On Thu, Feb 02, 2017 at 01:52:18PM +0100, Christoph Pleger wrote:
> Hello,
>
> On 2017-01-11, I wrote:
>
> > The Wiki on https://wiki.nftables.org mentions two priorities
> > specifically available for NAT, -100 and 100. But of these two, the
> > wiki's example for NAT only uses the value 100 for the postrouting
> > chain. The prerouting chain has priority 0, and there is no difference
> > between SNAT and DNAT.
> >
> > When I look at the ipv4-nat example which is shipped together with my
> > nftables package, both chains use priority -150, though according to the
> > Wiki, that value is used for mangling.
> >
> > And when I look at some online examples, they use 0 for prerouting and
> > postrouting.
> >
> > So, what are really the best values to use for priority in snat
> > prerouting and postrouting and dnat prerouting and postrouting?
>
> Does "No answer in three weeks" mean that nobody here knows how to use
> these priority values for NAT chains? Though probably netfilter developers
> are reading this list?

Sorry, I overlooked this email.

See nf_ip_hook_priorities:
http://lxr.free-electrons.com/source/include/uapi/linux/netfilter_ipv4.h

See nf_ip6_hook_priorities:
http://lxr.free-electrons.com/source/include/uapi/linux/netfilter_ipv6.h

Yes, I'm pointing to source code, I know I should not be doing this ;-)

Probably we can add the 'default' label, so:

    add chain x y { type filter hook input priority default\; }

In this case, default translates to 0.

    add chain x y { type nat hook prerouting priority default\; }

In this case this would be -100.

Then:

    add chain x y { type nat hook postrouting priority default\; }

This results in priority 100.

We would still need explicit labels though, e.g. raw and security at least.
These are a special type of filter chains.

Comments welcome.

Thanks.

--
To unsubscribe from this list: send the line "unsubscribe netfilter" in
the body of a message to majordomo@xxxxxxxxxxxxxxx
More majordomo info at http://vger.kernel.org/majordomo-info.html
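The following is an added example, not code from the mailing list or from the nftables project. It takes the numeric slots from the kernel's nf_ip_hook_priorities enum that the reply links to, resolves the proposed (hypothetical, not yet implemented) 'default' label the way the reply describes (0 for filter, -100 for nat prerouting, 100 for nat postrouting), and checks one-line `add chain` definitions such as the ones in the thread. It goes one step beyond the message by also giving nat output the DNAT slot (-100) and nat input the SNAT slot (100), which is how the kernel's NAT hooks are split. The `NF_IP_PRI` table, the `default_priority` rule and the sample lines are all assumptions or constructed inputs; the ordering check (a nat chain must run after conntrack at -200, or there is no connection state to NAT against) is the practical caveat behind the question of which value to pick.

```python
import re
from dataclasses import dataclass, field

# Hook priorities from enum nf_ip_hook_priorities in
# include/uapi/linux/netfilter_ipv4.h; nf_ip6_hook_priorities uses the same values.
NF_IP_PRI = {
    "conntrack_defrag": -400,
    "raw": -300,
    "selinux_first": -225,
    "conntrack": -200,
    "mangle": -150,
    "nat_dst": -100,
    "filter": 0,
    "security": 50,
    "nat_src": 100,
    "selinux_last": 225,
    "conntrack_helper": 300,
}

# Matches the one-line "add chain" form used in the message; the optional
# backslash before ';' is the shell escape people type on the nft command line.
CHAIN_RE = re.compile(
    r"add chain (?P<table>\S+) (?P<chain>\S+) \{\s*type (?P<type>\w+)"
    r" hook (?P<hook>\w+) priority (?P<prio>-?\w+)\\?;\s*\}"
)


@dataclass
class ChainCheck:
    table: str
    chain: str
    chain_type: str
    hook: str
    priority: int
    warnings: list = field(default_factory=list)


def default_priority(chain_type, hook):
    """Hypothetical 'default' label: 0 for filter, the kernel NAT slot for nat."""
    if chain_type == "filter":
        return NF_IP_PRI["filter"]
    if chain_type == "nat":
        # Assumption extending the message: DNAT runs where the destination can
        # still change (prerouting, output), SNAT after routing (postrouting, input).
        if hook in ("prerouting", "output"):
            return NF_IP_PRI["nat_dst"]
        return NF_IP_PRI["nat_src"]
    raise ValueError(f"no default priority defined for chain type {chain_type!r}")


def resolve_priority(chain_type, hook, token):
    """Accept 'default', a named slot (raw, mangle, security, ...) or an integer."""
    if token == "default":
        return default_priority(chain_type, hook)
    if token in NF_IP_PRI:
        return NF_IP_PRI[token]
    return int(token)


def check_chain(line):
    m = CHAIN_RE.match(line.strip())
    if not m:
        raise ValueError(f"unrecognised chain definition: {line!r}")
    chain_type, hook = m["type"], m["hook"]
    prio = resolve_priority(chain_type, hook, m["prio"])
    result = ChainCheck(m["table"], m["chain"], chain_type, hook, prio)
    if chain_type == "nat":
        # NAT needs conntrack to have classified the packet first, so a nat chain
        # ordered at or before NF_IP_PRI_CONNTRACK can never rewrite anything.
        if prio <= NF_IP_PRI["conntrack"]:
            result.warnings.append("nat chain runs at or before conntrack (-200)")
        expected = default_priority(chain_type, hook)
        if prio != expected:
            result.warnings.append(
                f"priority {prio} is not the kernel NAT slot ({expected}) for hook {hook}"
            )
    return result


# Constructed sample lines (not from the mailing list): the three 'default'
# cases from the reply, the ipv4-nat example's -150, a raw filter chain,
# and a nat chain placed before conntrack.
SAMPLE_RULES = [
    r"add chain x y { type filter hook input priority default\; }",
    r"add chain x y { type nat hook prerouting priority default\; }",
    r"add chain x y { type nat hook postrouting priority default\; }",
    r"add chain x y { type nat hook prerouting priority -150\; }",
    r"add chain x y { type filter hook prerouting priority raw\; }",
    r"add chain x y { type nat hook prerouting priority -300\; }",
]


def audit(lines):
    return [check_chain(line) for line in lines]


if __name__ == "__main__":
    for r in audit(SAMPLE_RULES):
        print(f"{r.chain_type:6} {r.hook:11} -> {r.priority:5}  {' ; '.join(r.warnings) or 'ok'}")
```

Running the block prints one line per chain; the -150 prerouting chain resolves fine but is flagged as sitting in the mangle slot rather than a NAT slot, and the -300 nat chain is additionally flagged for being ordered ahead of conntrack.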