Hi all, I'm still studying a bit of nftables and got confused about the priority value in chains. The manual says: priority refers to a number used to order the chains or to set them between some Netfilter operations. Possible values are: NF_IP_PRI_CONNTRACK_DEFRAG (-400), NF_IP_PRI_RAW (-300), NF_IP_PRI_SELINUX_FIRST (-225), NF_IP_PRI_CONNTRACK (-200), NF_IP_PRI_MANGLE (-150), NF_IP_PRI_NAT_DST (-100), NF_IP_PRI_FILTER (0), NF_IP_PRI_SECURITY (50), NF_IP_PRI_NAT_SRC (100), NF_IP_PRI_SELINUX_LAST (225), NF_IP_PRI_CONNTRACK_HELPER (300).

So, if I use hook "prerouting" and priority -150, then I will be in the "Prerouting Mangle" chain according to the Netfilter packet flow. If I use hook "prerouting" and priority -100, then I will be in the "Prerouting NAT" chain, and so on. All clear.

But what will happen if I use hook "filter" and priority -150, for example? There is no chain "Filter Mangle" according to the Netfilter packet flow. I'm quite sure that the combination of hook "filter" and priority -150 will work, but does it make any sense? Can anyone please give more detailed information on this topic? Can I be a bit away from the Netfilter packet flow by using different hook and priority combinations, or is it recommended to stay within the official Netfilter packet flow?

-- 
Best regards, Darius
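An added example, not part of Darius's message: an nftables ruleset showing that the priority value only orders chains that share the same hook, using both the named priorities (mangle, dstnat, filter) and a bare integer. In nft syntax the hook names are prerouting, input, forward, output and postrouting, while filter/nat/route are chain types; the table and chain names and port numbers below are constructed for the example.

```nft
# Added example (not from the original message). Load with: nft -f demo.nft
# Priority only decides the order of chains registered on the same hook;
# any integer is accepted, the names are just aliases for well-known values.
flush ruleset

table inet demo {
    # prerouting hook, priority mangle (-150): runs before the dstnat chain
    # on the same hook, so it sees the original (pre-DNAT) destination port.
    chain pre_mangle {
        type filter hook prerouting priority mangle; policy accept;
        tcp dport 8080 counter comment "counted at -150, before DNAT at -100"
    }

    # prerouting hook, priority dstnat (-100): the classic PREROUTING nat slot
    chain pre_dnat {
        type nat hook prerouting priority dstnat; policy accept;
        tcp dport 8080 redirect to :80
    }

    # input hook with a bare integer priority of -150: a valid chain even
    # though the packet-flow diagram has no "INPUT mangle" box. Conntrack
    # (-200) has already run, so ct state is usable; this chain simply runs
    # before every input chain with a higher priority number, e.g. in_filter.
    chain in_early {
        type filter hook input priority -150; policy accept;
        ct state invalid counter drop comment "dropped before in_filter runs"
    }

    # input hook, priority filter (0): the ordinary filtering chain; because
    # in_early already dropped invalid packets, its counters never see them.
    chain in_filter {
        type filter hook input priority filter; policy drop;
        iif lo accept
        ct state established,related accept
        icmp type echo-request counter accept
        tcp dport 22 counter accept
        counter log prefix "in_filter drop: " drop
    }
}
```

After loading, `nft list ruleset` prints the chains grouped by table, and `nft list chain inet demo in_early` shows the counters that confirm the -150 chain ran ahead of in_filter on the same hook.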