Fwd: Accept nftables statement doesn't prevent lower priority chains for same hook from execution

Hi!

Suppose you have 2 basic chains for the same hook (e.g. filter input)
where the first chain has a higher priority (executed first) than the second.
Currently it looks like that if a packet is "accept"ed in the first
chain the second is still executed and can "drop" an _already accepted_
packet. On the other hand "drop" prevents execution of further chains
(i.e. an already dropped packet can't be accepted in a lower-priority
chain).

My question is: are "accept" and "drop" terminal statements
asymmetrical by design in nftables?

If so this looks very strange to me and makes layered firewall
configuration (e.g. lowest priority chain blocks everything and higher
priority chains selectively open ports for specific services) much
more cumbersome than needed. Or am I just missing something obvious?

Thx in advance!
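The behaviour described in the post is how nftables base chains work: `accept` ends evaluation of the current base chain and hands the packet to the next base chain registered on the same hook (the one with the next higher priority number), while `drop` is final. The ruleset below is an added example, not code from the original post: it builds the layered setup the post asks for (a catch-all chain that drops everything plus an earlier chain that opens specific services) and works around the asymmetry by recording the earlier "accept" in a packet mark that the catch-all chain honours. The table name `layered`, the mark value `0x1`, the priorities and the choice of TCP port 22 are assumptions made for the example.

```nft
#!/usr/sbin/nft -f
# Added example: layered input filtering across two base chains on the same hook.
# Lower priority number runs first, so "services" (priority -10) runs before
# "catchall" (priority 0). An "accept" in "services" would NOT stop "catchall"
# from running, so the decision is carried over in the packet mark (0x1 is an
# arbitrary value chosen for this example; pick one that no other table uses).
flush ruleset

table inet layered {
    # Runs first. Packets it accepts are marked so the later chain lets them
    # through; packets it does not match fall through to "catchall" unmarked.
    chain services {
        type filter hook input priority -10; policy accept;

        # Replies to connections we started, and related traffic.
        ct state established,related meta mark set 0x1 accept

        # Selectively opened service (assumed: SSH on TCP port 22).
        tcp dport 22 meta mark set 0x1 accept
    }

    # Runs afterwards. Default is drop, so anything not explicitly let
    # through by an earlier chain (via the mark) or by the rules here dies.
    chain catchall {
        type filter hook input priority 0; policy drop;

        # Honour the decision made in "services".
        meta mark 0x1 accept

        # Loopback is always fine.
        iif "lo" accept

        # Everything else hits the drop policy.
    }
}
```

Check the syntax without touching the kernel with `nft -c -f layered.nft`, then load it with `nft -f layered.nft`. Without the `meta mark 0x1 accept` rule in `catchall`, an SSH packet accepted in `services` is still dropped by the `catchall` policy, which is exactly the asymmetry the post observes. An alternative that avoids marks entirely is to register a single base chain on the input hook and `jump` from it to regular (non-base) chains in the desired order: an `accept` inside a jumped-to chain ends evaluation for that base chain, so the layering behaves as the post expects.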
