> It's the same as with ebtables/iptables, if you accept in ebtables
> INPUT you can still drop in iptables INPUT.
>
> You can keep the policy at drop, sure, but you'll need to add
> accept rule(s) for the traffic you want to accept.

Hmm, I see. So any traffic policies in the bridge family are ranking below policies of the inet family. Tell you the truth I had hoped that there was no such ranking and everything belonging to the bridge could be tidied up there. Perhaps for someone having used ebt prior that would be the logical conclusion, but for the less exposed it might be helpful to have this pointed out in the wiki/man.

Now though, having moved the rules from bridge to inet (and working then), it requires additional string 'meta iifname br*' in the inet family to condition the bridge family, which feels cumbersome when everything bridge could have been neatly stored/handled there.

I am sure that a lot of thought by professional people has gone into that scheme; just from a layman's perspective it does not seem logical. Also considering that policies from the netdev family are not superseded.

Anyway, thank you very much indeed for the speedy input/assistance which helped to grasp some NFT basics. Excited to utilize now. Speed of atomic rule replacement is impressive and I like the meter feature, among others. Keep up the good work please!
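The layering discussed in this message, written out as a ruleset. This is an added example, not part of the original post; the table and chain names, the SSH port and the assumption that bridge devices are named `br*` are illustrative.

```nft
# Added example, not from the thread. Table/chain names and the
# allowed service (TCP 22) are assumptions.

# Layer 2: frames delivered to the bridge host traverse this hook first.
table bridge l2filter {
    chain input {
        type filter hook input priority 0; policy accept;
        # An accept here (by rule or policy) only ends evaluation in
        # this hook. The packet still goes up the stack and is judged
        # again by the inet input chain below.
        ether type arp accept
    }
}

# Layer 3: the same packet arrives here with the bridge device as its
# input interface.
table inet l3filter {
    chain input {
        type filter hook input priority 0; policy drop;

        ct state established,related accept
        iifname "lo" accept

        # Without an explicit accept matching the bridge interface,
        # the drop policy discards traffic that the bridge family
        # already accepted. Keep the policy at drop and allow only
        # what is wanted.
        iifname "br*" tcp dport 22 accept
    }
}
```

Saved to a file, this loads atomically with `nft -f <file>`; a drop verdict in either table is final, while an accept is only final for the hook it was issued in.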