On Fri, Feb 21, 2025 at 04:02:25PM -0800, robinleepowell@xxxxxxxxx wrote:
> So I, like many other people, have hit problems with nftables ordering,
> as has been discussed on this mailing list MANY TIMES.
>
> This whole thing seemed ridiculous so I asked the nftables people about
> what one is *supposed* to do in this situation. It turns out that the
> standard solution is for libvirt's nftables rules to set a packet mark
> (there's a collision possibility here, but it's a 32-bit integer; if you
> pick one at random it shouldn't be a problem) and then the user adds a
> rule to exclude packets with that mark from any reject rules they might
> have, or explicitly accept marked packets in their own chains, or whatever.

That's an interesting idea and worth a try.

With regards,
Daniel
--
|: https://berrange.com         -o-    https://www.flickr.com/photos/dberrange :|
|: https://libvirt.org            -o-            https://fstop138.berrange.com :|
|: https://entangle-photo.org     -o-   https://www.instagram.com/dberrange :|
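The mark-based scheme described in the quoted message, as an added nftables example that is not libvirt's actual ruleset: a lower-priority chain (standing in for libvirt's rules) tags guest-bridge traffic with a mark, and the user's own forward chain accepts that mark before its reject rule, so the result no longer depends on which ruleset was loaded first. The bridge name virbr0, the table names and the mark value 0x4c56 are assumptions chosen for the example.

```nft
# Added example, not libvirt's own rules. All names and the mark value
# are constructed for illustration.

# Stand-in for libvirt's ruleset: runs before the user's chain (priority
# -10 < 0) and marks traffic to or from the guest bridge.
table inet libvirt_example {
    chain mark_guest_traffic {
        type filter hook forward priority -10; policy accept;
        # assumption: guest bridge is virbr0; 0x4c56 is a randomly chosen mark
        iifname "virbr0" meta mark set 0x4c56
        oifname "virbr0" meta mark set 0x4c56
    }
}

# The user's own firewall: default-deny forward chain, but packets carrying
# libvirt's mark are accepted before the reject rule regardless of load order.
table inet user_firewall {
    chain forward {
        type filter hook forward priority 0; policy drop;
        ct state established,related accept
        ct state invalid drop
        # honour libvirt's mark instead of fighting over chain ordering
        meta mark 0x4c56 accept
        reject with icmpx type admin-prohibited
    }
}
```

Load with `nft -f` and inspect with `nft list ruleset`; if another tool already uses the mark field, set the mark with a mask (for example `meta mark set mark | 0x4c56`) so the two users do not clobber each other.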