[Bug 1305] Rules in first chain same hook ignored if second chain has policy drop

bugzilla-daemon at netfilter.org bugzilla-daemon at netfilter.org
Sat Feb 6 12:18:42 CET 2021


https://bugzilla.netfilter.org/show_bug.cgi?id=1305

Frank Myhr <fmyhr at fhmtech.com> changed:

           What    |Removed                     |Added
----------------------------------------------------------------------------
                 CC|                            |fmyhr at fhmtech.com

--- Comment #12 from Frank Myhr <fmyhr at fhmtech.com> ---
@Alexander S.: I think the packet flow diagram posted by Egbert S. is correct,
i.e. output hook comes *after* routing decision. As is also shown here:
https://commons.wikimedia.org/wiki/File:Netfilter-packet-flow.svg

As to Marco's proposal of quick-accept and delayed-drop statements: neat idea.
As pointed out, they would make hook priority more powerful than it currently
is. But as Brian points out, when using nftables only (no legacy iptables
stuff), then the same effect can be achieved with a single base chain (hook)
using multiple jump (or goto) statements. For this case, I wonder how the
computational efficiency of multiple jumps vs. multiple hooks compares? Maybe
the single base chain with multiple jumps is more efficient, if less elegant,
than multiple base chains?

In cases where legacy iptables stuff is in simultaneous use, I agree that the
proposed quick-accept / delayed-drop additions would make the combined policy
far less confusing than it currently is.

-- 
You are receiving this mail because:
You are watching all bug changes.
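As an added illustration of the single-base-chain alternative discussed in the comment above (this is example text, not a ruleset from the bug report or from the netfilter project; the table and chain names are assumed): the first table shows the two-base-chain layout that triggers the reported behaviour, the second shows the equivalent policy expressed as one base chain with ordered jumps. In nftables an `accept` verdict only terminates the base chain it was reached from, so a later base chain on the same hook with `policy drop` still sees the packet; inside a single base chain, an `accept` reached in a jumped-to chain ends evaluation for that hook, which is the "quick accept", and the base chain's policy acts as the "delayed drop".

```nft
# Layout that exhibits the bug: two base chains on the same hook (assumed
# example). A new SSH connection is accepted in "early", but "late" then
# evaluates it too; it is neither established nor related there, so the
# policy drop of "late" discards it.
table inet demo_split {
    chain early {
        type filter hook input priority 0; policy accept;
        tcp dport 22 accept        # only ends evaluation of this chain
    }
    chain late {
        type filter hook input priority 10; policy drop;
        ct state established,related accept
    }
}

# Workaround: one base chain, ordered jumps into regular chains. An accept
# reached in allow_ssh or allow_established ends evaluation for the hook;
# anything that falls through every jump meets the base chain's policy drop.
table inet demo_single {
    chain allow_ssh {
        tcp dport 22 accept        # quick accept: final for this hook
    }
    chain allow_established {
        ct state established,related accept
        ct state invalid drop
    }
    chain input {
        type filter hook input priority 0; policy drop;   # delayed drop
        jump allow_ssh
        jump allow_established
    }
}
```

Check either file with `nft -c -f <file>` before loading it with `nft -f <file>`, and inspect the result with `nft list ruleset`. Replacing a `jump` with `goto` changes the fall-through: `goto` does not return to the base chain, so rules listed after it are skipped and a packet that matches nothing in the target chain goes straight to the base chain's policy.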