Great, thanks for the explanation. Now I have two chains OUTPUT with priority filter. One in the table raw and second in the table filter (currently both of them with policy accept). Is that correct? What is the order of evaluation? The order it appears in config file? Should not one of the priorities be changed to (filter + 1) or the rules moved to the filter table?

Thanks

Marek

2020-07-02 0:48 GMT+02:00, Florian Westphal <fw@xxxxxxxxx>:
> Marek Greško <mgresko8@xxxxxxxxx> wrote:
>> please is it a bug the rules did not work in the raw table or was it
>> my configuration error?
>
> Config error.
>
>> How is it possible that using iptables-nft the rules are added to the
>> raw table and it is working?
>
> iptables-nft and nftables are not the same.
> -j CT works with 'connection tracking templates',
> but the nft equivalent sets the helper directly.
>
> So, for iptables (and iptables-nft), the rule needs to be
> executed before conntrack lookup. With nft it has to be done
> after conntrack lookup.
>
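The placement rule Florian describes, as an added nftables ruleset that is not part of this thread. Chains registered on the same hook run in ascending priority order, not in the order they appear in the ruleset file; conntrack itself is hooked at -200, so a chain at priority raw (-300) runs before conntrack and a chain at priority filter (0) runs after it. The table and chain names and the "ftp" helper are assumed for illustration:

```nft
# Added example: where an nft "ct helper set" rule has to sit relative to
# conntrack on the output hook. Names and the ftp helper are assumed.

table ip helpers {
    # Helper object the rules below attach to a conntrack entry.
    ct helper ftp-std {
        type "ftp" protocol tcp
    }

    # Does NOT work with nft: priority raw (-300) is evaluated before
    # conntrack (-200), so no conntrack entry exists yet for the helper to
    # be set on. This is the iptables-style placement and is left
    # commented out only to show the contrast.
    # chain output_raw {
    #     type filter hook output priority raw; policy accept;
    #     tcp dport 21 ct helper set "ftp-std"
    # }

    # Works with nft: priority filter (0) is evaluated after conntrack
    # (-200), so the entry exists and the helper is attached to it.
    chain output_filter {
        type filter hook output priority filter; policy accept;
        tcp dport 21 ct helper set "ftp-std"
    }
}
```

Load it with `nft -f <file>` and inspect the hook order with `nft list ruleset`; the priorities, not the file order, decide which chain sees a packet first. Two chains on the same hook with the same priority have no defined relative order, which is why keeping the helper rule in a single chain after conntrack is simpler than juggling `filter + 1`.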