Hi.

You don't need multiple base chains with different priorities. Your
iptables ruleset adaptation will look like:

table inet filter {
        chain forward {
                type filter hook forward priority 0; policy drop;
                jump test # handle 6
        }

        chain test {
                ip protocol icmp counter packets 0 bytes 0 accept # handle 5
        }
}

On 18 April 2018 at 21:44, <matt-nft@xxxxxxx> wrote:
> Good day,
> I'm trying to set up multiple forward chains and can't get it to work.
> This is a simple setup to compare how it could look in iptables.
>
> iptables -F
> iptables -X
> iptables -P FORWARD DROP
> iptables -N TEST
> iptables -A TEST -p icmp -j ACCEPT
> iptables -A FORWARD -j TEST
>
> I was trying this (icmp is getting accepted due to higher priority?)
>
> table ip filter {
>         chain forward_accept {
>                 type filter hook forward priority -10; policy accept;
>                 ip protocol icmp counter accept
>         }
> }
> table ip filter {
>         chain forward_drop {
>                 type filter hook forward priority 10; policy drop;
>                 counter comment "count dropped packets"
>         }
> }
>
>
> Any idea what's the best way to get there?
>
> THX Matt
>
>
> --
> To unsubscribe from this list: send the line "unsubscribe netfilter" in
> the body of a message to majordomo@xxxxxxxxxxxxxxx
> More majordomo info at http://vger.kernel.org/majordomo-info.html

--
Anton.