Dear Netfilter Team,

I would like to propose a correction to the following Wiki page.

https://wiki.nftables.org/wiki-nftables/index.php/Configuring_chains#Base_chain_priority

After the code block, the following sentence reads:

"If priority of the 'input chain' above would be changed to -1, all packets would be dropped."

This sentence is incorrect. All packets will be dropped, regardless of the priority, because within the same hook a "drop" action always takes precedence over "accept", even if the "drop" is in a chain with a later priority.

* I have attached an example illustrating this. If you load this ruleset with nft, browsing the web is impossible, regardless of whatever priority value you choose.

* I have previously submitted a bug report about this behavior. I don't believe Netfilter was intended to work this way. Either way, I feel the wiki should be updated for accuracy. That way readers understand how Netfilter is currently working, with regard to drop and priority.

Please let me know if you have any questions. I would be happy to discuss further, meet online, etc.

Brian Pond

--
Brian Pond
Datahenge LLC
Business Software Consultant
Web: www.datahenge.com
Email: brian@xxxxxxxxxxxxx
Tel: 509-808-3255
#!/usr/sbin/nft -f

flush ruleset

table inet filter {
    chain input {
        type filter hook input priority 0; policy accept;
    }

    chain ssh {
        type filter hook output priority 0; policy accept;
        tcp dport 80 accept;
        tcp dport 443 accept;
    }

    chain output {
        type filter hook output priority 15; policy drop;
        # Priority does not matter; outbound packets will *always* be dropped.
        # Drop is acting like a global, terminating action across the entire hook.
    }
}
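The following Python model is an added illustration of the behaviour the attached ruleset demonstrates; it is not part of the mail or of nftables itself. It assumes the verdict semantics nft(8) documents for base chains on one hook (chains run in ascending priority order, "drop" ends evaluation for the whole hook, "accept" ends only the current chain), rebuilds the two "output" chains from the attachment with constructed packets, and shows that no choice of priorities lets web traffic through, whereas a single base chain holding both the accept rules and the drop policy does.

```python
# Toy model of nftables base-chain evaluation on one hook (added example, not
# from the mail). Assumed semantics: chains run in ascending priority order,
# 'drop' ends evaluation for the whole hook, 'accept' ends only the current chain.
from dataclasses import dataclass, field
from itertools import permutations

@dataclass
class BaseChain:
    name: str
    priority: int
    policy: str                                 # "accept" or "drop"
    rules: list = field(default_factory=list)   # [(match_fn, verdict), ...]

def run_hook(chains, packet):
    """Final verdict for one packet traversing every base chain on a hook."""
    for chain in sorted(chains, key=lambda c: c.priority):
        verdict = chain.policy
        for match, rule_verdict in chain.rules:
            if match(packet):
                verdict = rule_verdict
                break
        if verdict == "drop":
            return "drop"   # terminating for the entire hook
        # "accept": this chain is done, but later chains on the hook still run
    return "accept"

def is_web(p):
    return p["proto"] == "tcp" and p["dport"] in (80, 443)

def attached_output_hook(ssh_prio, output_prio):
    """The two 'output' base chains of the attached ruleset, priorities as arguments."""
    return [BaseChain("ssh", ssh_prio, "accept", [(is_web, "accept")]),
            BaseChain("output", output_prio, "drop")]

def web_verdicts_for_all_priorities():
    """Constructed HTTPS packet under every ordering of the two chain priorities."""
    pkt = {"proto": "tcp", "dport": 443}
    return {(a, b): run_hook(attached_output_hook(a, b), pkt)
            for a, b in permutations([-1, 0, 15], 2)}

def single_chain_verdicts():
    """Same intent with one base chain: accept rules and drop policy together."""
    chain = [BaseChain("output", 0, "drop", [(is_web, "accept")])]
    https = {"proto": "tcp", "dport": 443}
    smtp = {"proto": "tcp", "dport": 25}
    return run_hook(chain, https), run_hook(chain, smtp)

if __name__ == "__main__":
    print(web_verdicts_for_all_priorities())   # every verdict is 'drop'
    print(single_chain_verdicts())             # ('accept', 'drop')
```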