On 05/02/2020 11:21, Florian Westphal wrote:
ѽ҉ᶬḳ℠ <vtol@xxxxxxx> wrote:
Having deployed family tables:
* inet
* ip
* ip6
and to my understanding the _base chain definitions_, hook priority and
policy, are only applicable to chains within the same family table but are
mutually exclusive between the different family tables I am struggling to
comprehend as to the order of packet processing among the aforementioned
family tables:
* which family table the packet is processed through first/last - inet or ip | ip6?
None. Ordering is by prio, not by family.
In ip vs ip6 case it's even irrelevant because an ipv4 packet will never
travel any of the ip6 base chains, ever (and vice versa).
That was clear, it was meant inet <> ip or inet <> ip6
* if the hook priority in the base chains of each family is the same but
different policies being applied how would such conflict, inet vs. ip | ip6,
resolve?
Implementation defined, right now it's 'last added'.
Does that pertain to table handle value?
Does a lower handle value mean that the packet is first seen by that table?
Noticed from the WIKI that rules can be positioned - does that work for
table as well, e.g.
* table inet filter position X
* table inet filter { position X
throwing an error.
But result is the same, if verdict is "drop", packet is discarded and
evaluation ends.
Just like with iptables: if you drop in mangle input, filter table won't
even get a chance to see the packet.
As far as I comprehend jump | goto works with chains in the same family
table but it is not possible to jump | goto from the inet table to ip | ip6
or vice versa, or is it?
It's not, each table is a distinct entity.
The question was with the same chain/hook priority in inet versus ip | ipv6
but a different verdict and how would such a conflict resolve, e.g.
* inet chain input prio 0 policy drop
* ip chain input prio 0 policy drop
* ip6 chain input prio 0 policy continue
?
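The behaviour Florian describes (chains on one hook are walked by priority, not by family; ip/ip6 chains never see the other family's packets; a drop verdict ends evaluation while accept hands the packet to the next base chain) as a small model, added here as an illustration and not code from the thread or from nftables itself. The table names, priorities and the tie-break between equal priorities (registration order, switchable) are constructed assumptions; the thread only says that equal-priority order is implementation defined.

```python
from dataclasses import dataclass

@dataclass
class BaseChain:
    table: str      # constructed label, e.g. "inet filter"
    family: str     # "inet", "ip" or "ip6"
    priority: int   # hook priority; lower value runs first
    policy: str     # "accept" or "drop": verdict when no rule matches
    order: int = 0  # registration sequence, filled in by register()

class InputHook:
    """Base chains of several family tables attached to one hook (input)."""
    def __init__(self, last_added_first: bool = False):
        self.chains = []
        # Assumed tie-break for equal priorities; the real order is
        # implementation defined, so this is a model parameter only.
        self.last_added_first = last_added_first

    def register(self, chain: BaseChain) -> None:
        chain.order = len(self.chains)
        self.chains.append(chain)

    def traverse(self, packet_family: str):
        """Return (verdict, tables consulted) for an 'ip' or 'ip6' packet."""
        tie = (lambda c: -c.order) if self.last_added_first else (lambda c: c.order)
        consulted = []
        for c in sorted(self.chains, key=lambda c: (c.priority, tie(c))):
            if c.family not in ("inet", packet_family):
                continue            # ip never sees ip6 packets and vice versa
            consulted.append(c.table)
            if c.policy == "drop":  # drop discards the packet; evaluation ends
                return "drop", consulted
            # accept only moves on to the next base chain on this hook
        return "accept", consulted

def demo():
    """Distinct priorities: the walk order is unambiguous."""
    hook = InputHook()
    hook.register(BaseChain("ip mangle", "ip", -150, "accept"))
    hook.register(BaseChain("inet filter", "inet", 0, "drop"))
    hook.register(BaseChain("ip6 filter", "ip6", 0, "accept"))
    hook.register(BaseChain("ip filter", "ip", 10, "accept"))
    return hook.traverse("ip"), hook.traverse("ip6")

def tie_demo(last_added_first: bool):
    """Equal priorities: which chain's rules see the packet first depends on
    the tie-break, but a drop policy still wins because accept continues."""
    hook = InputHook(last_added_first)
    hook.register(BaseChain("inet filter", "inet", 0, "drop"))
    hook.register(BaseChain("ip filter", "ip", 0, "accept"))
    return hook.traverse("ip")
```

Giving every base chain on a hook a distinct priority removes the dependence on the implementation-defined tie-break; the tie only changes which chain's rules (counters, logging) run first, not whether a drop policy takes effect.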