Hi Frank,

Thank you very much for your thorough explanation. It makes total sense to me.

And yes, I've made a mistake in my question. I was referring to the Netfilter packet flow https://en.wikipedia.org/wiki/Netfilter#/media/File:Netfilter-packet-flow.svg and my main concern was if it makes sense to have a combination of chain/hook/priority which does not exist in the Netfilter packet flow. For example, "filter" chain, "input" hook and NF_IP_PRI_NAT_DST (-100) priority. It does not make sense to have DST NAT in the input filter as the routing decision is already done. I guess I was a bit confused by the constant names assigned to priority values. But again, nft is a replacement for netfilter and it works in a slightly different way. That was maybe a bad idea, to try to follow the Netfilter packet flow diagram. Anyway, your explanation really answered my question.

Best regards,
Darius

On 24.03.2020 13.20, Frank Myhr wrote:
> Hi Darius,
>
> On 2020/03/23 15:48, darius wrote:
>> Hi all,
>>
>> I'm still studying a bit of nftables and got confused about the priority
>> value in chains. The manual says:
>>
>> priority refers to a number used to order the chains or to set them
>> between some Netfilter operations. Possible values are:
>> NF_IP_PRI_CONNTRACK_DEFRAG (-400), NF_IP_PRI_RAW (-300),
>> NF_IP_PRI_SELINUX_FIRST (-225), NF_IP_PRI_CONNTRACK (-200),
>> NF_IP_PRI_MANGLE (-150), NF_IP_PRI_NAT_DST (-100), NF_IP_PRI_FILTER (0),
>> NF_IP_PRI_SECURITY (50), NF_IP_PRI_NAT_SRC (100), NF_IP_PRI_SELINUX_LAST
>> (225), NF_IP_PRI_CONNTRACK_HELPER (300).
>>
>> So, if I use hook "prerouting" and priority -150, then I will be in the
>> "Prerouting Mangle" chain according to the Netfilter packet flow. If I use
>> hook "prerouting" and priority -100, then I will be in the "Prerouting NAT"
>> chain and so on. All clear.
>> But what will happen if I use hook "filter" and priority -150, for
>> example? There is no chain "Filter Mangle" according to the Netfilter packet
>> flow. I'm quite sure that the combination of hook "filter" and priority -150
>> will work, but does it make any sense?
>
> Actually this will not work; there is no "filter" hook.
>
> Relevant wiki pages:
>
> https://wiki.nftables.org/wiki-nftables/index.php/Main_differences_with_iptables
>
> https://wiki.nftables.org/wiki-nftables/index.php/Configuring_chains
>
> https://wiki.nftables.org/wiki-nftables/index.php/Quick_reference-nftables_in_10_minutes#Chains
>
> https://wiki.nftables.org/wiki-nftables/index.php/Netfilter_hooks
> * Good diagram of netfilter hooks for families ip, ip6 and inet:
> prerouting, forward, input, output and postrouting
> * arp family has only input & output hooks.
> * netdev family has only ingress hook.
> * bridge family has hooks: ???
>
> As I understand it, the above hooks always exist, and are used by
> connection tracking and routing. At each hook, nftables packet filtering
> happens only if you hook a base chain there. The numerical priority you
> assign your base chain affects the order in which netfilter operations
> happen *on that hook only*.
>
> If you create 2 base chains:
>
> nft add chain ip some_table INPUT_NEG150 { type filter hook input priority -150 \; }
>
> nft add chain ip some_other_table INPUT_0 { type filter hook input priority 0 \; }
>
> then ipv4 packets at the input stage of processing will traverse chain
> INPUT_NEG150 before they hit chain INPUT_0. If instead of -150 you'd
> assigned priority -1 to INPUT_NEG150 this would still be true. The
> absolute priority numbers do not matter, only their numerical order
> within the same hook matters. If you have two base chains at the same hook
> with the _same_ priority... I don't know what happens! Probably best to
> avoid that. Even if deterministic, it would still be confusing to us
> ugly bags of water (obscure Star Trek reference, sorry).
>
> Hope this helps (and that it's correct),
> Frank
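As an added illustration of the rules Frank lays out above (this is editor-supplied example code, not part of either message and not nftables' own code), the script below parses base-chain definitions in the `nft add chain FAMILY TABLE NAME { type T hook H priority P; }` form used in the thread, groups them by (family, hook), and sorts each hook's chains by priority value. It rejects hooks that do not exist for a family (so the "filter" hook from the original question is an error, as Frank says), accepts the NF_IP_PRI_* names quoted from the manual as priority values, and warns when two base chains on one hook share a priority. The hook sets per family are taken from Frank's summary of the Netfilter hooks wiki page; the bridge family is left out because the thread does not list its hooks. The sample chain lines are constructed for the example.

```python
"""Order of nftables base chains per hook, as discussed in the thread.

Assumptions: the chain syntax handled is the one-line "add chain" form shown
in the thread; hooks per family follow Frank's summary of the Netfilter
hooks wiki page (bridge omitted, since the thread does not list its hooks).
"""
import re
from collections import defaultdict

# Hooks available per address family (from the thread's summary of the wiki).
_IP_HOOKS = {"prerouting", "input", "forward", "output", "postrouting"}
HOOKS = {
    "ip": _IP_HOOKS,
    "ip6": _IP_HOOKS,
    "inet": _IP_HOOKS,
    "arp": {"input", "output"},
    "netdev": {"ingress"},
}

# Named priority values as quoted from the nft manual in the thread.
PRIORITY_NAMES = {
    "NF_IP_PRI_CONNTRACK_DEFRAG": -400, "NF_IP_PRI_RAW": -300,
    "NF_IP_PRI_SELINUX_FIRST": -225, "NF_IP_PRI_CONNTRACK": -200,
    "NF_IP_PRI_MANGLE": -150, "NF_IP_PRI_NAT_DST": -100,
    "NF_IP_PRI_FILTER": 0, "NF_IP_PRI_SECURITY": 50,
    "NF_IP_PRI_NAT_SRC": 100, "NF_IP_PRI_SELINUX_LAST": 225,
    "NF_IP_PRI_CONNTRACK_HELPER": 300,
}

# Matches "nft add chain ip t NAME { type filter hook input priority -150 \; }"
# (the "\;" is the shell-escaped form from the thread; a bare ";" also works).
CHAIN_RE = re.compile(r"""
    ^\s*(?:nft\s+)?add\s+chain\s+
    (?P<family>\w+)\s+(?P<table>\w+)\s+(?P<chain>\w+)\s*
    \{\s*type\s+(?P<type>\w+)\s+hook\s+(?P<hook>\w+)\s+
    priority\s+(?P<prio>-?\d+|\w+)\s*\\?;\s*\}
""", re.VERBOSE)


class ChainError(ValueError):
    """Raised for a definition nft would reject (unknown family, hook, priority)."""


def parse_chain(line):
    """Parse one base-chain definition into a dict with a numeric priority."""
    m = CHAIN_RE.match(line)
    if not m:
        raise ChainError(f"not a base chain definition: {line!r}")
    family, hook, prio = m["family"], m["hook"], m["prio"]
    if family not in HOOKS:
        raise ChainError(f"unknown family {family!r}")
    if hook not in HOOKS[family]:
        # This is the original question's mistake: there is no "filter" hook.
        raise ChainError(f"family {family!r} has no {hook!r} hook")
    if prio.lstrip("-").isdigit():
        priority = int(prio)
    elif prio in PRIORITY_NAMES:
        priority = PRIORITY_NAMES[prio]
    else:
        raise ChainError(f"unknown priority {prio!r}")
    return {"family": family, "table": m["table"], "chain": m["chain"],
            "type": m["type"], "hook": hook, "priority": priority}


def traversal_order(lines):
    """Return ({(family, hook): ["table/chain", ...] in traversal order}, warnings).

    Only the numerical order of priorities within one hook matters; the
    absolute values are irrelevant, and chains on different hooks never
    compete with each other.
    """
    by_hook = defaultdict(list)
    for line in lines:
        c = parse_chain(line)
        by_hook[(c["family"], c["hook"])].append(c)
    order, warnings = {}, []
    for key, chains in by_hook.items():
        chains.sort(key=lambda c: c["priority"])  # lower value runs first
        order[key] = [f'{c["table"]}/{c["chain"]}' for c in chains]
        same = defaultdict(list)
        for c in chains:
            same[c["priority"]].append(f'{c["table"]}/{c["chain"]}')
        for prio, names in same.items():
            if len(names) > 1:
                warnings.append(f"{key[0]} {key[1]}: chains {names} share priority "
                                f"{prio}; their relative order is not defined by priority")
    return order, warnings


# Constructed sample input: Frank's two input chains plus two prerouting chains.
SAMPLE = [
    "nft add chain ip some_table INPUT_NEG150 { type filter hook input priority -150 \\; }",
    "nft add chain ip some_other_table INPUT_0 { type filter hook input priority 0 \\; }",
    "nft add chain ip some_table PRE_NAT { type nat hook prerouting priority NF_IP_PRI_NAT_DST \\; }",
    "nft add chain ip some_table PRE_MANGLE { type filter hook prerouting priority -150 \\; }",
]

if __name__ == "__main__":
    order, warnings = traversal_order(SAMPLE)
    for (family, hook), names in order.items():
        print(f"{family} {hook}: {' -> '.join(names)}")
    for w in warnings:
        print("warning:", w)
    try:
        parse_chain("nft add chain ip t X { type filter hook filter priority -150 \\; }")
    except ChainError as e:
        print("rejected:", e)
```

Running it prints the input hook order `some_table/INPUT_NEG150 -> some_other_table/INPUT_0` and, on prerouting, the -150 chain ahead of the NF_IP_PRI_NAT_DST (-100) one, which is the mangle-before-DNAT order of the packet-flow diagram; the "hook filter" line is rejected.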