On 1/22/19 11:47 AM, Philipp Richter wrote:
> Hello,
>
> I have a question concerning the priority of chains as described here
> https://wiki.nftables.org/wiki-nftables/index.php/Configuring_chains#Base_chain_priority
>
> If a lower priority chain accepts a packet it will still traverse the
> later priority chains. I wanted to cleanly separate tables for docker
> and/or libvirt, so packets that are accepted by those special lower
> priority tables shouldn't be reevaluated by the main chains.
> Is there a good way to achieve such clean separation using different
> tables? One way I'd see is maybe marking the accepted packets and
> adding rules to the top of the chains that match that mark and accept
> those packets. But this looks like making this more complex than it
> needs to be if I can achieve the same thing by having the docker,
> libvirt chains in the main table (which is the case right now).
> Is there any better way?
>

You could try using different hooks, i.e., prerouting/filter and
forward/filter. If you drop a packet in prerouting/filter it won't show
up again in forward/filter.

table ip t {
        chain p {
                type filter hook prerouting priority 0; policy accept;
        }

        chain f {
                type filter hook forward priority 0; policy accept;
        }
}
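As an added example (not part of this thread, and not the nftables project's own configuration), the following ruleset applies the two-hook layout from the reply: a docker-specific table does its filtering at the prerouting hook, so whatever it drops never reaches the main table's forward-hook chain. The interface names docker0 and eth0, the 172.17.0.0/16 range and the table/chain names are assumptions.

```nft
#!/usr/sbin/nft -f
# Added example: early docker-specific filtering at prerouting, main policy at forward.
# docker0, eth0 and 172.17.0.0/16 are assumed values for illustration.
flush ruleset

table inet docker_early {
        # Runs at the prerouting hook. A packet dropped here is gone before any
        # forward-hook chain (in this or any other table) sees it.
        chain pre {
                type filter hook prerouting priority -150; policy accept;
                # Drop invalid conntrack state arriving from the bridge
                iifname "docker0" ct state invalid counter drop
                # Drop packets from the bridge whose source is not the container range
                iifname "docker0" ip saddr != 172.17.0.0/16 counter drop
                # Anything else falls through to 'policy accept'. Note that accept here
                # only ends this chain: the packet still traverses forward-hook chains,
                # so only 'drop' gives the clean separation asked about in the thread.
        }
}

table inet main {
        # Main forwarding policy, evaluated only for packets that survived prerouting
        chain forward {
                type filter hook forward priority 0; policy drop;
                ct state established,related accept
                # Containers may reach the uplink; everything else hits 'policy drop'
                iifname "docker0" oifname "eth0" accept
        }
}
```

Load it with `nft -f <file>` and inspect the per-rule counters with `nft list ruleset` to confirm which hook is doing the dropping.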