[Bug 1305] Rules in first chain same hook ignored if second chain has policy drop

bugzilla-daemon at netfilter.org bugzilla-daemon at netfilter.org
Sun Feb 7 00:02:34 CET 2021


https://bugzilla.netfilter.org/show_bug.cgi?id=1305

--- Comment #16 from Frank Myhr <fmyhr at fhmtech.com> ---
@ Alexander.S: Thanks for that ref, it's a good read. I'm still unsure of
order/relationship between output and routing. Funny you should mention marking
packets/DNAT in output chain, I've never gotten that to work (admittedly tried
only with older kernels / iptables).

About the proposed quick-accept verdict: on further reflection, such a change
would seem to require a change to the way netfilter (not just nftables) works.
As Pablo writes in the login article that Alexander.S linked, conntrack
registers callbacks to the same netfilter hooks that nftables and iptables do.
(Maybe there are additional facilities that register yet more callbacks to
these hooks?) Netfilter's general hook-and-callback system means that even if,
from the point of view of your nft ruleset, *firewall* operations are
finished for a given netfilter hook, and you'd like to quick-accept, there
might be conntrack or other callbacks registered to that hook that still need
to be performed. So netfilter's flexibility in allowing multiple systems to use
its hooks may come at the price of disallowing such a quick-accept...? It seems
what would be needed is a filter-only quick-accept, while still running any
non-filter callbacks at that hook. Which sounds like it might be more trouble
than it's worth, when the same can be achieved with jumps within a single
filter callback.

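To illustrate the behaviour this bug report is about, and the single-base-chain-with-jumps structure the comment above suggests instead, here is an added nftables example (not part of the thread; table, chain names and the port are constructed). With two base chains on the same hook, an accept verdict in the first only ends that chain: the packet still traverses the second base chain and is dropped by its policy. With one base chain that jumps to a regular chain, accept is final for the hook.

```nft
# Problematic layout: two base chains registered on the same input hook.
# A packet accepted in "allow" (priority 0) is then handed to "strict"
# (priority 10, runs later), which has no rules and a drop policy, so the
# accept is effectively ignored.
table inet broken {
    chain allow {
        type filter hook input priority 0; policy accept;
        ct state established,related accept
        tcp dport 22 accept   # constructed example: permit SSH
    }
    chain strict {
        type filter hook input priority 10; policy drop;
    }
}

# Suggested layout: a single base chain on the hook, with the allow rules
# in a regular (non-base) chain reached via jump. An accept inside "allow"
# terminates traversal of the base chain, so the drop policy is not applied.
table inet fixed {
    chain input {
        type filter hook input priority 0; policy drop;
        ct state established,related accept
        jump allow
        # anything not accepted above falls through to the drop policy
    }
    chain allow {
        tcp dport 22 accept   # constructed example: permit SSH
    }
}
```

Loading each table with `nft -f` and inspecting counters added to the accept rules shows the difference: in the `broken` table the SSH packet matches the accept rule yet never reaches the socket, while in `fixed` it does.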

