Fw: Forward chains with different priorities


Hi,
Thanks, I was just trying to take advantage of the new features of NFT and thought about new ways to configure
my rulesets (organizing, grouping machines and ports, binding them to chains or tables, etc.).
 
With IPT there are many customized chains; they allow me to flush, delete or add records
without reloading the entire, heavy and large ruleset (>10K).
But anyhow, the jump option looks straightforward, similar to IPT.
 
Thanks for this.
Matt
 

Sent: Thursday, 19 April 2018 at 09:03
From: "Anton Danilov" <littlesmilingcloud@xxxxxxxxx>
To: matt-nft@xxxxxxx
Cc: netfilter@xxxxxxxxxxxxxxx
Subject: Re: Forward chains with different priorities
Hi.
You don't need multiple base chains with different priorities.
Your iptables ruleset adaptation will look like:

table inet filter {
    chain forward {
        type filter hook forward priority 0; policy drop;
        jump test # handle 6
    }

    chain test {
        ip protocol icmp counter packets 0 bytes 0 accept # handle 5
    }
}





On 18 April 2018 at 21:44, <matt-nft@xxxxxxx> wrote:
> Good day,
> I'm trying to set up multiple forward chains and can't get it to work.
> This is a simple setup to compare how it could look in iptables.
>
> iptables -F
> iptables -X
> iptables -P FORWARD DROP
> iptables -N TEST
> iptables -A TEST -p icmp -j ACCEPT
> iptables -A FORWARD -j TEST
>
> I was trying this (icmp is getting accepted due to higher priority?)
>
> table ip filter {
> chain forward_accept {
> type filter hook forward priority -10; policy accept;
> ip protocol icmp counter accept
> }
> }
> table ip filter {
> chain forward_drop {
> type filter hook forward priority 10; policy drop;
> counter comment "count dropped packets"
> }
> }
>
>
> Any idea what's the best way to get there?
>
> THX Matt
>
>
> --
> To unsubscribe from this list: send the line "unsubscribe netfilter" in
> the body of a message to majordomo@xxxxxxxxxxxxxxx
> More majordomo info at http://vger.kernel.org/majordomo-info.html



--
Anton.
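The pattern Anton describes (one base chain on the forward hook, work split into regular chains reached by jump) carried a bit further, as an added example that is not part of the thread. It shows why a single base chain is enough to keep the "flush or edit one chain without reloading everything" workflow Matt wants from iptables, and it sidesteps the pitfall in the two-base-chain attempt: an accept verdict only ends evaluation of the base chain it was reached from, so a packet accepted in a forward chain at priority -10 is still evaluated by a second forward base chain at priority 10, where a drop policy discards it. The table layout below follows Anton's ruleset; the chain and set names (fwd_icmp, fwd_mgmt, fwd_web, mgmt_hosts, web_ports) and the addresses and ports are assumptions chosen for illustration.

```nft
#!/usr/sbin/nft -f
# Added example, not from the thread. Names, addresses and ports are assumed.
flush ruleset

table inet filter {
    # Named sets take the place of long per-host / per-port rule lists;
    # elements can be added or removed live without touching any rule.
    set mgmt_hosts {
        type ipv4_addr
        elements = { 192.0.2.10, 192.0.2.11 }
    }
    set web_ports {
        type inet_service
        elements = { 80, 443 }
    }

    # The only base chain on the forward hook. Its policy is the final
    # verdict for anything the regular chains do not accept.
    chain forward {
        type filter hook forward priority 0; policy drop;

        ct state established,related accept
        ct state invalid drop

        # jump returns here when the target chain falls through, so each
        # regular chain only needs to state what it accepts.
        jump fwd_icmp
        jump fwd_mgmt
        jump fwd_web

        # Anything reaching this rule is about to be dropped by the policy.
        counter comment "dropped by policy"
    }

    # Regular chains: no hook, no priority, no policy. Each can be
    # flushed and repopulated on its own.
    chain fwd_icmp {
        ip protocol icmp accept
        ip6 nexthdr icmpv6 accept
    }

    chain fwd_mgmt {
        ip saddr @mgmt_hosts tcp dport 22 accept
    }

    chain fwd_web {
        tcp dport @web_ports ct state new accept
    }
}
```

Once loaded, the regular chains and sets are maintained incrementally with the nft CLI, which is the equivalent of editing a custom iptables chain: `nft add element inet filter web_ports { 8443 }` extends a set, `nft flush chain inet filter fwd_web` empties one regular chain while the base chain and the other chains keep running, and `nft -a list chain inet filter fwd_web` prints the rule handles so that a single rule can be removed with `nft delete rule inet filter fwd_web handle N`. Handles are assigned on insertion and are not stable across a reload, so list them right before deleting. A verdict of accept in one of the regular chains terminates evaluation of the whole forward base chain, which is exactly the behaviour of `-j ACCEPT` inside a custom iptables chain; a second base chain on the same hook would be evaluated afterwards regardless of that verdict.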
