[Bug 1305] Rules in first chain same hook ignored if second chain has policy drop
bugzilla-daemon at netfilter.org
Sun Jul 14 11:12:55 CEST 2019
https://bugzilla.netfilter.org/show_bug.cgi?id=1305
Florian Westphal <fw at strlen.de> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |fw at strlen.de
--- Comment #1 from Florian Westphal <fw at strlen.de> ---
(In reply to keithwilliamsnp from comment #0)
> Debian Stretch, nft version 0.9.0-1 kernel 4.9.0-8-amd64
>
> I am finding the behaviour of added chains a bit different from that expected
> from reading all the documentation.
>
> I have chain
>
> input {type filter hook input priority 0; policy drop;}
>
> This carried most of the firewall rules. I then added another
> chain
>
> testpr {type filter hook input priority -1;}
>
> I cut and pasted the rule to accept ftp from the input chain (where it had
> been working) into the testpr chain.
> ftp was blocked. The packets should have traversed testpr first and been
> accepted there before, if necessary, entering the input chain. This was
> obviously not happening.
Yes, this is the same as e.g. accepting in the iptables mangle table INPUT chain:
the packet will continue on to the filter table INPUT chain.
I'll leave this open for now; any suggestion on where to place this in the
documentation?
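The following ruleset is an added illustration of the behaviour discussed in this bug; it is not from the report or from the nftables project. Base chains on the same hook are evaluated in ascending priority order. An "accept" verdict ends evaluation of the base chain it occurs in and nothing more; the packet then enters the next base chain registered on that hook, where it is subject to that chain's rules and policy. A "drop" verdict is final. The chain names, the port-21 rule and the mark value 0x1 are assumed for the example.

```nft
#!/usr/sbin/nft -f
# Added example, not part of the bug report.
flush ruleset

table inet filter {
    # Reporter's layout, kept only for illustration: the ftp rule is accepted
    # here at priority -1, but "accept" ends only THIS base chain. The packet
    # continues into chain "input" below and hits its "policy drop".
    #
    # chain testpr {
    #     type filter hook input priority -1; policy accept;
    #     tcp dport 21 accept
    # }

    # Fix, variant A: do not decide in the earlier base chain, only tag the
    # packet; the final verdict is given in the later chain.
    chain testpr {
        type filter hook input priority -1; policy accept;
        # Optional diagnostic: trace ftp packets so "nft monitor trace" shows
        # each base chain they traverse and the verdict in each.
        tcp dport 21 meta nftrace set 1
        tcp dport 21 meta mark set 0x1
    }

    # Fix, variant B: keep the ftp rule in a regular (non-base) chain and
    # jump to it from the single base chain that carries the drop policy.
    chain ftp {
        tcp dport 21 accept
    }

    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        iif lo accept
        meta mark 0x1 accept     # honour the tag set in testpr (variant A)
        jump ftp                 # or evaluate the rule here (variant B)
    }
}
```

Check the file without loading it with `nft -c -f <file>`, then load it with `nft -f <file>`. To see the traversal the reporter describes, run `nft monitor trace` while connecting to port 21: with the commented-out layout, the trace shows the packet accepted in testpr and then dropped by the policy of input; with either fix, it shows the accept verdict being reached in input.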