I am not sure if this is deliberate or an oversight, but it seems that
chains without a hook directive cannot have a policy.
The decision of what to do if you fall off the end of a chain is not
hard to answer with an explicit directive, but in terms of a chain you
might want to flush and rebuild or whatever, it's just sort of surprising.
Trivial example of discussion point:
table ip example {
    chain expected_normal {
        type filter hook forward priority 0; policy drop;
        iif eth0 goto avoid_policy_if_flushed
        iif eth1 goto ought_to_be_legal
    }
    chain avoid_policy_if_flushed {
        drop
    }
    chain ought_to_be_legal {
        policy drop; # not legal but should be IMHO
    }
}
later:
# nft flush chain ip example avoid_policy_if_flushed
Now obviously using jump instead of goto makes this less of an issue, so
this isn't impossible, but if something/someone tangles up some logic,
surprises could develop.
I haven't figured out if this limit is arbitrary code or if it's
inherent to how hooks work. So this is a request-for-discussion email,
not a feature request etc.
--Rob.
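As an added example (not part of Rob's mail, and not an answer from the list), here is the same chain layout written the way a practitioner would harden it against the flush-and-rebuild surprise described above: each regular chain ends in an explicit terminal verdict, since a regular chain cannot carry a policy, and the flush and the rebuild are put into one nft -f file so they are applied as a single atomic transaction and no packet is ever evaluated against an emptied chain. If a chain reached by goto is emptied, evaluation falls through to the base chain's policy; with jump it returns to the calling chain and continues there. The chain names are Rob's; the ct state and tcp dport 22 rules are assumed purely for illustration.

```nft
#!/usr/sbin/nft -f
# Added example, not from the original mail. Everything in this file is
# applied by `nft -f` as one transaction: the flush and the rebuild below
# either both take effect or neither does, so traffic never sees a chain
# that has been flushed but not yet repopulated.

# "add table" is idempotent, so this file works on first load and on reload.
add table ip example

# Remove the rules from every chain in the table, but keep the chains
# themselves (and the base chain's policy) in place.
flush table ip example

table ip example {
    chain expected_normal {
        type filter hook forward priority 0; policy drop;
        iif "eth0" goto avoid_policy_if_flushed
        iif "eth1" goto ought_to_be_legal
    }

    # A regular chain cannot carry "policy", so its last rule acts as one.
    # Should this chain ever be left empty, a packet sent here by goto falls
    # through to expected_normal's policy (drop) rather than being accepted.
    chain avoid_policy_if_flushed {
        ct state established,related accept   # assumed illustrative rule
        drop
    }

    chain ought_to_be_legal {
        tcp dport 22 accept                    # assumed illustrative rule
        drop                                   # explicit "policy" for a regular chain
    }
}
```

Load it with `nft -f rules.nft`; `nft -c -f rules.nft` parses and checks the file without committing it, which is the place to catch a stray `policy` line in a regular chain before it reaches the kernel.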