Hello
I have a question about the default behavior of nftables when a certain (unwanted) program creates another pair of chains (INPUT+OUTPUT)
with the input/output hook. See the examples below. 'INPUT' is created by the program, 'input' holds my regular rules. This is only a
test example. My concern is whether the default accept policy of the upper chain (Test 1) may be a risk to my own rules.
Apparently it doesn't matter where I set policy=drop when testing, in the upper (INPUT) or the lower (input) ruleset: drop
always works. But if the upper chain says "policy=accept" (Test 1) and the lower one drop, the accept doesn't work. Are the rules
(and policy) in the lower input chain still respected, even if the policy in the upper one has already "accepted"?
Thank you, best regards
Tom
Test 1:
-------
table ip filter {
    chain INPUT {
        type filter hook input priority 0; policy accept;
    }
    chain OUTPUT {
        type filter hook output priority 0; policy accept;
    }
    chain input {
        type filter hook input priority 0; policy drop;
    }
    chain output {
        type filter hook output priority 0; policy drop;
    }
}
Test 2:
-------
table ip filter {
    chain INPUT {
        type filter hook input priority 0; policy drop;
    }
    chain OUTPUT {
        type filter hook output priority 0; policy drop;
    }
    chain input {
        type filter hook input priority 0; policy accept;
    }
    chain output {
        type filter hook output priority 0; policy accept;
    }
}
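The situation described in the question, as an added example that is not part of the original post: every base chain registered on a hook is traversed, an accept policy only ends that one chain, and a drop policy anywhere on the hook is final, which is why both Test 1 and Test 2 drop unmatched traffic. The script parses `nft list ruleset` text (here a constructed copy of Test 1 in nft syntax) and reports hooks that carry base chains the administrator did not create, together with the default that now applies on that hook; the chain names passed to `audit()` are an assumption about which chains are one's own.

```python
import re
from collections import defaultdict

# Constructed sample in nft syntax: the "Test 1" ruleset from the question. INPUT and
# OUTPUT stand for the unwanted program's chains, input and output for the author's own.
TEST1_RULESET = """
table ip filter {
    chain INPUT { type filter hook input priority 0; policy accept; }
    chain OUTPUT { type filter hook output priority 0; policy accept; }
    chain input { type filter hook input priority 0; policy drop; }
    chain output { type filter hook output priority 0; policy drop; }
}
"""

TABLE_RE = re.compile(r"table\s+(\w+)\s+(\S+)\s*\{(.*?)\n\}", re.S)
# Only base chains carry a "type ... hook ... priority ...; policy ...;" header.
BASE_RE = re.compile(r"chain\s+(\S+)\s*\{\s*type\s+\w+\s+hook\s+(\w+)\s+priority\s+"
                     r"(-?\w+)\s*;\s*policy\s+(\w+)\s*;", re.S)

def parse_base_chains(ruleset):
    """Group the base chains found in `nft list ruleset` text by (family, hook)."""
    hooks = defaultdict(list)
    for family, table, body in TABLE_RE.findall(ruleset):
        for chain, hook, prio, policy in BASE_RE.findall(body):
            hooks[(family, hook)].append(
                {"table": table, "chain": chain, "priority": prio, "policy": policy})
    return hooks

def effective_default(chains):
    """Fate of a packet that matches no rule in any base chain on one hook.
    Every base chain registered on the hook is traversed in priority order; an
    accept policy only ends that chain, whereas a drop policy is final. Hence a
    single drop policy anywhere on the hook decides the default."""
    return "drop" if any(c["policy"] == "drop" for c in chains) else "accept"

def audit(ruleset, own_chains):
    """List hooks that carry base chains other than `own_chains` (names the
    administrator created), with the default that now applies on that hook."""
    findings = []
    for (family, hook), chains in sorted(parse_base_chains(ruleset).items()):
        foreign = sorted(c["chain"] for c in chains if c["chain"] not in own_chains)
        if foreign:
            findings.append(f"{family} {hook}: unexpected base chain(s) {foreign}; "
                            f"default for unmatched traffic: {effective_default(chains)}")
    return findings

if __name__ == "__main__":
    for finding in audit(TEST1_RULESET, {"input", "output"}):
        print(finding)
```

Feed it live output with `audit(subprocess.check_output(["nft", "list", "ruleset"], text=True), {...})` to spot chains added behind your back; swapping the policies as in Test 2 gives the same "drop" default.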