[Bug 1305] New: Rules in second chain same hook ignored if first chain has policy drop
bugzilla-daemon at netfilter.org
Sat Dec 1 12:15:27 CET 2018
https://bugzilla.netfilter.org/show_bug.cgi?id=1305
Bug ID: 1305
Summary: Rules in second chain same hook ignored if first chain has policy drop
Product: nftables
Version: unspecified
Hardware: x86_64
OS: Debian GNU/Linux
Status: NEW
Severity: normal
Priority: P5
Component: nft
Assignee: pablo at netfilter.org
Reporter: keithwilliamsnp at gmail.com
Debian Stretch, nft version 0.9.0-1, kernel 4.9.0-8-amd64
I am finding the behaviour of added chains a bit different to that expected from
reading all the documentation.
I have the chain
input {type filter hook input priority 0; policy drop;}
This carried most of the firewall rules. I then added another chain
testpr {type filter hook input priority -1;}
I cut and pasted the rule to accept ftp from the input chain (where it had been
working) into the testpr chain.
FTP was blocked. The packets should have traversed testpr first and been accepted
before, if necessary, entering the input chain. This was obviously not happening.
I tried swapping the priorities which, as expected, put the testpr chain after
the input chain and so caused the ftp packets to be dropped.
The only way I could get it to work was to change the input policy, but then,
of course, that gave a policy of accept, so the testpr chain was irrelevant, as
any packet not specifically dropped would be accepted, defeating the purpose of
a firewall.
I had the same result after changing the testpr to a non-base chain.
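Added illustration, not part of the report and not nftables' own code: a small Python model of how the kernel walks several base chains registered on the same hook. The chains and the sample packet are constructed to mirror the report; it shows that an accept verdict in testpr only finishes that chain, so the input chain at priority 0 still runs and its drop policy applies, whereas an accept rule placed in the policy-drop chain itself lets the packet through.

```python
# Constructed model of one netfilter hook carrying several nftables base
# chains. Each base chain is registered on the hook separately; the kernel
# walks them in ascending priority. An accept verdict ends only the current
# chain, while a drop verdict ends the whole traversal for the hook.
from dataclasses import dataclass, field
from typing import Callable, Dict, List, Tuple

Packet = Dict[str, object]                   # e.g. {"proto": "tcp", "dport": 21}
Rule = Tuple[Callable[[Packet], bool], str]  # (match predicate, verdict)


@dataclass
class BaseChain:
    name: str
    priority: int
    rules: List[Rule] = field(default_factory=list)
    policy: str = "accept"        # nft's default base-chain policy


def run_chain(chain: BaseChain, pkt: Packet) -> str:
    """First matching rule gives the verdict; otherwise the chain policy applies."""
    for match, verdict in chain.rules:
        if match(pkt):
            return verdict
    return chain.policy


def traverse_hook(chains: List[BaseChain], pkt: Packet) -> str:
    """Run every base chain on the hook, lowest priority number first."""
    for chain in sorted(chains, key=lambda c: c.priority):
        if run_chain(chain, pkt) == "drop":
            return "drop"         # drop is final for this hook
        # accept: this chain is finished, but the next base chain still runs
    return "accept"


is_ftp = lambda p: p.get("proto") == "tcp" and p.get("dport") == 21
ftp_syn: Packet = {"proto": "tcp", "dport": 21}   # constructed sample packet


def reported_setup() -> str:
    """testpr (priority -1) accepts ftp; input (priority 0) has policy drop."""
    testpr = BaseChain("testpr", -1, [(is_ftp, "accept")])
    inp = BaseChain("input", 0, policy="drop")
    return traverse_hook([inp, testpr], ftp_syn)


def swapped_priorities() -> str:
    """Same chains with testpr moved after input: input's policy drops first."""
    testpr = BaseChain("testpr", 1, [(is_ftp, "accept")])
    inp = BaseChain("input", 0, policy="drop")
    return traverse_hook([inp, testpr], ftp_syn)


def rule_in_policy_chain() -> str:
    """The accept rule lives in the chain that carries the drop policy."""
    inp = BaseChain("input", 0, [(is_ftp, "accept")], policy="drop")
    return traverse_hook([inp], ftp_syn)
```

Running `reported_setup()` returns "drop" and `rule_in_policy_chain()` returns "accept", which matches the behaviour the report describes.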