<html>
<head>
<base href="https://bugzilla.netfilter.org/" />
</head>
<body><span class="vcard"><a class="email" href="mailto:s.egbert@sbcglobal.net" title="Egbert S <s.egbert@sbcglobal.net>"> <span class="fn">Egbert S</span></a>
</span> changed
<a class="bz_bug_link
bz_status_NEW "
title="NEW - Rules in first chain same hook ignored if second chain has policy drop"
href="https://bugzilla.netfilter.org/show_bug.cgi?id=1305">bug 1305</a>
<br>
<table border="1" cellspacing="0" cellpadding="8">
<tr>
<th>What</th>
<th>Removed</th>
<th>Added</th>
</tr>
<tr>
<td style="text-align:right;">CC</td>
<td>
</td>
<td>s.egbert@sbcglobal.net
</td>
</tr></table>
<p>
<div>
<b><a class="bz_bug_link
bz_status_NEW "
title="NEW - Rules in first chain same hook ignored if second chain has policy drop"
href="https://bugzilla.netfilter.org/show_bug.cgi?id=1305#c5">Comment # 5</a>
on <a class="bz_bug_link
bz_status_NEW "
title="NEW - Rules in first chain same hook ignored if second chain has policy drop"
href="https://bugzilla.netfilter.org/show_bug.cgi?id=1305">bug 1305</a>
from <span class="vcard"><a class="email" href="mailto:s.egbert@sbcglobal.net" title="Egbert S <s.egbert@sbcglobal.net>"> <span class="fn">Egbert S</span></a>
</span></b>
<pre><span class="quote">> I have following hooks:
>
> filter input prio 0
>
> nat prerouting prio -500</span>
The priority values only work within the same hook. There are 6 hooks
(ingress, prerouting, input, forward, output, postrouting).
                                   Local
                                  process
                                    ^     |
                                    |     v
              .-----------.       input output       .-----------.
              |  Routing  |---------'     '--------->|  Routing  |
-> prerouting |  Decision |                          |  Decision | postrouting ->
              '-----------'                          '-----------'
                    |                                      ^
                    '---------------> forward -------------'
Don't forget to add 'ingress' before `prerouting` to the old chart above.
Ingress was added in Linux 4.2.
This is what I've gathered from the current Netfilter Wiki on nftables.
If many different chains exist within and only within that one `ingress` hook,
these chains are ordered as each priority states, from lowest value (-500) to
highest value (+500) in terms of packet examination ordering.
If there are only just the two same-named chains but in different hooks (i.e., input,
forward) of different priority, priority settings don't matter.
Hook is the FIRST thing encountered when deciding the priority of chains within
each of the 6 hooks; next, within each chain, its rules' antecedence and
precedence are done in insertion order.
Your example is spread across two separate hooks (input & prerouting), so your
example of priority doesn't matter on this point.</pre>
</div>
</p>
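<p>The ordering rule described in the comment above, as an added model (example code, not part of the bug report or of nftables itself): base chains are grouped by hook, priority only sorts chains inside one hook, and a drop verdict in an earlier chain of the same hook stops the walk before later chains on that hook are reached. The chain names and the <code>early_input</code> chain are constructed for the illustration.</p>

```python
from collections import defaultdict

# Hooks a locally delivered packet traverses, in order (from the flow chart
# above); forward/output/postrouting lie on the other paths.
LOCAL_IN_PATH = ("ingress", "prerouting", "input")

def chain_order(chains):
    """Group base chains by hook and order each hook's chains by priority,
    lowest value first. chains: iterable of (name, hook, priority, policy)."""
    by_hook = defaultdict(list)
    for name, hook, prio, _policy in chains:
        by_hook[hook].append((prio, name))
    return {hook: [name for _, name in sorted(entries)]
            for hook, entries in by_hook.items()}

def traverse(chains, verdicts, path=LOCAL_IN_PATH):
    """Walk one packet through the hooks on `path`, visiting each hook's
    chains in priority order. verdicts maps chain name -> verdict returned by
    that chain's rules (None means no rule matched, so the chain policy
    applies). 'drop' ends the walk; 'accept' only ends the current chain."""
    order = chain_order(chains)
    policy = {name: pol for name, _, _, pol in chains}
    visited = []
    for hook in path:
        for name in order.get(hook, []):
            visited.append(name)
            if (verdicts.get(name) or policy[name]) == "drop":
                return "drop", visited
    return "accept", visited

# Constructed ruleset: the reporter's two chains plus a hypothetical second
# input chain. Different hooks -> hook order decides; same hook -> priority.
CHAINS = [
    ("filter_input", "input", 0, "accept"),
    ("nat_prerouting", "prerouting", -500, "accept"),
    ("early_input", "input", -10, "drop"),   # hypothetical, policy drop
]

if __name__ == "__main__":
    print(chain_order(CHAINS))
    # early_input (prio -10) runs before filter_input (prio 0) on the input
    # hook; with no matching rule its drop policy ends the walk early.
    print(traverse(CHAINS, {}))
    print(traverse(CHAINS, {"early_input": "accept"}))
```

Swapping nat_prerouting's priority to +500 leaves it visited first, because prerouting precedes input regardless of priority.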
<hr>
<span>You are receiving this mail because:</span>
<ul>
<li>You are watching all bug changes.</li>
</ul>
</body>
</html>