the packet encounters a Drop.

-- 
You are receiving this mail because:
You are watching all bug changes.
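The two designs discussed in this comment, written out as an added nftables ruleset that is not part of the bug report or of the netfilter project: table and chain names, the `inet` family and the ports are assumptions. Design 1 is the multi-base-chain layout the comment says cannot work; design 2 is the single-base-chain workaround it describes.

```nft
# Added example, not from the bug report. Assumed names: filter_multi,
# filter_single, allow_ssh, catchall, ssh_allow, web_allow, input.

# Design 1: separate base chains on the same hook.
# "accept" in a base chain only ends that chain's evaluation; the packet
# still traverses the later base chains on the same hook in priority
# order, and the "policy drop" in the last one is final.
table inet filter_multi {
    chain allow_ssh {
        type filter hook input priority 0; policy accept;
        tcp dport 22 accept
    }
    chain catchall {
        type filter hook input priority 30; policy drop;
        log prefix "nft-drop: "
    }
}
# Result: SSH is accepted by allow_ssh, then logged and dropped by catchall.

# Design 2: one base chain per hook with policy drop; safelist rules live
# in regular (non-base) chains reached by jump. "accept" inside a jumped
# chain is final for this base chain, so first match wins, and anything
# that reaches the end of input is logged and then dropped by the policy.
table inet filter_single {
    chain ssh_allow {
        tcp dport 22 accept
    }
    chain web_allow {
        tcp dport { 80, 443 } accept
    }
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        jump ssh_allow
        jump web_allow
        log prefix "nft-drop: "
    }
}
```

Load either table with `nft -f <file>` and compare with `nft list ruleset`; only design 2 lets an SSH packet through, and the log prefix makes the dropped remainder visible in the kernel log.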