[Bug 1305] Rules in first chain same hook ignored if second chain has policy drop
bugzilla-daemon at netfilter.org
Wed Jan 20 19:39:14 CET 2021
https://bugzilla.netfilter.org/show_bug.cgi?id=1305
--- Comment #9 from Brian Pond <brian at pondconsulting.net> ---
"Why do you want to have separate base chains if you do not want them to
independently drop a packet?"
Because I want my separate base chains to independently -accept- a packet.
Your workaround is practical. I'm doing the same thing in my production
environments today. By using a single base chain, plus jumps to non-base
chains, I can achieve the desired behavior. I want my nftables to Log and Drop
everything by default, except for packets I have explicitly Safelisted.
However, the design could be even simpler. If I could create multiple Base
Chains, with different Priorities, I could avoid writing Jump statements
altogether:
* Base Chain #1, Priority 0 = Accept Some Things.
* Base Chain #2, Priority 10 = Accept Some Things.
* Base Chain #3, Priority 20 = Accept Some Things.
* Base Chain #4, Priority 30 = Log and Drop Everything Else.
In this way, a packet flows linearly through the rules based on chain priority,
until it's either Accepted or Dropped. First match wins. I wouldn't need to
code Jumps at all.
Currently this is impossible, because that final Drop in Base #4 overrules the
previous 3 chains' decisions.
And Priority is left without any real purpose. I'm practically limited to 1
base chain per hook. Whether those chains are Priority 0 or 200, all that
actually matters is jumping around, until the packet encounters a Drop.
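The single-base-chain workaround described in the comment, written out as an added example (not part of the bug report, and not a ruleset from the reporter or the netfilter project); the table name, chain names, addresses and ports are made up. One base chain on the input hook jumps to each "accept some things" group, which lives in a regular (non-base) chain, and the base chain ends with log + drop.

```nft
# Added example: one base chain per hook, with the safelist groups in
# non-base chains reached by jump. An accept inside a jumped-to chain is
# final for the packet; a packet that matches nothing in that chain returns
# to the base chain and the next group gets a look. Only a packet that falls
# through every group reaches the final log + drop.
#
# For contrast, the layout the comment wishes for (accept groups spread over
# base chains at priorities 0, 10 and 20, plus a base chain at priority 30
# that logs and drops everything) does not give first-match-wins: an accept
# in an earlier base chain only hands the packet on to the next base chain
# for the same hook, so the unconditional drop at priority 30 still wins.
table inet filter {
    # Group 1 (constructed values): management SSH from one subnet
    chain safelist_mgmt {
        ip saddr 192.0.2.0/24 tcp dport 22 accept
    }

    # Group 2 (constructed values): public web ports
    chain safelist_web {
        tcp dport { 80, 443 } accept
    }

    # Group 3 (constructed values): rate-limited ping
    chain safelist_icmp {
        icmp type echo-request limit rate 10/second accept
    }

    # The only base chain on the input hook. Its policy and its last rule
    # both drop, so "log and drop everything else" is the default.
    chain input {
        type filter hook input priority 0; policy drop;

        ct state established,related accept
        iifname "lo" accept

        jump safelist_mgmt
        jump safelist_web
        jump safelist_icmp

        # Everything that was not explicitly safelisted above
        log prefix "nft-drop: " drop
    }
}
```

Loaded with `nft -f`, this gives the linear first-match-wins flow the comment asks for, with chain order in the base chain standing in for the priorities the reporter would prefer to use.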