On 2021/03/07 09:43, Simon Ruderich wrote:
I don't understand how the priority option actually works. The
documentation states that it "specifies the order in which chains
with the same *hook* value are traversed". However, from what I
understand it's not only relevant for the order of multiple
custom hooks but it also maps to the priority used for the
netfilter hooks inside the kernel (e.g. -300 which happens before
conntrack handling in the kernel). Please correct me if this is
wrong.
Assuming the above is more or less correct, I don't understand
why the old rules worked:
add chain nat prerouting { type nat hook prerouting priority 0; }
add chain nat postrouting { type nat hook postrouting priority 100; }
Isn't priority 0 "too late" as 0 is also used for filter? Or are
nat and filter types completely separate and the order is only
relevant for hooks of the same type? If so, why does postrouting
require priority 100 (shouldn't the kernel put prerouting before
postrouting automatically)? Or would any value greater than 0
also work as long as it's after postrouting? And why are dstnat
and srcnat set to -100 and 100?
Hi Simon,
Priority is only relevant _within a given hook_. So comparing priorities
of base chains hooked to prerouting and postrouting (as in your example
above) does not make sense. Please see:
https://wiki.nftables.org/wiki-nftables/index.php/Configuring_chains#Base_chain_priority
https://wiki.nftables.org/wiki-nftables/index.php/Netfilter_hooks
Hope that clears things up for you.
Best Wishes,
Frank
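To make the "priority only matters within a hook" point concrete, here is an added illustration (not from either message in this thread, nor from the nftables project) of a ruleset with several base chains on the same prerouting hook and one on postrouting. The table name `demo` and chain names are hypothetical; the numeric priorities are the conventional ones that the thread mentions (-300 before conntrack, -100 for dstnat, 0 for filter, 100 for srcnat).

```nft
# Constructed demo ruleset; load with: nft -f demo.nft
# Syntax-check without loading: nft -c -f demo.nft
table inet demo {
    # Three base chains on the SAME hook (prerouting). Packets traverse
    # them in ascending priority order: -300, then -100, then 0.
    # Negative values run before conntrack (which sits at -200).
    chain early {
        type filter hook prerouting priority -300; policy accept;
        # runs first on this hook, before conntrack has seen the packet
    }
    chain dnat {
        type nat hook prerouting priority -100; policy accept;
        # runs second on this hook (the conventional "dstnat" slot)
    }
    chain later {
        type filter hook prerouting priority 0; policy accept;
        # runs last on this hook (the conventional "filter" slot),
        # so it already sees the DNAT'ed destination address
    }

    # A base chain on a DIFFERENT hook (postrouting). Its priority 100
    # is never compared with the prerouting priorities above; 100 here
    # only orders it against other postrouting chains, and puts it
    # after the filter slot so source NAT happens after filtering.
    chain snat {
        type nat hook postrouting priority 100; policy accept;
    }
}
```

Running `nft -c -f demo.nft` only parses and validates the file, which is a safe way to confirm the chain definitions before loading them. Newer nft releases also accept the symbolic names `raw`, `dstnat`, `filter` and `srcnat` in place of -300, -100, 0 and 100, which makes the intended slot on each hook explicit.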