On Sun, Mar 07, 2021 at 10:02:52AM -0500, Frank Myhr wrote:
> Hi Simon,
>
> Priority is only relevant _within a given hook_. So comparing priorities of
> base chains hooked to prerouting and postrouting (as in your example above)
> does not make sense. Please see:
>
> https://wiki.nftables.org/wiki-nftables/index.php/Configuring_chains#Base_chain_priority
> https://wiki.nftables.org/wiki-nftables/index.php/Netfilter_hooks

Hello Frank,

thank you. This helped, somewhat.

The image https://people.netfilter.org/pablo/nf-hooks.png in the wiki lists netfilter hooks. Do these correspond to nftables hooks? So all prerouting hooks (type nat, type filter, etc.) for IP are applied to the green "Prerouting Hook" in the IP part of the diagram? And the "Netfilter Internal Priority" applies only within such a hook to order them?

If this is correct this leads me to three questions:

Why is there a global order of netfilter hooks (via the priority, -450 to INT_MAX)? Wouldn't it also work to set for example NF_IP_PRI_NAT_SRC to -400 because it only applies in postrouting anyway? Or is it designed that way to "hint" at the packet flow (lower numbers first, independent of the actual hooks)?

For type nat and hook prerouting priorities like -100, 0 and 500 would all work because we have no other hooks in that range. However, using priority -250 would be problematic because it puts it before the netfilter connection tracking?

What exactly is the difference between the chain types? Is it relevant for netfilter or is it only for nftables so it knows which rules to expect in the given chain?

Regards
Simon

--
+ privacy is necessary
+ using gnupg http://gnupg.org
+ public key id: 0x92FEFDB7E44C32F9
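An added ruleset (not from the thread) illustrating the point Frank makes: two base chains in the same prerouting hook are ordered only relative to each other, while the postrouting chain's priority is never compared with them. The table and chain names, the interface name, and the counters are made up for the example.

```nft
# Constructed example: priorities order chains only within one hook.
table ip demo_order {
    # Evaluated first within prerouting: -150 sits after conntrack (-200)
    # and before dst NAT (-100), so "ct state" is already valid here.
    chain early {
        type filter hook prerouting priority -150; policy accept;
        ct state invalid counter drop
        counter comment "hit before chain late"
    }

    # Same hook, higher number: evaluated after chain early.
    chain late {
        type filter hook prerouting priority 0; policy accept;
        counter comment "hit after chain early"
    }

    # Different hook: 100 here is not ordered against -150 or 0 above;
    # it only places this chain among other postrouting chains.
    chain masq {
        type nat hook postrouting priority 100; policy accept;
        oifname "eth0" masquerade
    }
}
```

Load it with `nft -f` and compare the two prerouting counters with `nft list table ip demo_order`; they advance in lockstep, early before late, regardless of what the postrouting chain's number is.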