On Thu, Jul 02, 2020 at 09:33:41PM +0200, Marek Greško wrote:
> Great, thanks for the explanation.
>
> Now I have two chains OUTPUT with priority filter. One in the table
> raw and second in the table filter (currently both of them with policy
> accept). Is that correct? What is the order of evaluation? The order
> it appears in config file? Should not one of the priorities be changed
> to (filter + 1) or the rules moved to the filter table?

Move them to the "filter" table, no need to define a new chain.

Chains are somewhat expensive: one of the good things about nftables is
that you can define only the chains that you need.

Chains whose priority is filter (0) see packets with the conntrack
information. Anything from priority -200 onwards (up to INT_MAX) has
access to the conntrack information. Priorities from INT_MIN to -199 see
no conntrack information (what used to be the "raw" table semantics).

In nftables, tables have no specific semantics anymore, it's the chain
priority that specifies what semantics apply to your basechain.

Thanks.
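The consolidation the reply recommends, written out as an added ruleset example (it is not from the thread and not the poster's own configuration): a single OUTPUT base chain in the "filter" table at priority filter (0), so conntrack state is visible to every rule in it, instead of two OUTPUT chains split across a "raw" and a "filter" table. The table name, chain name, ports and the individual rules are assumptions for illustration.

```nft
# Added example, not from the mailing-list thread.
# One OUTPUT base chain in the "filter" table; names and rules are assumed.
table inet filter {
    chain output {
        # priority filter (0) is past the conntrack hook (-200), so
        # ct state is populated for every packet this chain sees.
        # The same rules in a chain at "priority raw" (-300) would run
        # before conntrack and see no ct state at all.
        type filter hook output priority filter; policy accept;

        # rules that need conntrack information
        ct state established,related accept
        ct state invalid counter drop

        # rules that used to live in the separate "raw" table chain;
        # they work just as well here and avoid a second base chain
        oifname "lo" accept
        tcp dport { 22, 443 } ct state new counter accept
    }
}
```

Save this as a file and run `nft -c -f output.nft` to syntax-check it without loading it; once it is loaded, a packet on the output hook traverses this one chain only, and the question of which of two equal-priority chains runs first no longer arises.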