Re: Weird priorities: priority filter, priority raw - 1, priority mangle, etc

On Wed, Jan 09, 2019 at 12:44:19AM +0100, Mikhail Morfikov wrote:
> When I create the base chains I use something like 
> the following:
> 
> create chain ip  mangle PREROUTING { type filter hook prerouting priority -150; policy accept; }
> 
> I set the priority via _priority -150_, but when I'm listing rules, I get this:
> 
> table inet filter {
>         chain INPUT {
>                 type filter hook input _priority filter_; policy drop;
> ...
>         chain FORWARD {
>                 type filter hook forward _priority filter_; policy drop;
> ...
>         chain OUTPUT {
>                 type filter hook output _priority filter_; policy accept;
> ...
> table ip mangle {
>         chain PREROUTING {
>                 type filter hook prerouting _priority mangle_; policy accept;
> ...
>         chain INPUT {
>                 type filter hook input _priority mangle_; policy accept;
> ...
> table ip raw-set {
>         chain PREROUTING {
>                 type filter hook prerouting _priority raw - 1_; policy accept;
> ...
>         chain OUTPUT {
>                 type filter hook output _priority raw - 1_; policy accept;
> ...
> 
> Shouldn't there be normal numbers like the ones used
> when creating the rules?

You can retrieve normal priority numbers if you prefer via:

        # nft list ruleset -n

By default, we decided to place the priority tag +/- offset, so users
do not need to remember magic numbers.
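
Added example, not part of the original posts or of nftables itself: a small Python script that resolves the symbolic priority tags shown in the listing back to numbers and orders the chains at each hook the way the kernel evaluates them (lowest number first). The name-to-value table is the one documented in nft(8) for the ip, ip6 and inet families; the helper names `resolve_priority` and `hook_order` and the sample listing are constructed for illustration.

```python
import re
from collections import defaultdict

# Standard priority names per nft(8), ip/ip6/inet families (bridge differs).
PRIORITY_NAMES = {"raw": -300, "mangle": -150, "dstnat": -100,
                  "filter": 0, "security": 50, "srcnat": 100}
TABLE_RE = re.compile(r"^table\s+(\S+)\s+(\S+)\s*\{")
CHAIN_RE = re.compile(r"^\s*chain\s+(\S+)\s*\{")
HOOK_RE = re.compile(r"hook\s+(\w+)\s+priority\s+([^;]+);")
PRIO_RE = re.compile(r"\s*([a-z]+)?\s*(?:([+-])?\s*(\d+))?\s*")

def resolve_priority(text):
    """Turn 'filter', 'raw - 1' or '-150' into the numeric priority."""
    m = PRIO_RE.fullmatch(text)
    name, sign, num = m.groups() if m else (None, None, None)
    bad = (name is None and num is None) or (name and num and not sign)
    if bad or (name and name not in PRIORITY_NAMES):
        raise ValueError(f"unparseable priority: {text!r}")
    offset = int(num or 0) * (-1 if sign == "-" else 1)
    return (PRIORITY_NAMES[name] if name else 0) + offset

def hook_order(listing):
    """Map each hook to its chains, lowest priority (evaluated first) first."""
    order = defaultdict(list)
    table = chain = None
    for line in listing.splitlines():
        if m := TABLE_RE.match(line):
            table, chain = f"{m.group(1)} {m.group(2)}", None
        elif m := CHAIN_RE.match(line):
            chain = m.group(1)
        elif (m := HOOK_RE.search(line)) and table and chain:
            order[m.group(1)].append((resolve_priority(m.group(2)), table, chain))
    return {hook: sorted(chains) for hook, chains in order.items()}

# Constructed sample, trimmed from the listing quoted in the thread.
SAMPLE = """\
table ip mangle {
        chain PREROUTING {
                type filter hook prerouting priority mangle; policy accept;
        }
}
table ip raw-set {
        chain PREROUTING {
                type filter hook prerouting priority raw - 1; policy accept;
        }
}
"""

if __name__ == "__main__":
    print(hook_order(SAMPLE))
```

The same functions accept the output of `nft list ruleset -n`, since a bare number such as `-301` resolves to itself.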