On Fri, Aug 14, 2020 at 01:21:08PM +0000, Andreas Hoefler wrote:
> > Daniel <tech@xxxxxxxxxx> wrote:
> > >
> > > On 14/08/2020 at 13:36, Reindl Harald wrote:
> > > >
> > > > On 14.08.20 at 13:21, Daniel wrote:
> > > > > On 14/08/2020 at 13:07, Pablo Neira Ayuso wrote:
> > > > > > On Thu, Aug 13, 2020 at 12:28:34PM +0000, Andreas Hoefler wrote:
> > > > > > > Hi
> > > > > > >
> > > > > > > I have a chain with default policy drop.
> > > > > > > I would like to first have the default policy set to accept,
> > > > > > > then add rules and later change it to drop.
> > > > > > > Is this possible?
> > > > > > For the record:
> > > > > >
> > > > > > nft add chain x y { policy accept\; }
> > > > > >
> > > > > > Assuming an existing basechain 'y'. The backslash (\) before the
> > > > > > semicolon is there in case of invoking this from bash.
> > > > > From bash how do you set a priority led by - like priority -150
> > > > > \; We always get invalid option
> > > > >
> > > > > dh@peech:~$ sudo nft add chain ip6 mangle output { type nat hook
> > > > > prerouting priority -350 \; policy accept \; }
> > > > > nft: invalid option -- '3'
> > > > because you don't escape - with \-
> > > I already tested by escaping the - sign, same error
> > > > doesn't nft understand quoted params?
> > > >
> > > > nft add chain ip6 mangle output "{ type nat hook prerouting priority
> > > > -350 ; policy accept ; }"
> > > Not working either
> > >
> > > dh@peech:~$ sudo nft add chain ip6 mangle prerouting "{ type nat hook
> > > prerouting priority -350 ; policy accept ; }"
> > > Error: Could not process rule: Operation not supported add chain ip6
> > > mangle prerouting { type nat hook prerouting priority -350; policy
> > > accept; }
> >
> > Historic artifact, try a value larger than -200, e.g. -199.
> > I've sent a patch to zap this outdated check.
> >
> Didn't work for me either:
> #nft add chain ip6 x y {type filter hook input priority \-100\;}
> nft: invalid option -- '1'

This is fixed in recent nftables versions; there is no need to disable the
getopt_long() parser anymore via --

nft -- add chain ip6 x y {type filter hook input priority -100 \;}

see:

commit fb9cea50e8b370b6931e7b53b1a881d3b95b1c91
Author: Pablo Neira Ayuso <pablo@xxxxxxxxxxxxx>
Date:   Fri Dec 13 11:32:46 2019 +0100

    main: enforce options before commands
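To show why "priority -350" produced "invalid option -- '3'" and why both the "--" workaround and the "options before commands" change cure it, here is an added toy model of the two option-scanning behaviours (constructed for this thread, not nftables code; the parse_permuting and parse_strict functions and the treatment of every dash-digit word as an unknown option are assumptions of the model):

```sh
#!/bin/sh
# Toy model of how an option parser tokenises a command line such as
#   nft add chain ip6 x y { type filter hook input priority -350 \; }
# Constructed for illustration only; it is not nftables code.

# Emits the getopt-style error for an argument like "-350" (second char is the
# "option" letter, here '3') and returns 1.
invalid_option() {
    echo "nft: invalid option -- '$(printf '%s\n' "$1" | cut -c2)'"
    return 1
}

# Behaviour before the fix: getopt_long permutes argv, so EVERY argument is
# inspected for options, even those after the "add" command word. A negative
# priority therefore looks like an unknown option. Only "--" ends the scan.
parse_permuting() {
    for arg in "$@"; do
        case "$arg" in
            --) return 0 ;;             # explicit end of options
            -[0-9]*) invalid_option "$arg"; return 1 ;;
            -*) ;;                      # some real nft option; accepted here
        esac
    done
    return 0
}

# Behaviour after "main: enforce options before commands": scanning stops at
# the first non-option word (the command), so a later "-100" is just an
# argument for nft's own grammar. Options are still recognised before it.
parse_strict() {
    for arg in "$@"; do
        case "$arg" in
            --) return 0 ;;
            -[0-9]*) invalid_option "$arg"; return 1 ;;
            -*) ;;
            *) return 0 ;;              # first command word: stop scanning
        esac
    done
    return 0
}

# Demo: the thread's failing line, then the "--" workaround, then the fixed parser.
parse_permuting add chain ip6 mangle output '{' type nat hook prerouting priority -350 ';' policy accept ';' '}'
parse_permuting -- add chain ip6 x y '{' type filter hook input priority -100 ';' '}' && echo "old parser with --: ok"
parse_strict add chain ip6 x y '{' type filter hook input priority -100 ';' '}' && echo "fixed parser: ok"
```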