On 21 November 2017 at 18:09, Florian Westphal <fw@xxxxxxxxx> wrote:
>
> Yes, that's expected.
> First ssh base chain gets invoked, which accepts any packet
> either by verdict or policy.
>
> Then next base chain gets consulted which drops the packet.
>
> I would suggest either swapping the policies or duplicating the ssh
> rule into the input chain too.

This is something which is actually confusing our users. I just took the time to extend the documentation a bit:

https://wiki.nftables.org/wiki-nftables/index.php/Configuring_chains

Of course, feel free to edit the docs :-)
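The behaviour Florian describes, as an added ruleset that is not part of the original mail or the nftables wiki page: two base chains registered on the same input hook, where the lower priority value runs first, an accept verdict or accept policy only ends evaluation of that one base chain, and a drop in any later base chain is final. The chain names, the priority values and the `inet filter` table are assumptions chosen for the illustration.

```nft
# Added example: two base chains on the input hook.
# Base chains on the same hook run in ascending priority order (-10 before 0).
table inet filter {
    # Runs first. "accept" (by rule or by policy) only finishes THIS chain;
    # the packet is then handed to the next base chain on the same hook.
    chain ssh {
        type filter hook input priority -10; policy accept;
        tcp dport 22 accept
    }

    # Runs second. "drop" is terminal: no later base chain sees the packet.
    # Without the "tcp dport 22 accept" rule below, a new SSH connection is
    # accepted by the ssh chain and then dropped by this chain's policy,
    # which is the surprise discussed in the thread.
    chain input {
        type filter hook input priority 0; policy drop;
        iif "lo" accept
        ct state established,related accept
        tcp dport 22 accept   # duplicated from the ssh chain (Florian's second option)
    }
}
```

Check the file without committing it with `nft -c -f <file>`, then load it with `nft -f <file>` and confirm the ordering with `nft list ruleset`. Florian's first option, swapping the policies, works for the same reason: the terminal decision for a packet is made by whichever base chain drops it, so the chain meant to reject traffic must be the one whose rules or policy actually say `drop`, and every base chain on the hook must accept the traffic you want to let through.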