On 04.10.19 at 16:28, Jags wrote:

>> not sure about nftables but with iptables I would just place the drop
>> stuff for 123.0.0.0/8 in -t raw PREROUTING because it's before conntrack
>> and consider placing it in an ipset for the case the list becomes longer
>> because then you have only one rule and a lightning fast hash-lookup no
>> matter how many entries
>
> Yes, I noticed CPU spikes, and removed drop/reject rules immediately. Thought I would re-enable these rules only when I run a torrent client.
>
> So should I just add a new table "raw" (and place this table at the top):
>
> xxxxxxxxx
> table inet raw {
>     chain prerouting {
>         type filter hook prerouting priority 0; policy accept;
>         ip saddr 123.0.0.0/8 counter drop
>     }
>     chain output {
>         type filter hook output priority 0; policy accept;
>         ip daddr 123.0.0.0/8 counter reject
>     }
> }
> xxxxxxxxx
>
> Now do I need a POSTROUTING chain in there too?
>
> From the Gentoo wiki for nftables: https://wiki.gentoo.org/wiki/Nftables#Tables
>
> "postrouting: This hook comes after the routing decision has been made, all packets leaving the machine hit this hook"

You don't need chains where you don't place rules.

Disclaimer: I use iptables and plan to switch to iptables-nft in the long run, so nftables may have subtly different behavior.

However, it turned out to have way better performance for a big firewall setup to place as much as possible in "-t mangle PREROUTING" (ct state invalid) and "-t raw PREROUTING" because of less processing of packets.

Not sure if "table inet raw" has the same semantic (before conntrack, before routing), but if it can have a postrouting hook I doubt it, because that's not possible for "-t raw" in iptables given that in this table there is no routing decision possible.

Look at the image to get a picture; I can't help with nftables itself:
https://stuffphilwrites.com/wp-content/uploads/2014/09/FW-IDS-iptables-Flowchart-v2019-04-30-1.png
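The open question in the thread is whether an nftables table can reproduce the iptables "-t raw PREROUTING" plus ipset arrangement. In nftables the table name carries no meaning; what decides the position relative to conntrack is the chain priority, and conntrack registers at -200 on the prerouting and output hooks. The ruleset below is an added example written for this reply, not something posted by either participant: it uses the named priorities `raw` (-300, before conntrack) and `mangle` (-150, after conntrack), a named set in place of ipset, and the table and set names `blocklist` / `blocked_v4` are chosen here.

```nft
# Added example (not from the thread): nftables counterpart of
# "-t raw PREROUTING" + ipset. Table and set names are assumptions.
table inet blocklist {
    # Named set with prefix support. Lookup cost does not grow with the
    # number of entries, which is the ipset argument made above.
    set blocked_v4 {
        type ipv4_addr
        flags interval
        elements = { 123.0.0.0/8 }   # prefix from the thread; extend as needed
    }

    # priority raw (-300) runs before conntrack (-200), so dropped packets
    # never create a conntrack entry. Equivalent to "-t raw PREROUTING".
    chain prerouting {
        type filter hook prerouting priority raw; policy accept;
        ip saddr @blocked_v4 counter drop
    }

    # The raw counterpart for locally generated traffic is the output hook.
    # No postrouting chain is needed, as the reply points out.
    chain output {
        type filter hook output priority raw; policy accept;
        ip daddr @blocked_v4 counter reject
    }

    # "ct state invalid" needs conntrack to have run already, so this chain
    # must sit after -200; priority mangle (-150) is the usual place for it.
    chain prerouting_mangle {
        type filter hook prerouting priority mangle; policy accept;
        ct state invalid counter drop
    }
}
```

Load it with `nft -f <file>` and confirm the ordering with `nft list ruleset`, which prints each chain's numeric priority. Further prefixes can be added without reloading, e.g. `nft add element inet blocklist blocked_v4 { 198.51.100.0/24 }` (a documentation range used here only as a constructed value). On nft releases older than 0.9.2 the symbolic names are not accepted; use `priority -300` and `priority -150` instead.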