Re: [nftables v0.9.2 | kernel 4.19.93] MSS clamping rule possible in the inet family table?

ѽ҉ᶬḳ℠ <vtol@xxxxxxx> wrote:
> Finally got it working in the inet table, seems being a matter of rule
> position (handle value),

The handle has nothing to do with the ordering though, the handle is
just a unique identifier.

> chain forward { # handle 2
>                 type filter hook forward priority filter; policy drop;
>                 ct state established,related accept # handle 19
>                 ct state invalid drop # handle 20
>                 oif "pppoe-wan" tcp flags syn tcp option maxseg size set
> 1300 # handle 21
>                 iif "br-lan" accept # handle 22
>                 oif "br-lan" accept # handle 23
>                 iif "br-mgt" accept # handle 24
>                 oif "br-mgt" accept # handle 25

iif { "br-lan", "br-mgt" } accept
oif { "br-lan", "br-mgt" } accept

or maybe
iifname "br-*"

saves two rules.

> but this does not
> 
> chain forward { # handle 2
>         type filter hook forward priority filter; policy drop;
>         ct state established,related accept # handle 19
>         ct state invalid drop # handle 20
>         iif "br-lan" accept # handle 21
>         oif "br-lan" accept # handle 22
>         iif "br-mgt" accept # handle 23
>         oif "br-mgt" accept # handle 24
>         oif "pppoe-wan" tcp flags syn tcp option maxseg size set 1300 #
> handle 25
>         log prefix "DROP_FW " level debug flags all counter packets 0 bytes
> 0 # handle 26
> 
> If someone could explain why, I would be grateful, because I do not comprehend
> the varying outcome. Is it because after egress/ingress traffic hits
> handle 21/22 (bottom syntax) the packets are exiting the chain after being
> processed and not reaching handle 25 for processing?

Yes, this is no different from iptables: a verdict ends packet
evaluation in that base chain hook.

So, if a packet came from "br-lan", forward chain evaluation ends with handle 21.
