<html>
<head>
<base href="https://bugzilla.netfilter.org/">
</head>
<body><span class="vcard"><a class="email" href="mailto:phil@nwl.cc" title="Phil Sutter <phil@nwl.cc>"> <span class="fn">Phil Sutter</span></a>
</span> changed
<a class="bz_bug_link
bz_status_RESOLVED bz_closed"
title="RESOLVED WONTFIX - Design flaw in chain traversal"
href="https://bugzilla.netfilter.org/show_bug.cgi?id=1758">bug 1758</a>
<br>
<table border="1" cellspacing="0" cellpadding="8">
<tr>
<th>What</th>
<th>Removed</th>
<th>Added</th>
</tr>
<tr>
<td style="text-align:right;">Status</td>
<td>NEW
</td>
<td>RESOLVED
</td>
</tr>
<tr>
<td style="text-align:right;">CC</td>
<td>
</td>
<td>phil@nwl.cc
</td>
</tr>
<tr>
<td style="text-align:right;">Resolution</td>
<td>---
</td>
<td>WONTFIX
</td>
</tr></table>
<p>
<div>
<b><a class="bz_bug_link
bz_status_RESOLVED bz_closed"
title="RESOLVED WONTFIX - Design flaw in chain traversal"
href="https://bugzilla.netfilter.org/show_bug.cgi?id=1758#c1">Comment # 1</a>
on <a class="bz_bug_link
bz_status_RESOLVED bz_closed"
title="RESOLVED WONTFIX - Design flaw in chain traversal"
href="https://bugzilla.netfilter.org/show_bug.cgi?id=1758">bug 1758</a>
from <span class="vcard"><a class="email" href="mailto:phil@nwl.cc" title="Phil Sutter <phil@nwl.cc>"> <span class="fn">Phil Sutter</span></a>
</span></b>
<pre>Hi,

Please note that iptables works exactly the same way, you just don't have the
flexibility to add arbitrary base chains.

Take security table for instance: A drop rule in its INPUT chain can't be
overridden from filter table, no matter what. Vice versa: An accept rule in
security table's INPUT chain will not see any packet if filter table's INPUT
chain dropped them already.

All this is hard to change: Nobody would expect a packet to no longer appear in
filter's INPUT chain after mangle's PREROUTING chain had an ACCEPT verdict for
it.

You're free to design the basic ruleset layout of base and non-base chains in
nftables. But you also have to define (and enforce) the rules of how different
actors add their ruleset snippets to it. A simpler way may be to use a
coordinating daemon such as firewalld.

The "major design flaw" is expecting nftables to implement coordination between
concurrent users because its design supports them in the first place. We've
discussed this misunderstanding pretty extensively at netfilter workshops in
the past and haven't even found a feasible way to please users falling for
this, let alone compatibility with existing rulesets.

The substantial problem with the suggested "proceed" verdict is that one has to
change the "accept" one which is not compatible. The alternative of
implementing a "really accept" is flawed in that it will only lead to requests
for support of overriding it and thus back to square one.

We may continue discussing why things are the way they are, but please don't
expect this to change.

Cheers, Phil</pre>
</div>
</p>
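<p>The traversal behaviour described in the comment above, as an added nftables ruleset that is not part of the bug report: two tables hook the same <code>input</code> hook, and the chain with the lower priority value runs first. The <code>inet</code> family, the priorities 0 and 50 (mirroring what iptables-nft uses for the filter and security tables) and the port numbers are assumptions chosen for the illustration; the <code>counter</code> expressions let an operator verify with <code>nft list ruleset</code> which chain actually saw the packets.</p>

```nft
# Added example, not from the bug report. Load with: nft -f this-file.nft
# Base chains on the same hook are evaluated in ascending priority order.
# A verdict of "accept" only ends evaluation of the *current* base chain;
# the packet still enters the next base chain on the hook. "drop" is final.

table inet filter {
    chain input {
        type filter hook input priority 0; policy accept;

        # Dropped here at priority 0: the security table below never sees
        # these packets, so its "accept" rule for port 22 cannot override it.
        tcp dport 22 counter drop

        # Accepted here, but the packet continues into security.input:
        # "accept" does not skip the remaining base chains on the hook.
        tcp dport 80 counter accept
    }
}

table inet security {
    chain input {
        type filter hook input priority 50; policy accept;

        # Never matches live traffic: filter.input already dropped port 22.
        # The counter stays at 0 packets, which is the observable evidence.
        tcp dport 22 counter accept

        # Wins over filter.input's accept for port 80: the packet reached
        # this chain and a drop here is final.
        tcp dport 80 counter drop
    }
}
```

<p>After loading, <code>nft list ruleset</code> shows the counters: port 22 traffic only increments the counter in <code>filter.input</code>, and port 80 traffic increments both counters but is still dropped by <code>security.input</code>, which is exactly the ordering the comment says cannot be overridden from another table.</p>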
</body>
</html>