[Bug 1305] Rules in first chain same hook ignored if second chain has policy drop

bugzilla-daemon at netfilter.org bugzilla-daemon at netfilter.org
Sat Feb 6 12:18:42 CET 2021


Frank Myhr <fmyhr at fhmtech.com> changed:

           What    |Removed                     |Added
                 CC|                            |fmyhr at fhmtech.com

--- Comment #12 from Frank Myhr <fmyhr at fhmtech.com> ---
@Alexander S.: I think the packet flow diagram posted by Egbert S. is correct,
i.e. output hook comes *after* routing decision. As is also shown here:

As to Marco's proposal of quick-accept and delayed-drop statements: neat idea.
As pointed out, they would make hook priority more powerful than it currently
is. But as Brian points out, when using nftables only (no legacy iptables
stuff), then the same effect can be achieved with a single base chain (hook)
using multiple jump (or goto) statements. For this case, I wonder how the
computational efficiency of multiple jumps vs. multiple hooks compares? Maybe
the single base chain with multiple jumps is more efficient, if less elegant,
than multiple base chains?

In cases where legacy iptables stuff is in simultaneous use, I agree that the
proposed quick-accept / delayed-drop additions would make the combined policy
far less confusing than it currently is.

You are receiving this mail because:
You are watching all bug changes.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.netfilter.org/pipermail/netfilter-buglog/attachments/20210206/23c7eb9e/attachment.html>

More information about the netfilter-buglog mailing list