[Bug 1305] Rules in first chain same hook ignored if second chain has policy drop
bugzilla-daemon at netfilter.org
bugzilla-daemon at netfilter.org
Wed Oct 7 22:11:15 CEST 2020
https://bugzilla.netfilter.org/show_bug.cgi?id=1305
Egbert S <s.egbert at sbcglobal.net> changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |s.egbert at sbcglobal.net
--- Comment #5 from Egbert S <s.egbert at sbcglobal.net> ---
> I have following hooks:
>
> filter input prio 0
>
> nat prerouting prio -500
The priority values only works within the same hook. There are 6 hooks
(ingress, prerouting, input, forward, output, postrouting).
Local
process
^ | .-----------.
.-----------. | | | Routing |
| |-----> input / \---> | Decision |---->
output \
--> prerouting --->| Routing | .-----------.
\
| Decision |
--> postrouting
| |
/
| |---------------> forward
---------------------------
Don't forget to add 'ingress' before `prerouting` to the old chart above.
Ingress was added in Linux 4.2.
This is what I've gathered from the current Netfilter Wiki on nftables.
If many different chains exist within and only within that one `ingress` hook,
these chains ordered as each priority states, from lowest value (-500) to
highest value (+500) in terms of packet examination ordering.
If only just the two same-named chains but in different hooks (i.e., input,
forward) of different priority, priority settings don't matter.
Hook is the FIRST thing encountered when deciding the priority of chains within
each of the 6 hooks, next is within each chain that its rules' antecedence and
precedence are done in insertion order.
Your example is spread across two separate hooks (input & prerouting): so your
example of priority don't matter on this point.
--
You are receiving this mail because:
You are watching all bug changes.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.netfilter.org/pipermail/netfilter-buglog/attachments/20201007/cd782141/attachment.html>
More information about the netfilter-buglog
mailing list