[Bug 1758] Design flaw in chain traversal
bugzilla-daemon at netfilter.org
bugzilla-daemon at netfilter.org
Mon Jul 15 14:14:35 CEST 2024
https://bugzilla.netfilter.org/show_bug.cgi?id=1758
marius at nuenneri.ch changed:
What |Removed |Added
----------------------------------------------------------------------------
CC| |marius at nuenneri.ch
--- Comment #2 from marius at nuenneri.ch ---
I also found this behaviour quite confusing.
Before I discovered this, I assumed there are two types of packet filters:
1. Execute the statement on the first matching rule (like FreeBSD's ipfw).
2. Execute the statement on the last matching rule (like OpenBSD's pf).
Now I see that there is a third way:
3. Execute a drop on the first matching rule, but an accept on the last matching rule.
OpenBSD's pf actually solves this by having a `quick` keyword, which makes a
rule terminate the rule evaluation and execute the statement.[1]
IMHO this makes a lot of sense for type 2 and 3 packet filters.
This matches the "really accept" that Phil is talking about, but I don't
think people have requests to override it, and this has been the case in
OpenBSD for at least two decades.
I conclude that it would make sense to add the quick keyword to nftables.
[1] https://www.openbsd.org/faq/pf/filter.html
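The three behaviours described in this comment, shown as an nftables ruleset. This is an added illustration, not part of the bug report; the table and chain names are made up, and the comments state the verdict semantics of base chains sharing one hook.

```nft
# Added illustration of nftables verdict semantics (not from the bug report).
# Table and chain names are invented for the example.
table inet demo {
    # Within a single base chain the first matching rule with a verdict wins
    # (behaviour 1 from the comment).
    chain first_match {
        type filter hook input priority -10; policy accept;
        tcp dport 22 accept   # first match: evaluation of this chain ends here
        tcp dport 22 drop     # never reached for port 22 in this chain
    }

    # A second base chain on the same hook is still evaluated for the packet
    # that the previous chain accepted: accept ends only its own chain,
    # while drop is final for the hook (behaviour 3 from the comment).
    chain later {
        type filter hook input priority 0; policy accept;
        tcp dport 22 drop     # terminates traversal: the packet is gone
    }
}
# Net effect: TCP traffic to port 22 is dropped even though the higher-priority
# chain accepted it. Only the lowest-priority chain's accept is "really accept";
# there is no pf-style `quick` verdict that accepts and stops the remaining chains.
```

When auditing a host, list every base chain on a hook (`nft list ruleset`) rather than checking a single chain, since an accept seen in one chain does not guarantee the packet survives the others.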